Malware Analysis Abaddon analysis, using Discord as a C&C

AnimO

New Member
Thread author
Oct 25, 2020
2
Hey guys,

we just finished analysing Abaddon, a RAT that uses Discord as a C2 and was reported by BleepingComputer.
Here's the final report if anyone is interested in how it works and what the future of malware might look like if more and more authors focus on using Discord as a C2.

Report: Abaddon using Discord as a C2 | Threat Lounge

Let me know what you think and enjoy your read!
 

struppigel

Moderator
Verified
Staff Member
Well-known
Apr 9, 2020
656
Good work!
I follow you on Twitter now and added your blog's RSS feed to see more of your analysis.

Some notes: Blocking legit Discord domains, as you advise to do, is probably not a good idea. Depends on the context of course, but generally, no.

Regarding the Yara rule. Searching for 2-byte sequences makes it very slow. Yara will search for it everywhere, find hundreds or thousands of matches and afterwards check if the condition is met. The MZ signature is preferably checked via uint16(0) == 0x5A4D.
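As an added illustration (not the Threat Lounge rule and not struppigel's text), the slow MZ check and the corrected one side by side; the $api string is a constructed placeholder, not a string taken from the Abaddon sample:

```yara
// Constructed example for this thread: the two-byte "MZ" string versus
// the integer check at offset 0. Both rules express the same intent.

rule slow_mz_check_example
{
    strings:
        // A 2-byte string has a tiny atom: YARA scans for it across the
        // whole file, records every hit, and only then evaluates "at 0".
        // Recent YARA versions warn that such a string may slow scanning.
        $mz  = "MZ"
        $api = "discord.com/api" ascii wide   // placeholder C2 indicator
    condition:
        $mz at 0 and $api
}

rule fixed_mz_check_example
{
    strings:
        $api = "discord.com/api" ascii wide   // placeholder C2 indicator
    condition:
        // uint16 reads little-endian, so bytes 4D 5A ("MZ") compare as 0x5A4D.
        // No string search is needed; the check is a single read at offset 0.
        uint16(0) == 0x5A4D and
        // Optional tightening: the PE header pointed to by e_lfanew at 0x3C
        // must start with "PE\0\0" (0x00004550 little-endian).
        uint32(uint32(0x3C)) == 0x00004550 and
        $api
}
```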
 

AnimO

New Member
Thread author
Oct 25, 2020
2
Hi and thank you for your reply :)
Some notes: Blocking legit Discord domains, as you advise to do, is probably not a good idea. Depends on the context of course, but generally, no.
We had a debate on this topic since we don't believe that having any Discord domains allowed on your corporate network without a good reason is a good thing but, as you said, it depends on the context and your environment.

Regarding the Yara rule. Searching for 2-byte sequences makes it very slow. Yara will search for it everywhere, find hundreds or thousands of matches and afterwards check if the condition is met. The MZ signature is preferably checked via uint16(0) == 0x5A4D.
Yup! Corrected it.
 

ForgottenSeer 85179

Thanks for that work!
I add missing Discord domains to NextDNS (per PR). Hope they include them.

Also I guess I found one error in the listed domains:
Is "bigbeans.solution" right? I only found "bigbeans.solutions" with an s at the end, which is also listed at VirusTotal.
 
