Malware Analysis: Abaddon analysis, using Discord as a C&C

AnimO (New Member, thread author), Oct 25, 2020
Hey guys,

We just finished analysing Abaddon, a RAT that uses Discord as a C2, which was reported by BleepingComputer.
Here's the final report if anyone is interested in how it works and what the future of malware might look like if more and more authors focus on using Discord as a C2.

Report: Abaddon using Discord as a C2 | Threat Lounge

Let me know what you think and enjoy your read!
 
Good work!
I follow you on Twitter now and added your blog's RSS feed to see more of your analysis.

Some notes: Blocking legit Discord domains, as you advise, is probably not a good idea. It depends on the context of course, but generally, no.

Regarding the YARA rule: searching for 2-byte sequences makes it very slow. YARA will search for them everywhere, find hundreds or thousands of matches and only afterwards check whether the condition is met. The MZ signature is preferably checked via uint16(0) == 0x5A4D.
 
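The point made about the MZ check, shown as an added example that is not from the posts above and not the rule from the Threat Lounge report. The first rule is the slow form being criticised, the second the preferred form; the `$c2` string is an illustrative placeholder for a Discord host, not an indicator taken from the report, and the PE-signature check at `e_lfanew` is an added hardening step of my own:

```yara
// Added example; not the Threat Lounge rule.
// Slow form: YARA scans the whole file for the 2-byte string "MZ",
// collects every hit, and only then evaluates the condition.
rule abaddon_mz_slow
{
    strings:
        $mz = "MZ"
    condition:
        $mz at 0
}

// Preferred form: read the first two bytes as a little-endian uint16
// (0x5A4D is "MZ") instead of string-searching, then also confirm the
// "PE\0\0" signature at the offset stored in e_lfanew (0x3C) so that a
// stray "MZ" at offset 0 in a non-PE file does not match.
// $c2 is a placeholder (assumption), not an indicator from the report.
rule abaddon_mz_fast
{
    strings:
        $c2 = "discordapp.com" ascii wide nocase
    condition:
        uint16(0) == 0x5A4D and
        uint32(uint32(0x3C)) == 0x00004550 and
        $c2
}
```

The header reads in the second rule cost a couple of bounded memory accesses per file, and because the string scan is the expensive part, gating it behind the integer checks is also the better order to write the condition in.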
Hi and thank you for your reply :)
> Some notes: Blocking legit Discord domains, as you advise, is probably not a good idea. It depends on the context of course, but generally, no.
We had a debate on this topic, since we don't believe that allowing any Discord domains on your corporate network without a good reason is a good thing, but, as you said, it depends on the context and your environment.

> Regarding the YARA rule: searching for 2-byte sequences makes it very slow. YARA will search for them everywhere, find hundreds or thousands of matches and only afterwards check whether the condition is met. The MZ signature is preferably checked via uint16(0) == 0x5A4D.
Yup! Corrected it.
 
Thanks for that work!
I added the missing Discord domains to NextDNS (via a PR). Hope they include them.

Also, I guess I found one error in the listed domains:
Is "bigbeans.solution" right? I only found "bigbeans.solutions", with an s at the end, which is also listed on VirusTotal.