Criminals Use Collaboration Platforms to Spread Malware, Research Finds

Collaboration platforms used by employees have become a prime target for attackers seeking to take advantage of telework and the security risks this new paradigm entails, according to new research.

People — and employees especially — need to stay in touch with friends and coworkers while staying at home. The available collaboration platforms can fill that void, but they also come with security issues that can be difficult to mitigate.

We tend to think of malware as arriving through back channels or fraudulent messages, but that is not the whole picture. Abusing legitimate collaboration platforms to spread malware is one of the known methods, and it usually comes with clear advantages for attackers.

“Attackers are increasingly abusing the communications platforms that many organizations use to facilitate employee communications,” says Talos in its research. “This allows them to circumvent perimeter security controls and maximize infection capabilities. Over the past year, adversaries are increasingly relying on these platforms as part of the infection process.”

Because these are well-established platforms, a message arriving through them lends an attack more credibility and lets attackers bypass or evade some existing security controls. Criminals do not limit their use of these platforms to spreading malware; they also use them for component retrieval, command and control (C2), and data exfiltration.

“The use of applications like Discord and Slack may also provide an additional means to perform the social engineering required to convince potential victims to open malicious attachments,” the researchers also explain.

Victims are more likely to click on links or open attachments when the message appears to come from a colleague or from an established platform. Moreover, rooms controlled by threat actors are also used for their own communications. Discord, for example, has been used to spread threats including Thanatos, LimeRAT, Remcos and many others.

For malware delivery, files are transmitted between users by attaching them in channels. “Files are stored within the Content Delivery Network (CDN) that the platform provider operates, allowing server members to access these files as they appeared when they were originally attached,” says Talos.

Because these attacks originate from known and trusted services and the communication takes place over HTTPS, criminals can more easily hide their content. Wrapping the payload in a further archive or compression layer using known formats, such as ACE or ISO, makes the payloads even harder to investigate.

The fact that the same systems are used both for content delivery and for communication with command and control servers only makes it more critical for companies to filter malicious domains out of their networks. Using collaboration platforms for malware distribution looks more and more like a game that has only just started.
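As an added example, not code from the article or from Talos, the following Python snippet shows one defensive check a security team could run over web proxy logs: it flags downloads of container formats such as ISO and ACE (and executables) from collaboration-platform attachment CDNs. The CDN hostnames, the log line format and the log lines themselves are assumptions constructed for the example.

```python
import re
from urllib.parse import urlparse

# Assumed hostnames for collaboration-platform attachment CDNs; adjust to the
# platforms your organisation actually permits (configuration is hypothetical).
ATTACHMENT_CDN_HOSTS = {"cdn.discordapp.com", "files.slack.com"}

# Container/archive formats the article names (ACE, ISO) plus common executables.
RISKY_EXTENSIONS = {".iso", ".ace", ".exe", ".scr", ".js", ".vbs", ".zip", ".rar"}

# Constructed sample proxy log: "<time> <client-ip> <method> <url> <status> <bytes>"
SAMPLE_LOG = """\
2021-04-07T10:14:02Z 10.0.3.17 GET https://cdn.discordapp.com/attachments/123/456/invoice.iso 200 1843200
2021-04-07T10:14:09Z 10.0.3.17 GET https://cdn.discordapp.com/attachments/123/457/photo.png 200 52310
2021-04-07T10:15:41Z 10.0.5.9 GET https://files.slack.com/files-pri/T0/F0/quarterly.ace 200 90112
2021-04-07T10:16:00Z 10.0.5.9 GET https://example.org/index.html 200 4096
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3}) (\d+)$")

def parse_line(line):
    """Parse one constructed proxy log line into a dict, or None if malformed."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, src, method, url, status, size = m.groups()
    return {"ts": ts, "src": src, "method": method, "url": url,
            "status": int(status), "bytes": int(size)}

def classify(event):
    """Return a reason string when the event is a risky CDN download, else None."""
    if event is None or event["method"] != "GET" or event["status"] != 200:
        return None
    parsed = urlparse(event["url"])
    if parsed.hostname not in ATTACHMENT_CDN_HOSTS:
        return None
    # Look only at the final path segment so dots in directory names do not mislead.
    filename = parsed.path.rsplit("/", 1)[-1].lower()
    ext = filename[filename.rfind("."):] if "." in filename else ""
    if ext in RISKY_EXTENSIONS:
        return f"{ext} download from collaboration CDN"
    return None

def find_risky_downloads(log_text):
    """Return (client-ip, url, reason) tuples for every flagged log line."""
    findings = []
    for line in log_text.splitlines():
        event = parse_line(line)
        reason = classify(event)
        if reason:
            findings.append((event["src"], event["url"], reason))
    return findings

if __name__ == "__main__":
    for src, url, reason in find_risky_downloads(SAMPLE_LOG):
        print(f"{src} {reason}: {url}")
```

Because the transfer is over HTTPS, this check depends on proxy or TLS-inspection logs that record the full URL; without them, only the hostname is visible.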