# New RAT malware gets commands via Discord, has ransomware feature

**[bleepingcomputer.com/news/security/new-rat-malware-gets-commands-via-discord-has-ransomware-feature/](https://www.bleepingcomputer.com/news/security/new-rat-malware-gets-commands-via-discord-has-ransomware-feature/)**

By [Lawrence Abrams](https://www.bleepingcomputer.com/author/lawrence-abrams/), October 23, 2020 01:13 PM

The new 'Abaddon' remote access trojan may be the first to use Discord as a full-fledged command and control server that instructs the malware on what tasks to perform on an infected PC. Even worse, a ransomware feature is being developed for the malware.

Threat actors abusing Discord for malicious activity is nothing new. In the past, we have reported on how threat actors [use Discord as a stolen data drop](https://www.bleepingcomputer.com/news/security/discord-abused-to-spread-malware-and-harvest-stolen-data/) or have created malware that [modifies the Discord client](https://www.bleepingcomputer.com/news/security/discord-turned-into-an-info-stealing-backdoor-by-new-malware/) to have it steal credentials and other information.

## RAT uses Discord as a full C2 server

A new 'Abaddon' remote access trojan (RAT) [discovered by MalwareHunterTeam](https://twitter.com/malwrhunterteam/status/1319236824070500353), though, could be the first malware that uses Discord as a full-fledged command and control server.

A command and control server (C2) is a remote host from which malware receives commands to execute on an infected computer.

When started, Abaddon will automatically steal the following data from an infected PC:

- Chrome cookies, saved credit cards, and credentials.

  **Code showing the stealing of Chrome data**

- Steam credentials and list of installed games.

  **Code showing Steam data theft**

- Discord tokens and MFA information.
- File listings.
- System information such as country, IP address, and hardware information.

Abaddon will then connect to the Discord command and control server to check for new commands to execute, as shown by the image below.

**Receive a task from the Discord server**

These commands will tell the malware to perform one of the following tasks:

- Steal a file or entire directories from the computer.
- Get a list of drives.
- Open a reverse shell that allows the attacker to execute commands on the infected PC.
- Launch in-development ransomware (more later on this).
- Send back any collected information and clear the existing collection of data.

The malware will connect to the C2 every ten seconds for new tasks to execute.

Using a Discord C2 server, the threat actor can continually monitor their collection of infected PCs for new data and execute further commands or malware on the computer.

## Developing a basic ransomware

One of the tasks that can be executed by the malware is to encrypt the computer with basic ransomware and decrypt files after a ransom is paid.

This feature is still in development: its ransom note template contains filler text while the developer works on it.

**In-development ransomware component**

With ransomware being extremely lucrative, it would not be surprising to see this feature completed in the future.

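The ten-second C2 polling described above leaves a regular timing pattern in network telemetry. The following Python example is added here and is not code from the article or from the malware; it assumes a process-attributed connection log in a constructed four-column format, and the host names, process names, allow-list and thresholds are hypothetical.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample log (not real telemetry): timestamp host process destination
SAMPLE_LOG = """\
2020-10-23T13:00:00 WS-014 updater.exe discord.com
2020-10-23T13:00:05 WS-014 Discord.exe gateway.discord.gg
2020-10-23T13:00:10 WS-014 updater.exe discord.com
2020-10-23T13:00:20 WS-014 updater.exe discord.com
2020-10-23T13:00:31 WS-014 updater.exe discord.com
2020-10-23T13:00:40 WS-014 updater.exe discord.com
2020-10-23T13:00:50 WS-014 updater.exe discord.com
2020-10-23T13:00:03 WS-022 chrome.exe discord.com
2020-10-23T13:02:40 WS-022 chrome.exe cdn.discordapp.com
2020-10-23T13:02:41 WS-022 chrome.exe discord.com
2020-10-23T13:09:15 WS-022 chrome.exe discord.com
2020-10-23T13:30:00 WS-022 chrome.exe discord.com
"""

DISCORD_DOMAINS = ("discord.com", "discordapp.com", "discord.gg")
EXPECTED_CLIENTS = {"discord.exe"}  # assumption: local allow-list of process names

def is_discord(domain):
    return any(domain == d or domain.endswith("." + d) for d in DISCORD_DOMAINS)

def find_beacons(log_text, period=10.0, tolerance=2.0, max_jitter=1.5, min_events=5):
    """Return (host, process, mean_gap_s, events) for steady polling near `period`."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines
        ts, host, proc, domain = parts
        if is_discord(domain.lower()) and proc.lower() not in EXPECTED_CLIENTS:
            events[(host, proc)].append(datetime.fromisoformat(ts))
    findings = []
    for (host, proc), times in sorted(events.items()):
        if len(times) < min_events:
            continue  # too few samples to judge regularity
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        # Beaconing: mean gap close to the period and little spread between gaps.
        if abs(mean(gaps) - period) <= tolerance and pstdev(gaps) <= max_jitter:
            findings.append((host, proc, round(mean(gaps), 1), len(times)))
    return findings

if __name__ == "__main__":
    print(find_beacons(SAMPLE_LOG))
```

Process names can be spoofed, so the allow-list is a triage aid only; confirm a hit against the binary's path and signature before acting on it.
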
Lawrence Abrams is the owner and Editor in Chief of BleepingComputer.com. Lawrence's area of expertise includes Windows, malware removal, and computer forensics. Lawrence Abrams is a co-author of the Winternals Defragmentation, Recovery, and Administration Field Guide and the technical editor for Rootkits for Dummies.