
New PySilon RAT Exploiting Discord Platform for Persistence


Cybersecurity experts have identified a Remote Access Trojan (RAT) named PySilon. This Trojan takes advantage of the popular social platform Discord to maintain persistence on infected systems. Discord, known for its real-time communication features, has evolved into a hub for various communities beyond its gaming origins. However, its API capabilities have also made it a target for malicious activities.

Discord bots are automated programs that perform specific server tasks, ranging from server management to music playback. Reports by ASEC Lab indicate that these bots are typically developed using programming languages like Python and JavaScript and interact with servers through the Discord API. While they enhance user experience, they can also be manipulated for nefarious purposes.

PySilon represents a concerning case where RAT malware is implemented using a Discord bot. The full source code of this malware is available on GitHub, raising alarms about its potential spread. Communities on platforms like Telegram further facilitate its distribution and customization.

The PySilon builder allows users to customize the malware by specifying details such as the Server ID and bot token required for creating a Discord bot. This information is embedded into pre-written Python code and converted into an executable file using PyInstaller. When executed on a victim’s PC, the malware creates a new channel on the attacker’s server and sends initial system information, including IP address details, via chat. Each infected PC gets a dedicated channel, enabling the attacker to control it individually.

Upon execution, PySilon copies itself into the user folder and establishes persistence by adding an entry to the system's Run registry key so that the copy is launched at startup. The folder name used for the copy is configurable in the builder, and the malware contains anti-virtual machine (VM) logic that detects virtual environments and declines to run inside them.

Attackers can execute various commands through the created channels, allowing them to perform malicious activities such as information collection, screen and audio recording, keylogging, and folder encryption using the Fernet algorithm. The open-source nature of PySilon makes it easy for threat actors to integrate its code into seemingly benign bots, making it challenging for users to detect such malware since data transmission occurs via official Discord servers used for legitimate bot functions.
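The two behaviours described above, a Run-key autostart entry pointing into the user profile and Discord API traffic from a non-browser executable, are each unremarkable on their own but suspicious together. The following detection logic is an added example, not code from the article or from the PySilon project: it correlates constructed Sysmon-style events (EventID 13 registry value set, EventID 3 network connection, using Sysmon's real field names on made-up data) and flags a process that exhibits both. The field names, sample paths and the browser allowlist are assumptions for illustration.

```python
"""Added example: correlate registry-persistence and Discord-network events
per process.  The log lines are constructed, not real telemetry."""
import json
import re

# Constructed Sysmon-like events as JSON lines (hypothetical, not captured data).
SAMPLE_EVENTS = r"""
{"EventID":13,"Image":"C:\\Users\\alice\\AppData\\Roaming\\WindowsUpdate\\svc.exe","ProcessId":4412,"TargetObject":"HKU\\S-1-5-21-1\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\WindowsUpdate","Details":"C:\\Users\\alice\\AppData\\Roaming\\WindowsUpdate\\svc.exe"}
{"EventID":3,"Image":"C:\\Users\\alice\\AppData\\Roaming\\WindowsUpdate\\svc.exe","ProcessId":4412,"DestinationHostname":"discord.com","DestinationPort":443}
{"EventID":3,"Image":"C:\\Program Files\\Mozilla Firefox\\firefox.exe","ProcessId":1200,"DestinationHostname":"discord.com","DestinationPort":443}
{"EventID":13,"Image":"C:\\Program Files\\Vendor\\setup.exe","ProcessId":900,"TargetObject":"HKU\\S-1-5-21-1\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\VendorTray","Details":"C:\\Program Files\\Vendor\\tray.exe"}
"""

# Any value written under a ...\CurrentVersion\Run\ key is an autostart entry.
RUN_KEY_RE = re.compile(r"\\CurrentVersion\\Run\\", re.IGNORECASE)
# Autostart targets living under C:\Users\<name>\ are far more often malware than vendor software.
USER_PROFILE_RE = re.compile(r"^[A-Z]:\\Users\\[^\\]+\\", re.IGNORECASE)
# Discord API / gateway hostnames (assumed list; extend from your own DNS telemetry).
DISCORD_HOST_RE = re.compile(r"(^|\.)discord(app)?\.com$|(^|\.)discord\.gg$", re.IGNORECASE)
# Processes expected to talk to Discord.  Filename-only allowlist: a real rule
# should also check the signer or the full path, since malware can reuse a name.
EXPECTED_DISCORD_CLIENTS = {"chrome.exe", "firefox.exe", "msedge.exe", "discord.exe"}


def parse_events(text):
    """Parse JSON-lines telemetry into a list of dicts, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def is_user_profile_autostart(ev):
    """EventID 13: a Run-key value was set and it points into a user profile."""
    return (ev.get("EventID") == 13
            and RUN_KEY_RE.search(ev.get("TargetObject", "")) is not None
            and USER_PROFILE_RE.match(ev.get("Details", "")) is not None)


def is_non_browser_discord_connection(ev):
    """EventID 3: a connection to Discord from something other than a known client."""
    if ev.get("EventID") != 3:
        return False
    host = ev.get("DestinationHostname", "")
    image_name = ev.get("Image", "").rsplit("\\", 1)[-1].lower()
    return (DISCORD_HOST_RE.search(host) is not None
            and image_name not in EXPECTED_DISCORD_CLIENTS)


def correlate(events):
    """Return findings for processes that both persisted via a Run key and reached Discord.

    Processes are keyed by (ProcessId, Image) so a PID reused by a different
    binary later in the log does not merge two unrelated processes.
    """
    autostart = {}
    discord = {}
    for ev in events:
        key = (ev.get("ProcessId"), ev.get("Image"))
        if is_user_profile_autostart(ev):
            autostart[key] = ev["Details"]
        if is_non_browser_discord_connection(ev):
            discord[key] = ev["DestinationHostname"]
    findings = [
        {"pid": pid, "image": image, "autostart": autostart[(pid, image)],
         "host": discord[(pid, image)]}
        for (pid, image) in autostart if (pid, image) in discord
    ]
    return sorted(findings, key=lambda f: f["pid"])


def detect(text=SAMPLE_EVENTS):
    """Convenience entry point: parse then correlate."""
    return correlate(parse_events(text))


if __name__ == "__main__":
    for finding in detect():
        print(f"pid {finding['pid']} ({finding['image']}) persisted via Run key "
              f"-> {finding['autostart']} and contacted {finding['host']}")
```

On the constructed sample, only the user-profile `svc.exe` process is reported: the browser's Discord traffic is allowlisted, and the vendor installer's Run entry points outside the user profile. Because PySilon's traffic rides on Discord's legitimate infrastructure, the network signal alone is weak; the correlation with the persistence write is what makes the alert actionable.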

The rise of open-source projects like PySilon highlights a growing trend of abusing popular, legitimate platforms for cybercrime. This demonstrates the need for heightened vigilance and robust cybersecurity measures to protect against evolving threats in the digital landscape.
