The message's RAR attachment contains an executable file: the malware itself. Stolen data is exfiltrated over SMTP.
MalwareHunterTeam/Bleeping Computer: Cybercriminals have been abusing Discord for years to host and spread malware, thanks to a chat service feature
Discord has been abused by cybercriminals for years to host malware, to serve as command-and-control infrastructure, and to have its client modified to perform malicious behavior, as discovered by MalwareHunterTeam cyber security experts. According to Bleeping Computer, the chat service allows members to upload files to a channel so that others can download them. Users can then right-click an uploaded file and select the “Copy link” option to get a URL that can be shared with others, even non-Discord users, to download the file. Furthermore, the uploader can delete the file within Discord, but the URL can still be used to download it. This feature is being used by malware developers as an easy and anonymous way to distribute infections such as the NanoCore RAT, screenlockers, keyloggers, and Roblox cookie stealers.
The cyber security experts: Discord has “webhooks”, which are also commonly used to send information about infected users
According to the cyber security experts, Discord has a feature called webhooks that allows websites or external applications to send messages to a Discord channel. When creating a webhook, the server owner is given a special URL that is used with the Discord API to send messages to the specified channel. Like all useful features, developers of malware such as ransomware, information-stealing Trojans, RATs, and more can abuse webhooks to send information to the attacker when a user is infected. This feature is also commonly used by malware that steals victims’ tokens, which the attacker can then use to log in as that particular Discord user. MalwareHunterTeam also found an example of an NPM package that was using webhooks to steal Discord user tokens.
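Both abuse paths described above leave recognisable URLs in egress traffic: file downloads from the attachment CDN and outbound POSTs to a webhook endpoint. The following added example (not from the article or from MalwareHunterTeam) scans constructed proxy log lines for both patterns, flags executable attachments, and masks the webhook token so the report itself does not leak a channel credential.

```python
import re
from typing import Dict, List, Optional

# Constructed sample proxy log lines (timestamp, client IP, method, URL, user agent);
# these are made up for the example and are not from the article.
SAMPLE_LOG = [
    "2024-05-01T10:00:01Z 10.0.0.5 GET https://cdn.discordapp.com/attachments/111111111111111111/222222222222222222/update.exe ua=Mozilla/5.0",
    "2024-05-01T10:00:07Z 10.0.0.5 POST https://discord.com/api/webhooks/333333333333333333/AbCdEf-GhIjKl_MnOp ua=python-requests/2.31",
    "2024-05-01T10:01:00Z 10.0.0.9 GET https://discord.com/channels/@me ua=Mozilla/5.0",
    "2024-05-01T10:02:00Z 10.0.0.9 POST https://discordapp.com/api/webhooks/444444444444444444/ZyXwVu_TsRqPo-NmLk ua=Mozilla/5.0",
]

# Webhook endpoints live on discord.com / discordapp.com (plus the canary/ptb hosts), optionally versioned.
WEBHOOK_RE = re.compile(
    r"https?://(?:canary\.|ptb\.)?discord(?:app)?\.com/api/(?:v\d+/)?webhooks/(?P<id>\d+)/(?P<token>[\w-]+)"
)
# Files uploaded to a channel are served from the CDN under /attachments/<channel>/<message>/<name>.
ATTACHMENT_RE = re.compile(
    r"https?://(?:cdn|media)\.discordapp\.(?:com|net)/attachments/(?P<channel>\d+)/(?P<message>\d+)/(?P<name>[^\s\"']+)"
)
# Extensions that are unusual for chat attachments and worth a closer look when fetched from the CDN.
EXECUTABLE_EXT = (".exe", ".dll", ".scr", ".bat", ".ps1", ".js", ".vbs", ".jar")


def classify_line(line: str) -> Optional[Dict[str, str]]:
    """Return a finding for one log line, or None if nothing Discord-related was seen."""
    parts = line.split(" ", 4)
    if len(parts) < 5:
        return None
    _ts, src, method, url, ua = parts
    ua = ua.removeprefix("ua=")
    m = WEBHOOK_RE.search(url)
    if m and method.upper() == "POST":
        # Never record the full webhook token: it is a write credential for that channel.
        return {"kind": "webhook_post", "src": src, "id": m["id"],
                "token": m["token"][:4] + "...", "ua": ua}
    m = ATTACHMENT_RE.search(url)
    if m:
        kind = "executable_attachment" if m["name"].lower().endswith(EXECUTABLE_EXT) else "attachment"
        return {"kind": kind, "src": src, "channel": m["channel"], "name": m["name"], "ua": ua}
    return None


def scan_log(lines: List[str]) -> List[Dict[str, str]]:
    """Run classify_line over a log and keep only the findings."""
    return [f for f in (classify_line(l) for l in lines) if f]


if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding)
```

The user-agent is kept in each finding because a webhook POST from a scripting library rather than a browser is the kind of context an analyst triages first.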