Avast, a global leader in digital security and privacy solutions, discovered an online community of minors creating, sharing and distributing malware on the instant messaging service Discord.

The malware includes ransomware and a mix of information theft and cryptominer malware. The group attracts young users by advertising access to various malware kits and toolkits that laypeople can use to easily create malware. In some cases, users must first purchase access to the malware builder tool in order to join the group; in other cases they simply become a member of the group and are then offered the tool for between five and 25 euros.

The community uses special Discord servers as a discussion forum and sales outlet for the distribution of malware families such as “Lunar”, “Snatch” or “Rift”. These all follow the current malware-as-a-service trend. The discussion forums also reveal that age-related insults are uttered almost daily. Children also revealed their ages and discussed the idea of hacking teachers and their school systems, and also mentioned their parents in these conversations. For example, one child mentioned that he preferred to pay via Amazon voucher to avoid having to use his mother's Paypal account. In a Discord group focused on selling “Lunar,” there were over 1,500 users, about 60-100 of whom were in a “customer” role who paid for the builder. The prices of malware builder tools vary depending on the type of tool and the length of time you have access to the tool.

Caption: Example of a price list for Lunar Builder; Image source: Avast / Discord

Caption: Examples of chat excerpts between the young people; Image source: Avast / Discord

The types of malware shared among teens target both minors and adults, offering options such as password and private data theft, cryptomining, and even ransomware. For example, if a “customer” buys a builder tool and uses it to steal data, the generated malicious program sends all stolen data to the “customer” who created and distributed it. If a “customer” uses a tool to generate ransomware, the victim is asked to send money to the crypto wallet of the tool user in question. Other noticeable features include stealing game accounts, deleting Fortnite or Minecraft folders, or repeatedly opening a web browser with adult content - apparently just to play a prank on others.

Caption: Lunar plugin for clearing Fortnite game data; Image source: Avast / Discord

“These communities may be attractive to children and teenagers because hacking is viewed as cool and fun. Malware builders offer an affordable and easy way to hack someone and brag about it to your peers. There is even the possibility of making money through ransomware, cryptomining and selling user data,” explains Jan Holman, malware researcher at Avast. “However, far from being harmless, these activities are criminal. They can have significant personal and legal consequences - especially if children reveal their own identities and those of their families online, or if the purchased malware actually infects the children's computer, leaving the entire family sharing the affected device vulnerable. Your information, including online accounts and banking information, may be shared with cybercriminals.”

Spreading malware via YouTube

After purchasing and assembling their custom malware, some of the teens used YouTube to market and distribute it.

Avast researchers have observed “customers” creating a YouTube video that purports to show information about a cracked game or game cheat that they link to. However, in reality, the URL led to their malware. To create trust for their video, they ask other people on Discord to like and comment on the video, thereby confirming the supposed authenticity of the video. In some cases, they have even asked other people to comment that it is a false positive if antivirus software detects the file as malicious. “This technique is quite insidious because instead of fake accounts and bots, real people are used to classify harmful content as harmless content. Because people with real accounts work behind the scenes to comment positively on the content, the malicious link appears more trustworthy and can therefore entice more people to click on it and download infected files,” comments Jan Holman.

When monitoring the online communities, Avast found that despite the group members' mutual support for pranks, but also for the theft of information and money, there were discussions that quickly became very turbulent. A significant level of arguing, instability and bullying was generally observed among users. This sometimes went as far as the appropriation of one user's code base by another and the latter's defamation.

Malware builders are tools that allow users to create malicious files without having to code anything. Normally, users only have to select the functions and adjust details such as the icon. There are several builder-based malware families that have similar user interfaces with slightly different layouts, color palettes, names, and logos. These are typically short-lived projects based on source code from GitHub or another builder that has been given a new logo and name, and sometimes slightly reworked or given new features.

Avast detected and blocked the malware spread on the servers and informed Discord about the existence and actions of these groups. Discord confirmed that the platform will take action against these types of communities and has blocked the corresponding servers.

How to protect children from malicious online activities:

Children should generally be taught to be critical of online offerings that seem attractive at first glance - for example, when it comes to supposedly new features in games that are not available in the official stores or when it comes to supposed preview versions of games. Parents should also educate their children about the importance of password security and explain to them that they should never share their passwords with others, even if they appear to be friends or game masters offering to help.

Basically, for the safety of younger children, it is important that they do not reveal any personal information when using messaging platforms such as Discord or in-game chats in multiplayer games such as Minecraft. In addition, children also need an ethical orientation about what is right and wrong in the digital space. What may seem daring and cool can cause serious harm to others and even constitute a criminal offense. Children may think they are safe because they are not yet legally responsible, but their parents are. It is important that parents talk to their children about this topic. Discord itself also recommended to Avast that parents adjust the platform settings so that their child cannot receive messages from strangers. More safety tips for parents can be found on the Discord blog.

For more information, visit: blog.avast.com/kids-discord-hacking-groups
