
Malware turned Discord into info-stealing backdoor

spartaman64
Quote

A new malware is targeting Discord users by modifying the Windows Discord client so that it is transformed into a backdoor and an information-stealing Trojan.

The Windows Discord client is an Electron application, which means that almost all of its functionality is derived from HTML, CSS, and JavaScript. This allows malware to modify its core files so that the client executes malicious behavior on startup.

Discovered by researcher MalwareHunterTeam earlier this month, this malware is called "Spidey Bot" based on the name of the Discord command and control channel that the malware communicated with. A comment in the article below, though, claims its real name is "BlueFace".

Quote

When installed, the malware will add its own malicious JavaScript to the %AppData%\Discord\[version]\modules\discord_modules\index.js and %AppData%\Discord\[version]\modules\discord_desktop_core\index.js files.

The malware will then terminate and restart the Discord app in order for the new JavaScript changes to be executed.

Once started, the JavaScript will execute various Discord API commands and JavaScript functions to collect a variety of information about the user that is then sent via a Discord webhook to the attacker.

Quote

The information that is collected and sent to the attacker includes:

Discord user token
Victim timezone
Screen resolution
Victim's local IP address
Victim's public IP address via WebRTC
User information such as username, email address, phone number, and more
Whether they have stored payment information
Zoom factor
Browser user agent
Discord version
The first 50 characters of the victim's Windows clipboard
The contents of the clipboard are especially concerning as they could allow the user to steal passwords, personal information, or other sensitive data that was copied by the user.

After sending the information, the Discord malware will execute the fightdio() function, which acts as a backdoor.

This function will connect to a remote site to receive an extra command to execute. This allows the attacker to perform other malicious activity such as stealing payment information if it exists, executing commands on the computer, or potentially installing further malware.

Quote

One commenter below states that the malware has been discontinued, but we have no way of confirming that.

Researcher and reverse engineer Vitali Kremez who also analyzed the malware told BleepingComputer that the infection has been seen using file names such as "Blueface Reward Claimer.exe" and "Synapse X.exe". While it is not 100% sure how it is being spread, Kremez feels that the attacker is using Discord messaging to spread the malware.

As this infection shows no outward indication that it has been compromised, a user will have no idea they are infected unless they perform network sniffing and see the unusual API and web hook calls.

If the installer is detected and removed, the modified Discord files will still remain infected and continue to be executed each time you start the client. The only way to clean the infection will be to uninstall the Discord app and reinstall it so that the modified files are removed.

Even worse, after over two weeks, this Discord malware still only has 24/65 detections on VirusTotal.

Quote

Checking if your Discord client has been modified is very easy as the targeted files normally have only one line of code in them.

To check the %AppData%\Discord\[version]\modules\discord_modules\index.js simply open it in Notepad and it should only contain the single line of "module.exports = require('./discord_modules.node');" as shown below.


Quote

For the %AppData%\Discord\[version]\modules\discord_desktop_core\index.js file, it should only contain the "module.exports = require('./core.asar');" string as shown below.


 

source: https://www.bleepingcomputer.com/news/security/discord-turned-into-an-info-stealing-backdoor-by-new-malware/

 

I remember a while ago Discord servers were warning that people were impersonating admins and sending links/asking for money, so I wonder if something similar is spreading the malware. Before you click on a link or send someone money, always make sure they are who you think they are from the number next to their name, because Discord allows duplicate names. And everyone with Discord should check those files just in case.
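The two-file check from the quoted article, turned into a script that walks every Discord version folder under %AppData% and flags anything beyond the expected single line. This is an added example, not code from the BleepingComputer article or from Discord: the expected one-line contents are the ones the article gives, while the function names, the %AppData% enumeration, the webhook-URL pattern used to describe extra lines (the article only says data goes out "via a Discord webhook"), and the modification-time field are my own assumptions.

```python
"""Check the two Discord index.js files that Spidey Bot overwrites.

The expected one-line contents come from the quoted BleepingComputer
article; everything else (names, webhook pattern, sample data) is an
assumption made for this example.
"""
import os
import re
import sys
from pathlib import Path
from typing import Iterator, Optional, Tuple

# Exact single-line contents the article says each file should hold.
EXPECTED = {
    ("discord_modules", "index.js"): "module.exports = require('./discord_modules.node');",
    ("discord_desktop_core", "index.js"): "module.exports = require('./core.asar');",
}

# Assumed shape of a Discord webhook URL; used only to describe what the
# extra lines contain, never to decide whether the file is clean.
WEBHOOK_RE = re.compile(r"https?://(?:\w+\.)?discord(?:app)?\.com/api/webhooks/", re.I)


def check_index_js(module: str, content: str) -> dict:
    """Compare a file's text with the single expected statement.

    Returns 'clean' (True only if the file is exactly the expected line,
    trailing newline allowed), the number of unexpected non-empty lines,
    and whether any of those lines carries a webhook URL.
    """
    expected = EXPECTED[(module, "index.js")]
    lines = [ln.strip() for ln in content.splitlines() if ln.strip()]
    extra = [ln for ln in lines if ln != expected]
    return {
        "module": module,
        "clean": lines == [expected],
        "unexpected_lines": len(extra),
        "webhook_url_present": any(WEBHOOK_RE.search(ln) for ln in extra),
    }


def discord_index_files(appdata: Optional[str] = None) -> Iterator[Tuple[str, Path]]:
    """Yield (module, path) for every installed Discord version under %AppData%."""
    base = Path(appdata or os.environ.get("APPDATA", "")) / "Discord"
    for modules_dir in base.glob("*/modules"):          # one folder per client version
        for module, name in EXPECTED:
            p = modules_dir / module / name
            if p.exists():
                yield module, p


def scan(appdata: Optional[str] = None) -> list:
    """Run the check over every index.js found; mtime helps spot recent tampering."""
    results = []
    for module, path in discord_index_files(appdata):
        r = check_index_js(module, path.read_text(encoding="utf-8", errors="replace"))
        r["path"] = str(path)
        r["modified_time"] = path.stat().st_mtime
        results.append(r)
    return results


if __name__ == "__main__":
    found = scan()
    if not found:
        print("no Discord index.js files found under %AppData%")
    for r in found:
        status = "OK" if r["clean"] else "MODIFIED"
        print(f"{status:9} {r['path']}  extra lines: {r['unexpected_lines']}, "
              f"webhook url: {r['webhook_url_present']}")
    # Non-zero exit when anything is modified, so the script can sit in a scheduled task.
    sys.exit(1 if any(not r["clean"] for r in found) else 0)
```

The verdict is deliberately strict: any non-empty line other than the expected statement marks the file as modified, so the check does not depend on recognising this particular payload. As the article says, a modified file should be dealt with by uninstalling and reinstalling the client rather than by editing it back, since only the two files named in the article are covered here.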

Good Lord, checked my .js files in %AppData% so fast. Happy to report I am not affected.

 

Discord never gets breaks, does it? Connection can get jaggy or downright go down, botspam to global public servers, predatory activity, and now subject to malware attacks. :(


13 minutes ago, Tegos said:

Someone really needs to make a similar application, but better.

Discord by itself is already a privacy concern seeing as they keep an awful lot of user information, use process loggers, and also probably sell user data, not to mention their highly questionable staff.

 

Discord is shit and that's a fact, and the worst of all is, I have to force myself to use it because there's no alternative.

There's at least a dozen alternatives, half of which are fairly common. Mumble, TeamSpeak, Slack, Skype, Riot.im, Ventrilo, Overtone, Tox and Steam Chat to name a few.

 

As for the issue with Discord, if you do find yourself affected, does changing those files back to their default state mean are you golden? Would it be worthwhile to have a backup of those files that you can restore every quarter or so? Or are there other files that could also be affected, either with this attack or another? Any new files that could raise any red-flags, or if sorting by 'modified on' in the file directory would give any indication, etc.


16 minutes ago, Tegos said:

I think "no alternative" wasn't exactly the correct phrasing for what I meant. My bad.

 

My problem with Discord is that while the platform's security and privacy (or the lack of those things) concerns bothers me, pretty much all my friends use it to communicate in a group, especially when we're playing games together. My real problem is that if I were to ditch Discord, I doubt most of my friends would make the move along with me, so for now I'm more or less stuck with it.

Deep down I think Discord is only successful for the commodities it offers, not exactly because of the voicechat.

Ah. Yeh, that part. Well, you can always try some of the alternatives and have your friends test them with you, before ditching Discord altogether. As for the privacy issue, that's going to be an uphill battle no matter what software you use. Lots of people think only criminals have to worry about privacy, sadly.


Don’t give money to fake admins.

Don’t use the desktop version of discord.

Only use the web version.

Won’t visit often..


I use the Linux client so I'm good.


Oh wow, quite messed up.


Looks like I got something to check when I get home...


Well, my stuff is clean.


21 hours ago, Captain Chaos said:

Yet another reason to avoid Discord like the plague.

Just the windows client. I just use the browser one cbf downloading it.


I either use the Linux version or the web version.

I have a "friend" who knows how to find Discord tokens easily, without anything like that.

Supposedly Discord needs to reprogram a huge chunk to fix it.


22 hours ago, Captain Chaos said:

Yet another reason to avoid Discord like the plague.

Or just avoid Windows. It seems that this junk got onto people’s systems through a malicious exe. Linux will not execute those unless you go out of your way to run them in wine.

 

This is yet another reason to run Linux.


I feel like no one here has fully understood the article or the OP's post... Discord is no worse for your PC than Firefox, or Slack Chat, or VS Code, or Office 365, or your operating system itself, because using any software comes with some risks. What matters is your knowledge around using the software safely, which includes knowing how not to infect yourself with programs that shouldn't be installed, and knowing what to look for if you suspect you're already infected.


36 minutes ago, kirashi said:

I feel like no one here has fully understood the article or the OP's post... Discord is no worse for your PC than Firefox, or Slack Chat, or VS Code, or Office 365, or your operating system itself, because using any software comes with some risks. What matters is your knowledge around using the software safely, which includes knowing how not to infect yourself with programs that shouldn't be installed, and knowing what to look for if you suspect you're already infected.

To add to this, the machines were already compromised by a malicious executable. A modification to discord was the payload. It is not discord’s fault that someone ran malicious software on the machine. The blame seems best placed on Windows for encouraging people to run random executable files downloaded off the internet. :/
Microsoft could fix this by disabling execute permission on downloaded files (such that you need to go into the file properties and modify permissions to be able to execute them). However, I imagine there would be an uproar from the people who like the insecure status quo if they actually did that.


Time to downgrade back to Skype like when I was 12 playing Black Ops 2?


On 10/24/2019 at 10:49 PM, spartaman64 said:

The Windows Discord client is an Electron application, which means that almost all of its functionality is derived from HTML, CSS, and JavaScript.

It's besides the point, but I tried installing Discord once, and always wondered why it worked so bad. I guess now I know.
