[German]Small information for blog readers who use Discord service. Cyber criminals modify the AnarchyGrabber malware so that it can be used to harvest passwords in Discord. A new feature can also infect other friends of the victim.
Advertising
What is Discord?
Discord (also called Discordapp) is an online service for instant messaging, chat, voice and video conferencing, which was created mainly for computer players. Discord can be used as a web application or with proprietary client software on all common operating systems. Discord claims to have more than 250 million registered users.
What is AnarchyGrabber?
AnarchyGrabber is a malware which was developed to steal the discord access data of the victims. AnarchyGrabber is often distributed for free in hacker forums and YouTube videos. Cyber criminals try to spread the Trojan on Discord as 'cheat for games', hacking tool or protected software. I had already reported on such an approach in the German blog post Malware verwandelt Discord-Client in Trojaner in early April 2020.
New Password-Stealer AnarchyGrabber3
Bleeping Computer reports in the following tweet that cyber criminals are now stealing passwords with a modified AnarchyGrabber3 malware.
Discord client turned into a password stealer by new malware – @LawrenceAbramshttps://t.co/d9tVW7PTm3
— BleepingComputer (@BleepinComputer) May 24, 2020
While this is nothing fundamentally new. But the thread actors behind the new malware have modified it in such a way that the AnarchyGrabber3 grabber not only extracts passwords in plain text but also tokens. In addition, the two-factor authentication is deactivated and the malware can be distributed to friends of the victim via a command. It can be detected, that an AnarchyGrabber3 is installed, because it the file's:
Advertising
%AppData%\Discord\Discord\[version]\modules\discord_desktop_core\index.js
content of the Discord client has been modified. Other JavaScript files of the malware are loaded there. For example, an inject.js is loaded from the new 4n4rchy folder. In the unmodified version of the index.js there is probably only one command:
modules.exports = require('./core.asar');
If other commands are found there, there is a high probability of infection. Further details can be found at Bleeping Computer.
