Backdoor that steals information for new malware

New Malware: A new type is aimed at Discord users, modifying the Windows Discord client, so that it is transformed into a backdoor and a Trojan that steals information.

The Windows Discord client is an Electron application, which means that almost all of its functionality is derived from HTML, CSS and JavaScript. "This allows the malware to modify its core files so that the customer performs malicious behavior at startup."

Discovered by the researcher Malware Hunter Team earlier this month, malware - backdoor is called “Spidey Bot.”, based on the name of the Discord command and control channel with which the 'malware' communicated. Interestingly see in the article below a comment that, however, states that his real name is "BlueFace".

When installed, the malware adds its own malicious JavaScript to the % AppData% \ Discord \ [version] \ modules \ discord_modules \ index.js and % AppData% \ Discord \ [version] \ modules \ discord_desktop_core \ index.js files.

backdoor screen
Modified Discord index.js file

The backdoor malware will terminate and restart the Discord application for new JavaScript changes to take effect.

Once started, JavaScript will execute various Discord API commands and JavaScript functions to collect a variety of user information that will be sent via a Discord webhook to the attacker.

New Malware: information collected

The information collected and sent to the attacker includes:

  • Disagree user token
  • Victim's time zone
  • Screen resolution
  • Victim's local IP address
  • Victim's public IP address via WebRTC
  • User information such as username, email address, phone number and more
  • If they stored payment information
  • Zoom factor
  • Browser user agent
  • Discord version
  • The first 50 characters of the Windows clipboard victims

The content of the clipboard is of particular concern, as it may allow the user to steal passwords, personal information or other confidential data that has been copied by the user.

The Gightdio Function that acts as a backdoor in the new Malware

After sending the information, the Discord malware will execute the fightdio () function, which acts as a backdoor.

This function will connect to a remote site to receive an extra command to execute. This allows the attacker to perform other malicious activities, such as stealing payment information, if any, executing commands on the computer or potentially installing other 'malware'.

The site above is currently inactive, but it is not known whether a different sample uses a different site or not. In addition, a commentator below claims that the 'malware' has been discontinued, but we have no way of confirming this.

Researcher and reverse engineer Vitali Kremez, who also analyzed the malware, told BleepingComputer that the infection was seen using filenames like "Blueface Reward Claimer.exe" and "Synapse X.exe". Although he is not 100% sure how it is being spread, Kremez feels that the attacker is using Discord messages to spread the malware.

Since this infection shows no external indication that it has been compromised, a user has no idea that he is infected, unless he performs a network detection and sees unusual API calls and web hook calls.

If the installer is detected and removed, the modified Discord files will still remain infected and continue to run each time you start the client. The only way to clean the infection is to uninstall the Discord application and reinstall it so that the modified files are removed.

Worse, after more than two weeks, this Discord malware still has only 24/65 detections on VirusTotal.

How to check if you are infected with new Malware

Checking if your Discord client has been modified is very easy, since the target files usually have only one line of code.

To check the % AppData% \ Discord \ [version] \ modules \ discord_modules \ index.js, just open it in Notepad and it should contain only the single line “module.exports = require ('./ discord_modules.node' ); ”As shown below.

For the % AppData% \ Discord \ [version] \ modules \ discord_desktop_core \ index.js file, it must contain only “module.exports = require ('./ core.asar');” as shown below.

If one of the two files contains code other than the one shown above, uninstall and reinstall the Discord client and confirm that the modifications have been removed.

It is important to remember, however, that other malware can easily modify other JavaScript files used by the Discord client, so these instructions are only for that specific malware.

How Discord can protect you from malware threats

After publishing this article, we received many questions about how Discord can alert users to changes in the client.

Discord can do this by creating a hash for each client file when a new version is released. After installation, if the file is modified, that hash will be changed.

When the Discord client is started, it can perform a file integrity check and verify that the hashes of the current file match the standard hashes of the Discord client. If they are different, this file has been modified and the application may display a warning, such as the model we created below, which allows the user to continue loading the client or cancel it.

This check should be done using native code instead of another JavaScript file, which can be easily modified.

Update 10/24/19: Added sections on checking if specified JS files have been modified and how Discord can monitor these types of modifications.

Update 10/24/19 5:25 PM EST: Added information about the C2 being dead, that the real name for this infection may be BlueFace, and that the malware is said to be discontinued.

Per Lawrence Abrams

Source: //
Scroll to Top