Malware turns Discord client into password stealer

New variant of the AnarchyGrabber trojan can steal plain text passwords

Hackers have updated the AnarchyGrabber trojan to a new version which is capable of stealing passwords and user tokens, disabling 2FA and spreading malware to a victim's friends as well.

This is the second update the trojan has received this year: it was also updated back in April to modify the Discord client's files in order to evade detection by antivirus software and to steal user accounts every time someone logs into the popular chat service.

AnarchyGrabber is distributed for free on hacking forums and in YouTube videos, and cybercriminals on Discord pass it off to victims as a game cheat, hacking tool or copyrighted software. Instead, it modifies the Discord client's JavaScript files to turn the client itself into malware that steals a victim's Discord user token, which the attacker then uses to log into the popular chat service as the victim.

Hackers have now released a modified version of the AnarchyGrabber trojan with updated and more powerful features.

AnarchyGrabber3

AnarchyGrabber3 is a new variant of the popular malware which can steal a victim's plain text passwords and even command an infected client to spread malware to a victim's Discord friends. Since the attackers are now stealing plain text passwords, they can also use them in credential stuffing attacks in order to compromise a victim's other online accounts as well.

When installed, AnarchyGrabber3 modifies the Discord client's index.js file to load additional JavaScript files, including a custom inject.js from a 4n4rchy folder as well as a malicious file called discordmod.js. The malicious scripts then log the user out of Discord and ask them to log in again.

When a victim logs in, the modified Discord client will try to disable 2FA on their account. The client then uses a Discord webhook to send the user's email address, login name, user token, plain text password and IP address to a Discord channel controlled by the attacker. The modified client will also listen for commands sent by the attacker once the victim is logged in. One of these commands can even be used to send a message to all of the victim's friends that contains malware the attackers want to spread.

This trojan is particularly dangerous because it is hard for average users to know they are infected: the AnarchyGrabber3 executable does not stay on the system or run again once it has modified the Discord client files.

Thankfully, it is quite easy to see if your system has been infected with AnarchyGrabber3. Simply open Discord's index.js file (found in %AppData%\Discord\[version]\modules\discord_desktop_core) with Notepad and look for a single line of code that looks like this: “module.exports = require('./core.asar')”. If the file contains no other code, your client likely hasn't been infected with the trojan.
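The manual Notepad check above can be scripted. The following is an added example, not code from the article or from Discord: it reads index.js, treats anything beyond the single expected require line as suspect, and flags the file names the article associates with AnarchyGrabber3. The glob over the version folder and the constructed sample contents are assumptions for illustration.

```python
"""Offline integrity check for Discord's index.js (added example)."""
import os
from pathlib import Path

# The only line a clean index.js should contain, as quoted in the article.
EXPECTED_LINE = "module.exports = require('./core.asar')"

# File and folder names the article attributes to AnarchyGrabber3's injection.
SUSPICIOUS_MARKERS = ("4n4rchy", "inject.js", "discordmod.js")


def analyze_index_js(content: str) -> dict:
    """Classify the text of an index.js file.

    'clean' is True only when the expected require line is present and no
    other code exists; 'extra_lines' lists the unexpected code and
    'markers' lists any known AnarchyGrabber3 names found in the file.
    """
    # Normalise whitespace and a trailing semicolon so formatting
    # differences alone do not produce a false alarm.
    lines = [ln.strip().rstrip(";").strip() for ln in content.splitlines()]
    lines = [ln for ln in lines if ln]
    extra = [ln for ln in lines if ln != EXPECTED_LINE]
    markers = sorted({m for m in SUSPICIOUS_MARKERS if m in content})
    return {
        "clean": not extra and EXPECTED_LINE in lines,
        "extra_lines": extra,
        "markers": markers,
    }


def find_discord_index_files(appdata: Path) -> list:
    """Locate index.js under %AppData%\\Discord\\<version>\\modules\\discord_desktop_core.

    The '*' stands in for the version folder the article writes as [version]
    (assumption: one folder per installed client version).
    """
    return sorted((appdata / "Discord").glob("*/modules/discord_desktop_core/index.js"))


# Constructed sample contents (not captured from real malware) for demonstration.
CLEAN_SAMPLE = "module.exports = require('./core.asar');\n"
TAMPERED_SAMPLE = (
    "require('./4n4rchy/inject.js');\n"
    "require('./discordmod.js');\n"
    "module.exports = require('./core.asar');\n"
)

if __name__ == "__main__":
    for path in find_discord_index_files(Path(os.environ.get("APPDATA", ""))):
        verdict = analyze_index_js(path.read_text(encoding="utf-8", errors="replace"))
        print(path, "clean" if verdict["clean"] else "SUSPECT", verdict["markers"])
```

Run it on the Windows machine hosting the client; a SUSPECT verdict means index.js loads code other than core.asar and the client should be reinstalled and the account's password and token rotated.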

News by Andy Rixon, created 26 May, 2020
