- Sep 5, 2017
A new piece of malware is targeting Discord users by modifying the Windows Discord client so that it is transformed into a backdoor and an information-stealing Trojan.
The Windows Discord client is an Electron application, which means that almost all of its functionality is derived from HTML, CSS, and JavaScript. Because those files are stored as editable text on disk, malware can modify the client's core files so that it executes malicious behavior every time it starts.
Discovered by researcher MalwareHunterTeam earlier this month, this malware is called "Spidey Bot" and when installed will add its own malicious JavaScript to the %AppData%\Discord\[version]\modules\discord_modules\index.js and %AppData%\Discord\[version]\modules\discord_desktop_core\index.js files.
The malware will then terminate and restart the Discord app in order for the new JavaScript changes to be executed.
Once started, the JavaScript will execute various Discord API commands and JavaScript functions to collect a variety of information about the user that is then sent via a Discord webhook to the attacker.
The information that is collected and sent to the attacker includes:
- Discord user token
- Victim timezone
- Screen resolution
- Victim's local IP address
- Victim's public IP address via WebRTC
- User information such as username, email address, phone number, and more
- Whether they have stored payment information
- Zoom factor
- Browser user agent
- Discord version
- The first 50 characters of the victim's Windows clipboard
After sending the information, the Discord malware will execute the fightdio() function, which acts as a backdoor.
This function will connect to a remote site to receive an extra command to execute. This allows the attacker to perform other malicious activity such as stealing payment information if it exists, executing commands on the computer, or potentially installing further malware.
Researcher and reverse engineer Vitali Kremez, who also analyzed the malware, told BleepingComputer that the infection has been seen using file names such as "Blueface Reward Claimer.exe" and "Synapse X.exe". While it is not certain how it is being spread, Kremez feels that the attacker is using Discord messaging to spread the malware.
As this infection produces no outward sign that the client has been compromised, a user will have no idea they are infected unless they inspect the modified files or perform network sniffing and notice the unusual API and webhook calls.
If the installer is detected and removed, the modified Discord files remain in place and continue to be executed each time the client starts. The only way to clean the infection is to uninstall the Discord app and reinstall it so that clean copies replace the modified files. Note that reinstalling removes the backdoor but does not recover a user token that has already been sent to the attacker, so the account itself should be treated as compromised.
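The modification described above (extra JavaScript appended to the two `index.js` loader files) is easy to check for on disk, which is quicker and more reliable than waiting to catch the webhook traffic. The following is an added example, not code from the article or from any of the researchers it cites. It assumes that on a clean client `discord_desktop_core/index.js` is the one-line stub `module.exports = require('./core.asar');`, that the versioned install directories are named `app-<version>`, and that anything larger than a couple of kilobytes in either loader is suspect; confirm all three against a fresh install of your own client version. The indicator patterns (webhook URL, clipboard read, WebRTC, the `fightdio` name the article reports) are generic markers of injected exfiltration code, not a signature for this one sample, and the "infected" input used to exercise them is constructed here for the demonstration.

```python
"""Integrity check for the two Discord loader files that Spidey Bot modifies.

Walks %AppData%\\Discord\\app-<version>\\modules\\ and flags each targeted
index.js that differs from the expected stub, is unexpectedly large, or
contains markers of injected exfiltration code.
"""
import os
import re
from pathlib import Path
from typing import Optional

# Clean content of the loader stub (assumption: taken from a stock Windows
# client; verify against a fresh install of your own version).
EXPECTED_LOADERS = {
    "discord_desktop_core": "module.exports = require('./core.asar');",
}

# The two files the article reports the malware appends to, relative to
# %AppData%\Discord\app-<version>\
TARGET_FILES = (
    Path("modules") / "discord_modules" / "index.js",
    Path("modules") / "discord_desktop_core" / "index.js",
)

# Generic markers of injected code. A clean loader stub matches none of them.
INDICATORS = {
    "discord_webhook_url": re.compile(
        r"https?://(?:(?:canary|ptb)\.)?discord(?:app)?\.com/api/webhooks/\d+/", re.I),
    "token_lookup": re.compile(r"localStorage|getItem\(\s*['\"]token", re.I),
    "clipboard_read": re.compile(r"clipboard\.readText", re.I),
    "webrtc_ip_probe": re.compile(r"RTCPeerConnection", re.I),
    "reported_backdoor_name": re.compile(r"\bfightdio\b"),
}

# A loader stub is one short line; anything larger deserves a look (assumed threshold).
MAX_LOADER_BYTES = 2048


def analyze_index_js(module_name: str, content: str) -> dict:
    """Classify the body of one index.js without touching disk."""
    hits = sorted(name for name, rx in INDICATORS.items() if rx.search(content))
    expected = EXPECTED_LOADERS.get(module_name)
    reasons = []
    if expected is not None and content.strip() != expected:
        reasons.append("content differs from expected loader stub")
    if len(content.encode("utf-8")) > MAX_LOADER_BYTES:
        reasons.append("file larger than a loader stub")
    if hits:
        reasons.append("injection indicators: " + ", ".join(hits))
    return {"module": module_name, "modified": bool(reasons),
            "indicators": hits, "reasons": reasons}


def scan_install(root: Optional[Path] = None) -> list:
    """Check every app-<version> directory under %AppData%\\Discord."""
    root = root or Path(os.environ.get("APPDATA", "")) / "Discord"
    results = []
    # Assumption: versioned client directories are named app-<version>.
    for app_dir in sorted(root.glob("app-*")):
        for rel in TARGET_FILES:
            path = app_dir / rel
            if not path.is_file():
                continue
            text = path.read_text(encoding="utf-8", errors="replace")
            finding = analyze_index_js(rel.parent.name, text)
            finding["path"] = str(path)
            results.append(finding)
    return results


# Constructed samples for an offline run: a clean stub, and the same stub with
# a stand-in for appended exfiltration code (placeholder webhook, no real logic).
CLEAN_CORE = "module.exports = require('./core.asar');\n"
INJECTED_CORE = CLEAN_CORE + """
const hook = 'https://discordapp.com/api/webhooks/000000000000000000/PLACEHOLDER';
const clip = require('electron').clipboard.readText().slice(0, 50);
function fightdio() { /* would fetch the next command from a remote site */ }
"""

if __name__ == "__main__":
    for sample_name, sample in (("clean", CLEAN_CORE), ("injected", INJECTED_CORE)):
        print(sample_name, analyze_index_js("discord_desktop_core", sample))
    for finding in scan_install():
        status = "MODIFIED" if finding["modified"] else "ok"
        print(f"{status:9} {finding['path']}  {'; '.join(finding['reasons'])}")
```

Any `MODIFIED` result means the client should be rebuilt as the article describes (uninstall, then reinstall so clean files replace the edited ones), and because the user token is among the data this malware sends out, the account should be treated as compromised even after the client is clean.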
Even worse, after over two weeks, this Discord malware still only has 24/65 detections on VirusTotal.