A new malware strain attacks Discord users by converting the Windows Discord application into a backdoor and information-stealing Trojan.
Modified Discord index.js file
The data gathered and forwarded to the attacker includes:
- Discord account token.
- Timezone of the victim.
- Screen resolution.
- Local IP address of the victim.
- Public IP address of the victim, obtained via WebRTC.
- Username, email address, telephone number and other account details.
- Whether payment information is saved.
- Zoom level.
- Browser user agent.
- Discord version.
- The first 50 characters of the victim's Windows clipboard.
The clipboard contents in particular could allow the attacker to steal passwords, personal information or other sensitive data the user has copied.
After the information is sent, the malware executes the combatdio() function, which acts as a backdoor.
This function connects to a remote site to retrieve additional commands to execute. It allows the attacker to perform further malicious activity, including stealing payment information, running commands on the device, or downloading additional malware.
The backdoor component
Security researcher and reverse engineer Vitali Kremez, who also examined the malware, said the infection has been seen using the file names "Blueface Reward Claimer.exe" and "Synapse X.exe." While it is not 100 percent certain how it spreads, Kremez believes the attacker is distributing the malware through Discord messages.
As there are no obvious signs of this infection, a user will not know they are infected unless they sniff network traffic and notice the unusual API or webhook calls.
Even if the installer is detected and removed, the modified Discord files would remain and execute every time Discord starts. The only way to clean up the infection is to uninstall and reinstall the Discord software so the modified files are removed.
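A defender-side integrity check for the modified index.js described above, written as an added example and not code from the article: it compares each discord_desktop_core/index.js with the one-line stub a clean Windows client ships and flags content matching the behaviours described (webhook calls, clipboard access, command execution). The stub text, the %APPDATA%\Discord path layout and the indicator patterns are assumptions, and the tampered sample is constructed test input.

```python
import hashlib
import os
import re
from pathlib import Path

# The stock discord_desktop_core/index.js is a one-line stub that loads core.asar.
# Assumption about the clean Windows client; confirm against a fresh install.
EXPECTED_STUB = "module.exports = require('./core.asar');"

# Hypothetical indicators derived from the behaviour described in the article:
# webhook exfiltration, clipboard theft, command execution, any hard-coded URL.
SUSPICIOUS_PATTERNS = {
    "webhook_call": re.compile(r"discord(?:app)?\.com/api/webhooks", re.I),
    "clipboard_access": re.compile(r"\bclipboard\b", re.I),
    "command_execution": re.compile(r"child_process|\bexec(?:Sync)?\s*\(", re.I),
    "hardcoded_url": re.compile(r"https?://[\w.-]+", re.I),
}


def analyze_index_js(content):
    """Compare one index.js body with the expected stub and flag tampering."""
    digest = hashlib.sha256(content.encode("utf-8", "replace")).hexdigest()
    if content.strip() == EXPECTED_STUB:
        return {"modified": False, "indicators": [], "sha256": digest}
    indicators = [name for name, rx in SUSPICIOUS_PATTERNS.items() if rx.search(content)]
    return {"modified": True, "indicators": indicators, "size": len(content), "sha256": digest}


def find_index_js_files(appdata=None):
    """Locate every discord_desktop_core/index.js under %APPDATA%\\Discord (assumed layout)."""
    base = Path(appdata or os.environ.get("APPDATA", "")) / "Discord"
    return sorted(base.glob("*/modules/**/discord_desktop_core/index.js"))


# Constructed test input: the kind of lines a tampered index.js might carry.
SAMPLE_TAMPERED = EXPECTED_STUB + """
const { clipboard } = require('electron');
const hook = 'https://discord.com/api/webhooks/EXAMPLE_ID/EXAMPLE_TOKEN';
"""

if __name__ == "__main__":
    files = find_index_js_files()
    if not files:
        print("no discord_desktop_core/index.js found (Discord not installed or different layout)")
    for path in files:
        result = analyze_index_js(path.read_text(encoding="utf-8", errors="replace"))
        status = "TAMPERED" if result["modified"] else "clean"
        print(f"{path}: {status} {result['indicators']}")
```

A clean stub yields `modified: False`; anything else is reported with the matching indicators and its SHA-256, which can be compared against a fresh install when triaging.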
To make matters worse, after more than two weeks this Discord malware still has only 24/65 VirusTotal detections.