Discord token3/22/2023 The malware also has the capability to steal the browser cookies and send them to C2.Over the past few years, Sonatype had consistently been on top of discovering malicious packages infiltrating open source ecosystems like npm, PyPI, and GitHub. If a user changes their Discord credentials, a new token would get generated and this would trigger the malware again to send the details to its C2 server. The process then continues to run in the background and maintains all the tokens sent to the C2 in its local memory. The JSON payload structure in this malware is as follows Figure 11: Stolen Information sent to C2 as JSON payload Public IP address of the user obtained through a GET request to “ipinfo.io/json”įigure 10: User data response from Discord ServerĪfter collecting all the information, it creates a JSON payload for sending it to the webhook URL.The following information is collected by the malware by sending a request to the URL with the stolen token in the Authorization Header. Figure 9: Checks if the user has any payment info saved Using the stolen token, the malware sends an API request to the Discord server “/billing/payment-sources” route, to check if the user has any saved payment sources like credit/debit cards. Each token found is then appended to a Python List. Once a log file is obtained it reads the content into memory and searches for the Discord token/MFA pattern through the below regex r””. It then iterates through all the files inside the obtained directory and searches for files ending with. Then for each of the obtained paths, it creates a full path using string operation and points to the leveldb directory.įor example, the full path to the leveldb directory in Chrome would look like “C:\Users\*******\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\” Figure 8: Parsing files to steal Discord token The malware steals the token from the below mentioned browsers and apps Figure 7: Default location of browsers local storage Figure 5: Procedure for killing monitoring appsĪfter killing the identified network monitoring application, it sends a POST request with the following JSON containing “ready to log” message to the Discord webhook url “ hxxps//discordcom/api/webhooks/954910299654328380/SKmJo86TbjSj905A8TODrBL2vC5uwsmlXWNzGsphdrRfvC_aAwwTfl02Pcrv2LW2oC8G ” Figure 6: JSON payload sent during the start of malware activityĪfter the initial network request, it starts the activity to steal cookies and tokens of Discord. Figure 4: Imported ModulesĪfter downloading the required modules, it searches for all the processes running in the system and kills if the process name has any one of the strings “http, wireshark, fiddler, packet” in their name.įor ease of understanding, images shown below are from the extracted 333.pyc file. When the original malware sample is executed, it verifies and downloads the required python modules through pip if not found in the user’s PC. Figure 2: Extracted files from binary Behavioral Analysis Figure 3: Startup logo pyc files (including 333.pyc) from the zlib archive (overlay). The compiled sample has the actual malicious python script 333.py in the overlay. Further investigation showed that the malware’s source python script is compiled using PyInstaller to create a Microsoft Visual C payload. Let’s now look at the analysisĪs the first step of analysis, we used “Detect It Easy” to identify the compiler and its Microsoft Visual C . Upon analyzing the sample we found some interesting technique that describes how threat actors steal your credentials/any personal information stored in Discord a popular social networking app, by grabbing Discord’s authtokens. Recently we came across a Twitter feed that described a malware sample coded in Python and fairly new to have many detections (at the time of writing this blog) which attracted our interest in diving deeper into the sample.
0 Comments
Leave a Reply.AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |