Hackers Turn Discord into a Password-Stealing Tool

Hackers Use Discord to Steal Passwords

The publication Bleeping Computer warns that a new version of the AnarchyGrabber trojan is stealing users’ passwords and tokens, disabling two-factor authentication (2FA), and spreading malware to victims’ friends. To achieve this, cybercriminals modify the official Discord client.

Typically, attackers distribute AnarchyGrabber through Discord by disguising the trojan as a game cheat, hacking tool, or pirated software. If a victim falls for the bait, the trojan modifies the Discord client’s JavaScript files, turning it into malware capable of stealing the user’s token. With this token, hackers can log into Discord as the victim.

New Features in AnarchyGrabber3

Last week, a new version of AnarchyGrabber was discovered with several new features. Now called AnarchyGrabber3, the malware steals victims’ passwords in plain text and can use the infected Discord client to further spread the threat to all of the victim’s friends. Stolen passwords can also be used to compromise accounts on other websites.

After installation, AnarchyGrabber3 uses the file %AppData%\Discord\[version]\modules\discord_desktop_core\index.js in the Discord client to load additional JavaScript files added by the malware. As shown in the illustration below, when Discord is launched, the modified script loads a file named inject.js from a new folder called 4n4rchy.

This file then loads another malicious file into the client—discordmod.js. These scripts log the user out of the Discord client and prompt them to log in again.
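The loader chain described above (a rewritten index.js, a 4n4rchy folder, inject.js and discordmod.js) gives a defender concrete file-level indicators to check, which matters because, as the article notes later, no malicious process keeps running. The following scanner is an added example, not code from the article or from any vendor; it walks a Discord install tree for those indicators, and the "clean" index.js content it constructs for testing is an assumption rather than Discord's real file.

```python
import re
import tempfile
from pathlib import Path

# Indicators from the article: the malware rewrites index.js under
# discord_desktop_core so that it loads inject.js from a new folder
# named 4n4rchy, and inject.js then loads discordmod.js.
SUSPICIOUS_DIR = "4n4rchy"
SUSPICIOUS_FILES = {"inject.js", "discordmod.js"}
LOADER_PATTERN = re.compile(r"4n4rchy|inject\.js|discordmod\.js", re.IGNORECASE)


def scan_discord_root(discord_root: Path) -> list[str]:
    """Scan every Discord version folder under discord_root
    (on Windows: %AppData%\\Discord) and return human-readable findings."""
    findings = []
    for core_dir in discord_root.glob("*/modules/discord_desktop_core"):
        index_js = core_dir / "index.js"
        if index_js.is_file():
            text = index_js.read_text(encoding="utf-8", errors="replace")
            if LOADER_PATTERN.search(text):
                findings.append(f"{index_js}: loader references an injected script")
        if (core_dir / SUSPICIOUS_DIR).is_dir():
            findings.append(f"{core_dir / SUSPICIOUS_DIR}: injection folder present")
        for path in core_dir.rglob("*"):
            if path.is_file() and path.name.lower() in SUSPICIOUS_FILES:
                findings.append(f"{path}: known AnarchyGrabber3 script name")
    return findings


def build_sample(root: Path, infected: bool) -> Path:
    """Construct a fake Discord tree for offline testing. The 'clean'
    index.js content is an assumption, not Discord's real file."""
    core = root / "app-0.0.0" / "modules" / "discord_desktop_core"
    core.mkdir(parents=True)
    (core / "index.js").write_text("module.exports = require('./core.asar');\n")
    if infected:  # constructed stand-in for the hook the article describes
        with (core / "index.js").open("a") as fh:
            fh.write("require('./4n4rchy/inject.js');\n")
        (core / SUSPICIOUS_DIR).mkdir()
        for name in SUSPICIOUS_FILES:
            (core / SUSPICIOUS_DIR / name).write_text("// constructed placeholder\n")
    return root


def demo(infected: bool) -> list[str]:
    """Build the constructed tree in a temporary directory and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        return scan_discord_root(build_sample(Path(tmp) / "Discord", infected))
```

On a real machine, point `scan_discord_root` at the actual `%AppData%\Discord` folder instead of the constructed tree; a clean install returns no findings.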

How the Attack Works

Once the victim logs back in, the modified Discord client attempts to disable two-factor authentication for the account. The client then uses a webhook to send the email address, username, token, plain text password, and IP address to a special Discord channel controlled by the attackers.

After this, the “patched” Discord client waits for further commands from its operators. One command can instruct the compromised Discord clients to send malicious messages containing the same malware to all of the victim’s friends. Researchers note that this component makes it easier for criminals to spread AnarchyGrabber3 and can also be used to distribute other types of malware.

Why AnarchyGrabber Is So Dangerous

The main danger of AnarchyGrabber is that most victims don’t even know they’ve been infected. After running the AnarchyGrabber3 executable and modifying the Discord client files, the trojan doesn’t show any obvious signs and doesn’t run again. This means there’s no malicious process for antivirus software to detect, but the infected computer still remains part of a botnet.

In fact, the only way to remove AnarchyGrabber3 is to uninstall the Discord client and reinstall it from scratch.
