
posted by janrinok on Saturday October 26 2019, @01:28AM
from the don't-click-on-untrusted-links dept.

Discord 'Spidey Bot' Malware Is Stealing Usernames, Passwords

Submitted via IRC for soylent_green


Called "Spidey Bot" by its discoverers, the Windows malware injects itself into Discord's code and steals your username, email address, IP address, phone number and Discord user token.

The malware also copies the first 50 characters of your Windows clipboard, which might contain your password if you've copied and pasted it recently, and creates a "backdoor" so that more malware can be installed. Macs don't seem to be affected.

If you're not familiar with Discord, it's chat software often used by PC gamers that has also been picked up lately by people who've been kicked off Reddit and Twitter for particularly unsavory comments. 

It's not totally clear yet how the Discord malware gets on your machine. Malware researcher Vitali Kremez suspects it's being passed around in Discord chats disguised as cheats for Roblox and other games. Kremez told Bleeping Computer two file names he'd seen were "Blueface Reward Claimer.exe" and "Synapse X.exe".

Unfortunately, the original report was that you won't be able to tell if your Discord application is infected. [UPDATE: It turns out you can -- see Discord Turned Into an Info-Stealing Backdoor by New Malware, reproduced in part below.] Even once you know, you'll have to delete the Discord software and reinstall it to make sure you're clean. Beyond that, keep up-to-date antivirus software running; it may block the dropper, but that is no guarantee.

Discord itself doesn't seem to be too helpful in responding to user concerns.

Discord, October 24, 2019:

    Unfortunately, there's not much any app can do to prevent something like this. However, you should always be cautious about clicking strange links and even more suspicious of downloading unknown software from unverified sources. Doing so could lead to things like this.

Discord, October 24, 2019:

    Hi there, and sorry for the scare. This isn't actually an issue with the code, but it is on the user end. To protect yourself from this don't click on untrusted links and do not download and run programs from sources you do not know or trust.

Discord, October 24, 2019:

    Sorry for the confusion there, this isn't a vulnerability. This is done by installing another program that modifies Discord on your computer. As long as you don't download any unknown or untrusted programs you should be a-okay!

But sadly, Discord is right. There's not that much the software maker can do from its end at the moment, except maybe to tell people to access Discord on their phone or gaming console instead of on a PC or Mac.

Discord Turned Into an Info-Stealing Backdoor by New Malware

A new malware is targeting Discord users by modifying the Windows Discord client so that it is transformed into a backdoor and an information-stealing Trojan.

The Windows Discord client is an Electron application, which means that almost all of its functionality is written in HTML, CSS, and JavaScript and shipped as plain files under the user's profile. Any program running as that user can rewrite those files, so malware can modify the client's core modules and have the client itself execute the attacker's code every time it starts.

Discovered by researcher MalwareHunterTeam earlier this month, this malware is called "Spidey Bot" and when installed will add its own malicious JavaScript to the %AppData%\Discord\[version]\modules\discord_modules\index.js and %AppData%\Discord\[version]\modules\discord_desktop_core\index.js files.

The malware will then terminate and restart the Discord app in order for the new JavaScript changes to be executed.

Once started, the JavaScript will execute various Discord API commands and JavaScript functions to collect a variety of information about the user that is then sent via a Discord webhook to the attacker.

The information that is collected and sent to the attacker includes:

  • Discord user token
  • Victim timezone
  • Screen resolution
  • Victim's local IP address
  • Victim's public IP address via WebRTC
  • User information such as username, email address, phone number, and more
  • Whether they have stored payment information
  • Zoom factor
  • Browser user agent
  • Discord version
  • The first 50 characters of the victim's Windows clipboard

The clipboard contents are especially concerning, as they could hand the attacker passwords, personal information, or other sensitive data that the victim copied recently.

How to check if you are infected

Checking if your Discord client has been modified is very easy as the targeted files normally have only one line of code in them.

To check the %AppData%\Discord\[version]\modules\discord_modules\index.js simply open it in Notepad and it should only contain the single line of "module.exports = require('./discord_modules.node');" as shown below.

Normal discord_modules\index.js file

For the %AppData%\Discord\[version]\modules\discord_desktop_core\index.js file, it should only contain the "module.exports = require('./core.asar');" string as shown below.

Normal discord_desktop_core\index.js file

If either of the two files contains code other than what is shown above, uninstall and reinstall the Discord client and confirm the modifications are gone. Reinstalling removes the injected code but does not undo what was already sent to the attacker, so treat your Discord user token and anything that was in your clipboard as compromised, and change your Discord password.

It is important to remember, though, that other malware can just as easily modify other JavaScript files used by the Discord client so these instructions are only for this particular malware.
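The manual check above (open each loader file in Notepad and confirm it holds only its single require line) is easy to script. The following Python script is an added example, not code from either article, from Discord, or from the malware: it walks every <version>\modules\ directory under %AppData%\Discord (the layout quoted in the BleepingComputer piece), compares each of the two index.js files with the one-line contents given above as normal, and reports any extra lines so you can see what was appended. It goes slightly beyond the text in that it checks every installed version directory and ignores a trailing newline or CRLF line endings. The function names and the sample files written by build_sample_tree() are constructed for this example; the placeholder line appended there is not the real payload.

```python
"""Integrity check for the two Discord client loader files that Spidey Bot
overwrites.  Added example, not code from the article, Discord or the
malware: it walks %AppData%\\Discord\\<version>\\modules\\ (layout as given
in the article), compares each index.js with the one-line contents the
article shows as normal, and reports anything extra.  Function names and
the sample files in build_sample_tree() are constructed for illustration."""
import os
import tempfile
from pathlib import Path

# Normal contents of each loader, quoted from the article.
EXPECTED = {
    "discord_modules": "module.exports = require('./discord_modules.node');",
    "discord_desktop_core": "module.exports = require('./core.asar');",
}


def normalize(text):
    """Drop CRLF/LF differences, blank lines and surrounding whitespace so a
    trailing newline alone is not reported as a modification."""
    lines = text.replace("\r\n", "\n").split("\n")
    return [ln.strip() for ln in lines if ln.strip()]


def check_loader(contents, expected):
    """Verdict for one index.js body: 'clean' if it holds only the expected
    require line, else 'modified' plus every other line found (the injected
    code lives in these files, so the extra lines are what to inspect)."""
    lines = normalize(contents)
    if lines == [expected]:
        return {"status": "clean", "extra_lines": []}
    return {"status": "modified",
            "extra_lines": [ln for ln in lines if ln != expected]}


def scan(appdata):
    """Check every <version>\\modules\\<module>\\index.js under
    appdata\\Discord.  Returns {path: verdict}; empty if Discord is absent."""
    results = {}
    discord_dir = Path(appdata) / "Discord"
    if not discord_dir.is_dir():
        return results
    for version_dir in sorted(p for p in discord_dir.iterdir() if p.is_dir()):
        for module, expected in EXPECTED.items():
            loader = version_dir / "modules" / module / "index.js"
            if loader.is_file():
                body = loader.read_text(encoding="utf-8", errors="replace")
                results[str(loader)] = check_loader(body, expected)
    return results


def build_sample_tree(root):
    """Constructed sample (version directory name is a placeholder): one
    untouched loader and one with an extra line appended.  The appended
    line is a harmless stand-in, not the real malware payload."""
    modules = Path(root) / "Discord" / "0.0.0" / "modules"
    for module, expected in EXPECTED.items():
        (modules / module).mkdir(parents=True)
        body = expected + "\r\n"  # Windows line ending, as Notepad would save
        if module == "discord_desktop_core":
            body += "require('./injected_placeholder.js');\r\n"
        (modules / module / "index.js").write_bytes(body.encode("utf-8"))
    return root


def demo():
    """Run scan() over the constructed tree; returns {module: status}."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        verdicts = scan(tmp)
    return {Path(p).parent.name: v["status"] for p, v in verdicts.items()}


if __name__ == "__main__":
    target = os.environ.get("APPDATA")  # %AppData% on Windows
    verdicts = scan(target) if target else {}
    if not verdicts:
        print("no Discord loaders found under %APPDATA%; running constructed sample")
        print(demo())
    for path, verdict in verdicts.items():
        print(f"{verdict['status']:9} {path}")
        for line in verdict["extra_lines"]:
            print("    +", line[:120])
```

Run it with a stock Python on the Windows machine in question; it prints one verdict per installed version and lists any extra lines it found. As the paragraph above notes, this only covers the two files Spidey Bot is known to touch; a different sample could just as well modify another JavaScript file under the same tree, so a clean result here is not proof that the client is untouched.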


  • (Score: 0) by Anonymous Coward on Saturday October 26 2019, @10:45PM (1 child)

    by Anonymous Coward on Saturday October 26 2019, @10:45PM (#912212)

    %AppData%\Discord\[version]\modules\discord_modules\index.js and %AppData%\Discord\[version]\modules\discord_desktop_core\index.js

    What kind of bizarre operating system uses backslashes in a filesystem path?

  • (Score: 2) by Freeman on Monday October 28 2019, @04:21PM

    by Freeman (732) on Monday October 28 2019, @04:21PM (#912872) Journal

    I'll give you a hint. It's one of the largest Operating Systems on the planet. Both figuratively and bloat wise. No, no, we're not talking about Android here. Android's still relatively lean by comparison, unless you count # of bloatware apps.

    --
    Joshua 1:9 "Be strong and of a good courage; be not afraid, neither be thou dismayed: for the Lord thy God is with thee"