Discord is an active target for attackers for being one of the popular chat platforms. This service is praised by gamers especially, and perfect exploitation could sometimes garner rich accounts. A new attack in the wild is stealing users’ login tokens from their own Discord clients, and transporting them to the attacker. This is possible by modifying the Discord client’s JavaScript files, as done by Anarchy Grabber malware, which was updated to evade detection now.
The Updated Malware
Discord has previously been accused of the same reason, as being weak in preparing its app for malware detection. Now the app’s being attacked for the same old reason. Anarchy Grabber is a well-known malware that’s infecting users via YouTube channels and hacking forums, which steals users Discord login tokens when they run the app.
These credentials are then transported to the hacker via his channel where he can use them for logging in as a user. The malware was originally an executable, which is easily flagged by antivirus software. So, Anarchy Grabber was upgraded by an attacker to the next version, where it now modifies the JavaScript files of Discord client to add attacker’s malicious files. These will be helping the attacker to steal those login tokens.
The new AnarchyGrabber2 will modify the AppData%\Discord\[version]\modules\discord_desktop_core\index.js to add attacker’s files, which are procured from 4n4rchy subfolder. And whenever the app’s being opened, it will load these malicious files again and again afresh. This would help to evade the antivirus detection, as even though the initial malware executable is flagged, the files will already be modified.
What Discord Can Do?
BleepingComputer finds a solution for such attacks – Client Integrity Check. This is to create a hash for each client file which will be changed whenever there’s a modification of files, thus detectable. This will be informed to users by a notification and check any file changes.
Via: BleepingComputer
