A new strain of malware turns Windows Discord client into the information-stealing Trojan
Warning! Discord users have been targeted by malware which can cause identity theft and other issues. Being named as Spidey Bot, the malware installs files presented as Discord-related data and kills the program at the beginning. Once restarted, specific modules and core files are changed, so the application can launch malicious processes on the machine and perform all the campaigns from the startup.
Data stolen by the malicious Discord version includes sensitive details
Once the specific information is recorded, it is sent to the hacker via the Discord webhook. The additional process gets executed at the same time, and the virus acting as a backdoor is launched. Other commands can be executed after the remote site connection is allowed. The attacker gets an ability to perform numerous malicious activities like stealing payment information, executing programs on the system directly, or installing malware further on the device.
The malware is targeting a variety of data that can be obtained from the chatting platform itself:
- details about the Discord version used;
- the browser user agent;
- first 50 characters out of the victims' Windows clipboard;
- zoom factor;
- stored payment information;
- email address;
- phone number;
- a public IP address;
- a local IP address;
- screen resolution;
- Discord user token.
Data that can be accessed and stored is pretty valuable, especially usernames and clipboard content. After sensitive details like passwords or personal information are copied, hackers may continue their attacks, e.g. steal money directly from the victim's account, send blackmailing emails, etc.
Another danger – malware in Discord messages
Even in-depth analysis cannot confirm that Spidey Bot virus has been delivered by using one distinct method, it is suggested that attackers are using the messaging application itself to spread the malware. Unfortunately, it is not a good thing since users cannot know if the system was infected or not. To indicate this, the network sniffing, during which unusual API and webhook can be determined, is required.
Even if the installer is removed, modified Discord files might still remain on the system and continue to execute the malicious processes on the system with each reboot. Uninstalling and reinstalling the Discord app is the only way to clean the infection completely with all the modified files what is highly recommended if any suspicious activity is noticed.
This is not the first time when Discord is misused for malicious campaigns. Scamming techniques that target stolen credit card data, accounts with weak passwords and malicious apps pretending to be Discord have been misusing app's name for years. However, having in mind how has the popularity of this app increased, there is no surprise that it has been included in dozens of different fraudulent campaigns.