“Saying ‘Discord malware’, I mean malware that will work from inside the installed Discord client (it writes .js files into the Discord AppData folder, which are then loaded by the Discord client),” writes @malwrhunterteam.
- Discord user token;
- victim’s time zone;
- screen resolution;
- local IP address;
- public IP address (via WebRTC);
- user information, including username, email address, phone number, and so on;
- whether the victim has stored payment information;
- browser user agent;
- Discord version;
- the first 50 characters of the victim’s clipboard.
After transmitting this information to its operators, the malware runs the fightdio() function, which acts as a backdoor: it connects to a remote site and waits for additional commands.
This lets an attacker perform further malicious actions, including stealing payment information, executing commands on the victim’s machine, and installing other malware.
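Because the implant persists as .js files dropped into the Discord client folder, a defender can catch it by baselining the JavaScript files under that folder and reporting anything added or modified. The following script is an added example, not code from the article or from Discord; the `discord` directory under `%APPDATA%` and the file names in the demo tree are assumptions, and the demo tree itself is constructed.

```python
import hashlib
import json
import os
import tempfile
from pathlib import Path

# Assumed location of the client data folder; adjust for the real install.
DISCORD_DIR = Path(os.environ.get("APPDATA", "")) / "discord"


def sha256_of(path: Path) -> str:
    """Hash a file in chunks so large bundles do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot_js(root: Path) -> dict:
    """Map every .js file under root (path relative to root) to its SHA-256."""
    return {
        str(p.relative_to(root)).replace(os.sep, "/"): sha256_of(p)
        for p in root.rglob("*.js")
        if p.is_file()
    }


def compare_to_baseline(root: Path, baseline: dict) -> dict:
    """Report .js files that appeared, changed, or vanished since the baseline."""
    current = snapshot_js(root)
    return {
        "added": sorted(k for k in current if k not in baseline),
        "modified": sorted(k for k in current if k in baseline and current[k] != baseline[k]),
        "removed": sorted(k for k in baseline if k not in current),
    }


def demo() -> dict:
    """Constructed sample tree: a clean client, then a dropped .js plus a patched loader."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        loader = root / "modules" / "sample_module" / "index.js"  # hypothetical name
        loader.parent.mkdir(parents=True)
        loader.write_text("module.exports = require('./core');\n")
        baseline = snapshot_js(root)  # taken while the install is known-good
        (loader.parent / "dropped.js").write_text("// injected payload stub\n")
        loader.write_text("require('./dropped.js');\nmodule.exports = require('./core');\n")
        return compare_to_baseline(root, baseline)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

On a live system, persist the baseline from `snapshot_js(DISCORD_DIR)` right after a clean install and re-run `compare_to_baseline` on a schedule; a non-empty `added` or `modified` list after no client update is worth investigating.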
Another well-known information security expert, Vitali Kremez, also studied the new malware and reports that the infection uses files with names such as Blueface Reward Claimer.exe and Synapse X.exe. Although the researcher is not completely sure how Spidey Bot is distributed, he believes that the attackers spread the threat through ordinary Discord messages.
“Such attacks are dangerous because they do not show any external signs of compromise. Suspicious activity can only be detected by detecting strange API calls and webhooks. Even worse, defensive solutions so far are poorly detecting this malware,” the analysts say.
In fact, according to VirusTotal, only 38 out of 68 antivirus products detect Spidey Bot.
Discord is a free instant messenger with support for VoIP and video conferencing, originally aimed at computer gamers.