Malware turns Discord messenger into backdoor and forces to steal data

Information security specialist MalwareHunterTeam discovered the Spidey Bot malware, which turns Discord for Windows into a backdoor and a tool for spying and stealing information.

Since Discord is an Electron application, almost all of its functionality is based on HTML, CSS and JavaScript, which allows attackers to modify key files and force the client to engage in malicious activity.

“Saying “Discord malware”, I mean a malware that is will work from inside the installed Discord client (writes .js files in the Discord AppData folder, which will be loaded by Discord client)”, — writes @malwrhunterteam.

During installation, Spidey Bot adds malicious JavaScript to the% AppData%\Discord\[version]\modules\discord_modules\ index.js and %AppData%\Discord\[version]\modules\discord_desktop_core\index.js files. Then the malware will shut down Discord and restart the program for the changes to take effect.

Read also: Researchers found vulnerabilities in eRosary smart rosaries from Vatican developers

Once launched, malicious JavaScript will use various Discord API commands and JavaScript functions to collect user information, which will then be passed to the attacker through the Discord web hook. Among these data will be:

• Discord user token;
• victim’s time zone;
• screen resolution;
• local IP address;
• public IP address (WebRTC);
• User information, including username, email address, phone number, and so on;
• data on whether the victim stores payment information;
• browser user agent;
• Discord version
• the first 50 characters from the victim’s clipboard.

After transmitting this information to its operators, the malware will perform the fightdio()function, which acts as a backdoor. This function will be used to connect to a remote site and wait for additional commands.

This will allow an attacker to perform other malicious actions, including theft of payment information, executing commands on the victim’s machine, and installing other malware.

Another well-known information security expert, Vitaliy Kremez, also studied a new malware and reports that during the infection are used files with names such as Blueface Reward Claimer.exe and Synapse X.exe. Although the researcher is not completely sure how the Spidey Bot is distributed, he believes that attackers use the usual messages in Discord to spread the threat.

“Such attacks are dangerous because they do not show any external signs of compromise. Suspicious activity can only be detected by detecting strange API calls and web hooks. Even worse, defensive solutions so far are poorly detecting this malware”, – say analysts.

Therefore, according to VirusTotal, only 38 out of 68 antivirus products are able to spot Spidey Bot.