If you have been on Discord for a long enough time, there is a good chance that you have come across one of the following attack campaigns:
"[Insert adult advertisement here]"
"I accidentally reported your steam account"
"Game giveaway, just sign into your steam account for free skins and such" (This one is professionally done by Russians. ).
"Hey, I'm making this cool new game, could you help test it for me?"
In 2020 or so I found out about these campaigns and investigated them. The conclusion was that (with the exception of the "I reported your steam account" one) the threat actors used Discord as their main CDN, which made taking the campaign down quite trivial. The front-facing website was made using Replit too - I literally cloned the website and had its source code. Not only that, but it didn't even have a custom domain; talk about an epic fail. Anyways, if an unsuspecting user did manage to download and run the "Game" from their mega suspicious website, they would quickly have their data stolen via the latest and greatest info-stealer, which would exfiltrate all the saved credit cards, Discord tokens, and passwords from their browser.
Unfortunately for our script kiddies running this operation, I had reported their operations to Replit, Discord and Google. Not only this, but I also made a bunch of bogus data for their malware to steal, so I would like to think that they had fun failing at using my fake data.
Not too long ago (2024), a friend whom I will hereby name "Gigachad" notified me that his friend had succumbed to the "I'm making a game" campaign, and forwarded the information to me. It looks like the script kiddies from 2020 have learned a thing or two since their previous antics. Let's begin our deep dive.
Right away we are greeted with the slickly designed website used to trick the unsuspecting Discord users into downloading the newest game which their compromised friend has recommended.
As I am writing this, my IP got blacklisted seemingly in response to my web-scanning. Remember this, my meowmix enthusiasts, always use a VPN.
As you can tell, the website looks polished like last time, but this time there is more gameplay footage, which looks like it was ripped from the Kingdom Rush franchise. The NFT profile pictures on the "active team members" should be enough to deter anyone from hitting the download button. Anyways, let's probe a bit deeper into the web infrastructure.
To no one's surprise, the SSL certificate is from Let's Encrypt. To be honest, just having a Let's Encrypt certificate should be enough to lower a website's rep-score. If there is one thing I have learned, it is that low-level threat actors hate paying money.
As well as this, it seems the scripties are still using Discord to host the bulk of their images and media, even though Discord has previously put countermeasures in place to combat this abuse.
Anyways, information aside we really want to know who to yap to in order to have this website taken offline.
A quick search with some WHOIS tools reveals that the domain is registered through GoDaddy. Not my personal choice of registrar (certainly not for cybercrime), but whatever gets the job done, I guess.
The next step is to find out who the webhost is. This is usually a bit of a pain in the ass but thankfully the evil kitties hosting this site made a blunder which one of my tools had caught. It looks like the threat actors have switched to using Vercel as their hosting provider.
The download drops a 79.1MB rar payload hosted on the Discord CDN (not for long lol). This file size is surprising considering that it is common practice for threat actors to inflate file sizes in order to evade AV scans. Anyways, the initial compressed RAR file evades all detections on VT.
Unfortunately for me, the file was encrypted and I was without the password. However, let it be known that a weakly protected rar file is no match for the power of John the Ripper combined with a good GPU rig. After sitting around for a couple of SECONDS, the four-character password was cracked.
WOW Only 3 detections on VT!!! Surely something is amiss... AV scanning an .exe alone is not enough to provide a comprehensive security suite. Heuristic and network inspection are critical components of a good AV in modern times.
Anyways, looking into the file on VT, we notice that the exe doesn't actually seem to do too much. VT doesn't take note of any network connections which is quite interesting. Looking into the VT graph we see a 7zip file which appears to be the bulk of the executable's size. Interesting...
If we look into this suspicious 7zip file, we find a file named "app-64.7z", which looks to contain an interesting application.
This looks suspiciously like an Electron app. If you have done any web development you will surely have heard of Electron. Putting the installer.exe into VirusTotal once again shows zero detections, but if we look at related files we can see what appear to be game-related zip files submitted within the last two months.
Anyways, the lack of AV-triggering behavior suggests the exe itself is legit, so there is probably a malicious dependency being loaded into the executable somewhere. Looking into the resources folder reveals an asar file. I guess this is basically like a zip file for JS things (it is Electron's archive format: a JSON index followed by the packed source files, with no compression). If there is one language we see being used by scammers over and over again, it is JS. When we unpack the asar we get a bunch of obfuscated JS.
Debugging this obfuscated code also raises a bunch of exceptions. This is probably because of the debug protection from obfuscator.io or whatever. Anyways, I don't have time to remove the debug protections, so off to Dynamic Analysis land we go.
A bit after running the executable, we see a bunch of DNS requests being made to the duvetscute[.]lol domain.
After going to it, we naturally find it to be cloudflare protected. I guess that's a wrap on this one.
So I reported my findings to the proper people and thought I would close the chapter on this piece of malware.
... But then duvetscute went down and a new iteration of the malware appeared on the website.
The very next day, the duvetscute[.]lol webpage had disappeared off of the internet. How strange... The Mayhemers website was still running, but I noticed that the download link had changed, as well as the file name. I downloaded the newer piece of malware, put it into the malware lab and found a connect-back attempt to a new domain.
After unpacking the asar file again, I found some new malware code!
In my last semester I had taken a cryptography class, so I immediately realized that we have all the ingredients needed to decrypt whatever the heck this garbled stuff is. But I chose to take the lazy route and just run the code in the debugger and dump the output.
Cool! We now have the source code! That's AWESOME!
Cue the Bee Movie script!
Jokes aside, this piece of JS malware is pretty cool to look through. Below is a list of its functions:
checkVm
getDiscordTokens
newInjection
tokenRequest
checkToken
stealFirefoxTokens
discordInjection
browserCookies
getBrowserCookies
getFirefoxCookies
browserPasswords
browserAutofills
getBrowserAutofills
getBrowserPasswords
getBrowserWallets
allBrowserData
Includes data referring to chrome, msedge, brave, firefox, opera, kometa, orbitum, centbrowser, 7star, sputnik, vivaldi, epicprivacybrowser, uran, yandex and iridium.
fakeError
kill
getSteamFiles
checkCmdInstallation
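As an added example (not code from this post, and not the malware's own code), here is a small Python triage helper for the asar stage described above: it parses the asar index the way Electron lays it out (a 12-byte pickle-style header, the JSON file tree, then the raw file bytes) and flags packed files containing the kinds of strings the function list above implies, such as obfuscator.io-style `_0x` identifiers, Chromium credential database names, and Discord API paths. The archive and its contents are constructed inline, and the indicator labels are my own.

```python
import json, re, struct

def build_asar(files: dict) -> bytes:
    """Pack {path: bytes} into asar layout: [4][header_size][json_len][json+pad][data]."""
    index, blob = {}, b""
    for path, data in files.items():
        *dirs, name = path.split("/")
        node = index
        for d in dirs:                      # nested dirs live under a "files" key
            node = node.setdefault(d, {"files": {}})["files"]
        node[name] = {"size": len(data), "offset": str(len(blob))}
        blob += data
    header = json.dumps({"files": index}).encode()
    padded = header + b"\0" * (-len(header) % 4)
    return struct.pack("<III", 4, 4 + len(padded), len(header)) + padded + blob

def read_asar(buf: bytes) -> dict:
    """Return {path: bytes} for every file stored inline in an asar archive."""
    _, header_size, json_len = struct.unpack_from("<III", buf, 0)
    index, data_start, out = json.loads(buf[12:12 + json_len]), 8 + header_size, {}
    def walk(node, prefix=""):
        for name, entry in node["files"].items():
            if "files" in entry:            # directory
                walk(entry, prefix + name + "/")
            elif "offset" in entry:         # "unpacked" entries carry no offset
                start = data_start + int(entry["offset"])
                out[prefix + name] = buf[start:start + entry["size"]]
    walk(index)
    return out

# Indicator patterns (my own labels) matching what the sample's function list targets.
INDICATORS = [
    (rb"\b_0x[0-9a-f]{4,6}\b", "obfuscator.io-style identifiers"),
    (rb"Login Data|Local State|Web Data", "Chromium credential/autofill databases"),
    (rb"discord\.com/api|leveldb", "Discord API / LevelDB token storage"),
]

def triage_asar(buf: bytes) -> dict:
    """Map each archived file to the indicator labels its content matches."""
    findings = {}
    for path, data in read_asar(buf).items():
        hits = [label for pat, label in INDICATORS if re.search(pat, data)]
        if hits:
            findings[path] = hits
    return findings

# Constructed sample: one benign entry point and one stealer-like payload file.
SAMPLE = build_asar({
    "package.json": b'{"name": "game", "main": "main.js"}',
    "main.js": b"const { app } = require('electron'); app.whenReady();",
    "dist/payload.js": b"var _0x1a2b=['Login Data','discord.com/api'];",
})
```

Running `triage_asar` on a real `app.asar` pulled from an installer's resources folder gives a quick first pass over which packed files deserve a closer look before any debugging.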
So what can we do at this point? Well, really, nothing much. I'm probably going to post the source code somewhere on the internet. Cloudflare doesn't respond to malware/piracy abuse complaints, so all we can do is submit our findings to the relevant organizations (and spam the collection endpoint with the bee movie). Here's a list of authorities to report your malicious domain findings to:
Report to Cisco Talos: https://talosintelligence.com/
Report to Spamhaus: https://submit.spamhaus.org/
Report to Google: https://safebrowsing.google.com/safebrowsing/report_badware/?hl=en
Downvote on Virustotal: https://www.virustotal.com/gui/home/search
Report on abuse.ch: https://urlhaus.abuse.ch/
[Insert CSOC's Platform Here].
And for the corresponding hosting providers, you can just send a message to their abuse email.
JS seems to be the script kid's language of choice in today's age, which is unsurprising considering that it is the language of the devil.
That's all for today my skittens. Remember to like, share and subscribe, with the notification bell on, and click the link in the description below to get 420% off a meowmix subscription with the code scr1p+Kitt13z.