SeriousHoax (80) Posted June 27
Discord Token Stealer that seems to be not detected by ESET. One of the sites that is spreading the malware, which should be blocked: hxxps://movesoul.yaziciali.repl.co
I don't have access to the malware files. Here are their Virustotal links:
https://www.virustotal.com/gui/file/0353bea6c80a4da37a7f66f05343a0699541ee32b5985425b854b63b32f8ceaf/detection
https://www.virustotal.com/gui/file/fdf4535c0d53b8af070203e190ce950b34d7b51a697f7e917b133705bfd2afe3/detection
@Marcos, please have a look at this. Also, does sending Virustotal links to ESET via email work? I sent a couple of other samples yesterday but no reply/detection for them yet.
Peter Randziak (ESET Moderator, 1,014) Posted June 27
Hello @SeriousHoax, I'm checking it with the lab. For sure it's much better to submit the report with the samples included, as those are being automatically processed. Grabbing hashes from a text and looking for those samples is manual work...
Peter
SeriousHoax (80, author) Posted June 27
3 hours ago, Peter Randziak said: Hello @SeriousHoax, I'm checking it with the lab. For sure it's much better to submit the report with the samples included, as those are being automatically processed. Grabbing hashes from a text and looking for those samples is manual work... Peter
Hello @Peter Randziak, thank you for replying and trying to help by getting in touch with the lab. With due respect, isn't manual work the job of a human analyst? Not all samples can be detected by an automated process, so human analysis is needed for many samples. I often find Virustotal links of malware that I don't have access to. For example, the above ones I found on Discord. The malware available on the shared site is password protected, so I could only share the VT links, not the files themselves. Sorry about that. I often submit samples to other vendors also, who are okay with analyzing malware from my submitted Virustotal links. Anyway, looks like the link and the samples are not detected yet. Thanks.
itman (1,595) Posted June 27 (edited)
Here's the deal with this web site. I scanned it at Quttera and it came back clean: https://quttera.com/detailed_report/movesoul.yaziciali.repl.co . However, there is an external link on the site to a Discord .rar file: https://cdn.discordapp.com/attachments/1114580031293890641/1122510525381738518/move_soul.rar . Looks like Quttera scanned the .rar in its sandbox and didn't find anything malicious. I would think that if an .exe was dropped from this .rar, Quttera would have noted this. Since only Dr. Web and Kaspersky are detecting the .exe, it could be that only Russia-based users are being targeted?
Edited June 27 by itman
SeriousHoax (80, author) Posted June 27
20 minutes ago, itman said: Looks like Quttera scanned the .rar in its sandbox and didn't find anything malicious. I would think that if an .exe was dropped from this .rar, Quttera would have noted this.
This is because the rar is password protected. I don't know the password; that's why I submitted the Virustotal link instead.
21 minutes ago, itman said: Since only Dr. Web and Kaspersky are detecting the .exe, it could be that only Russia-based users are being targeted?
No, one guy that I saw who got infected by it wasn't Russian. Dr.Web was already detecting it, and Kaspersky detects it as it was analyzed in their publicly available Opentip sandbox, where a heuristic detection picked it up after dynamic analysis. The infected user submitted it to Opentip. https://opentip.kaspersky.com/0353bea6c80a4da37a7f66f05343a0699541ee32b5985425b854b63b32f8ceaf/results?tab=lookup
itman (1,595) Posted June 27
Just now, SeriousHoax said: This is because the rar is password protected.
Well, Quttera was able to bypass the password protection. The sandbox analysis shows it scanned a couple of .png files from the .rar file.
SeriousHoax (80, author) Posted June 27
1 hour ago, itman said: Well, Quttera was able to bypass the password protection. The sandbox analysis shows it scanned a couple of .png files from the .rar file.
Oh, I saw it, but those don't look like they're from the rar. It's just some Discord icons or something from the Discord link itself. The rar file wasn't extracted. Anyway, it's real malware, and the link should be blocked as well to block distribution of the sample at the earliest stage. Bitdefender blacklisted the site within an hour of my submission.
itman (1,595) Posted June 27 (edited)
Scanned the .rar at Hybrid-Analysis: https://www.hybrid-analysis.com/sample/09158e8ddca7abcdf7379aeb7da7ece4e9fbf99b2a98e19511b723a7859bedb0 . It found one malicious file, mini-wallet.html, SHA256=df47aac0fa71fbcecc16685ad4024965491e601880daf1fefa3735e769df661b . Of note is that this file has zero detections at VT. Overall verdict was Suspicious, with the suspicious files detected being JavaScripts.
Edited June 27 by itman
SeriousHoax (80, author) Posted June 27
40 minutes ago, itman said: Scanned the .rar at Hybrid-Analysis: https://www.hybrid-analysis.com/sample/09158e8ddca7abcdf7379aeb7da7ece4e9fbf99b2a98e19511b723a7859bedb0 . It found one malicious file, mini-wallet.html, SHA256=df47aac0fa71fbcecc16685ad4024965491e601880daf1fefa3735e769df661b . Of note is that this file has zero detections at VT. Overall verdict was Suspicious, with the suspicious files detected being JavaScripts.
Those are not related to the malware. If you check the screenshots of the analysis, you'll see that it couldn't even download the rar file. It couldn't connect. The files that you see like "mini-wallet.html" are files of Microsoft Edge. I checked on my system. All the files there are from MS Edge.
itman (1,595) Posted June 27
To get this in proper perspective, only two AV vendors, BitDefender and G-Data, are currently flagging hxxps://movesoul.yaziciali.repl.co as malicious: https://www.virustotal.com/gui/url/6221168d086a8abf3a4018bc39c8e04d5aa44506797018fb1e690cff399e332c?nocache=1 . Whereas 12 AV vendors are currently flagging Move_Soul.exe as malicious: https://www.virustotal.com/gui/file/0353bea6c80a4da37a7f66f05343a0699541ee32b5985425b854b63b32f8ceaf/detection . Therefore, insufficient evidence exists at this time that the web site is the source of this malware.
SeriousHoax (80, author) Posted June 27 (edited)
49 minutes ago, itman said: To get this in proper perspective, only two AV vendors, BitDefender and G-Data, are currently flagging hxxps://movesoul.yaziciali.repl.co as malicious: https://www.virustotal.com/gui/url/6221168d086a8abf3a4018bc39c8e04d5aa44506797018fb1e690cff399e332c?nocache=1 . Whereas 12 AV vendors are currently flagging Move_Soul.exe as malicious: https://www.virustotal.com/gui/file/0353bea6c80a4da37a7f66f05343a0699541ee32b5985425b854b63b32f8ceaf/detection .
That's because I submitted the site to Bitdefender with the explanation and also one of the samples. I willingly sent only one sample to observe something, and my mission was successful. All the rest of the detections started to appear after Bitdefender's detection, while the other one remains with 2 detections. The site is also blocked by Norton. Their automated analysis blocked it instantly after my submission. It was already categorized as Suspicious, but for whatever reason, my submission triggered the change of reputation to Malicious source, which I suggested. Maybe a Norton user downloaded the file from that site before. BTW, G-Data not only uses BD's signatures but also their web-filtering SDK. At least they use the blacklist feed. That's why BD's blockage also made G-Data block it.
49 minutes ago, itman said: Therefore, insufficient evidence exists at this time that the web site is the source of this malware.
I have the evidence. The victim himself said that his Discord tokens were stolen by malware. When asked where he found it, he shared the site link, and he was also told to submit the sample to VT and Opentip, which he did; this is the result. I have the zip file on my PC, just don't know the password. The victim was banned for some other reasons not long after, so I couldn't ask for the password in time. This type of "check out my game" Discord scam is very common.
The chance of automated analysis not picking up the site is the most obvious thing, since it's not hosting the malware itself, just a link on a legit Discord domain to a password-protected archive.
Edited June 27 by SeriousHoax
SeriousHoax (80, author) Posted June 27
Here, just got a reply from Kaspersky. They have now blocked the site as well.
itman (1,595) Posted June 27 (edited)
1 hour ago, SeriousHoax said: The victim himself said that his Discord tokens were stolen by malware. When asked where he found it, he shared the site link
Looks like you're right on the money on this one. Attack example below:
Quote: The depiction in Figure 2 illustrates the following steps:
The delivery of TroubleGrabber to the victim's machine via Discord attachment link.
TroubleGrabber using Discord and Github for downloading the next stage payloads to the victim's machine.
The payloads steal victims' credentials like system information, IP address, web browser passwords, and tokens. It then sends them as a chat message back to the attacker via a webhook URL.
TroubleGrabber analysis: The sample we are using for this analysis was hosted in the Discord URL – https://cdn[.]discordapp[.]com/attachments/770854312020410388/770854941614014504/Discord_Nitro_Generator_and_Checker.rar (md5 – 172c6141eaa2a9b09827d149cb3b05ca). The downloaded archive "Discord_Nitro_Generator_and_Checker.rar" masqueraded as a Discord Nitro Generator application. The archive contained an executable file named "Discord Nitro Generator and Checker.exe". An excerpt from the decompiled code is shown in Figure 3.
https://www.netskope.com/blog/here-comes-troublegrabber-stealing-credentials-through-discord
Guess we should have explored the link to the Discord attachments .rar more thoroughly initially.
Edited June 27 by itman
Peter Randziak (ESET Moderator, 1,014) Posted June 28
Hello guys, the lab processed the samples and as of now they are subject to detection, so thank you for the submission.
16 hours ago, SeriousHoax said: With due respect, isn't manual work the job of a human analyst? Not all samples can be detected by an automated process, so human analysis is needed for many samples.
Well, yes it is, but the amount of samples / submissions is really huge, so the analysts have to pick which to process...
Peter
itman (1,595) Posted June 28
This attack is a great example of why a HIPS rule is needed to monitor process execution from the User temp directory, where the malware payload, Move_Soul.exe, ran from as shown in the VT behavior screenshot below:
Also note the creation of elevate.exe in the directory, most likely used for privilege escalation. Finally, one needs to perform due diligence in regards to the safety of the apps they are using. Discord has to rank near the top in regards to hacked apps.
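As an added illustration of the HIPS rule itman describes (example code written for this edit, not from the thread, from ESET, or from VirusTotal), the following Python flags process-creation records whose executable runs from a user's Temp directory and raises the severity when a Temp-resident process spawns another Temp-resident binary, the Move_Soul.exe to elevate.exe pattern mentioned above. The log lines are constructed for the example, and the flattened "Key: value | Key: value" record format and its field names are assumptions of the example, not a real Sysmon or ESET log format.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample process-creation records (not taken from the thread or from
# VirusTotal), flattened into a simple "Key: value | Key: value" line format that
# is an assumption of this example, not Sysmon's real output format.
SAMPLE_EVENTS = [
    "UtcTime: 2023-06-27 10:01:02 | Image: C:\\Windows\\System32\\svchost.exe"
    " | ParentImage: C:\\Windows\\System32\\services.exe | User: NT AUTHORITY\\SYSTEM",
    "UtcTime: 2023-06-27 10:05:41 | Image: C:\\Users\\alice\\AppData\\Local\\Temp\\Rar$EXa0.123\\Move_Soul.exe"
    " | ParentImage: C:\\Program Files\\WinRAR\\WinRAR.exe | User: DESKTOP\\alice",
    "UtcTime: 2023-06-27 10:05:43 | Image: C:\\Users\\alice\\AppData\\Local\\Temp\\elevate.exe"
    " | ParentImage: C:\\Users\\alice\\AppData\\Local\\Temp\\Rar$EXa0.123\\Move_Soul.exe | User: DESKTOP\\alice",
    "UtcTime: 2023-06-27 10:07:00 | Image: C:\\Users\\alice\\AppData\\Local\\Programs\\Discord\\Discord.exe"
    " | ParentImage: C:\\Windows\\explorer.exe | User: DESKTOP\\alice",
    "UtcTime: 2023-06-27 10:09:15 | Image: C:\\Users\\alice\\AppData\\Local\\Temp\\is-ABCDE.tmp\\setup.tmp"
    " | ParentImage: C:\\Users\\alice\\Downloads\\installer.exe | User: DESKTOP\\alice",
]

# Per-user temp directory on Windows: <drive>:\Users\<name>\AppData\Local\Temp\...
USER_TEMP_RE = re.compile(r"^[A-Za-z]:\\Users\\[^\\]+\\AppData\\Local\\Temp\\", re.IGNORECASE)


@dataclass
class ProcessEvent:
    utc_time: str
    image: str
    parent_image: str
    user: str


def parse_event(line: str) -> ProcessEvent:
    """Split one flattened record into its fields (format assumed by this example)."""
    fields = {}
    for part in line.split(" | "):
        key, _, value = part.partition(": ")
        fields[key.strip()] = value.strip()
    return ProcessEvent(fields["UtcTime"], fields["Image"], fields["ParentImage"], fields["User"])


def is_user_temp_path(path: str) -> bool:
    """True when the executable lives under a user's AppData\\Local\\Temp tree."""
    return bool(USER_TEMP_RE.match(path))


def evaluate(event: ProcessEvent) -> Optional[dict]:
    """Apply the 'execution from user Temp' rule; return a finding or None."""
    image_in_temp = is_user_temp_path(event.image)
    parent_in_temp = is_user_temp_path(event.parent_image)
    if not image_in_temp and not parent_in_temp:
        return None
    if image_in_temp and parent_in_temp:
        # A Temp-resident process spawning another Temp-resident binary (the
        # Move_Soul.exe -> elevate.exe pattern described in the thread).
        severity, reason = "high", "user Temp process spawned another user Temp executable"
    elif image_in_temp:
        severity, reason = "medium", "executable launched from user Temp directory"
    else:
        severity, reason = "medium", "user Temp process spawned a child outside Temp"
    return {
        "time": event.utc_time,
        "user": event.user,
        "image": event.image,
        "parent": event.parent_image,
        "severity": severity,
        "reason": reason,
    }


def scan(lines: List[str]) -> List[dict]:
    """Run the rule over every record and keep only the hits."""
    findings = []
    for line in lines:
        finding = evaluate(parse_event(line))
        if finding is not None:
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"[{f['severity']:6}] {f['time']} {f['user']}: {f['image']} (parent: {f['parent']}) - {f['reason']}")
```

On the constructed input the rule fires three times: the archive-extracted Move_Soul.exe (medium), elevate.exe spawned by it (high), and the installer's setup.tmp (medium). That last hit is the caveat for any real HIPS rule of this kind: legitimate installers also unpack and run from Temp, so the rule belongs in ask or log mode with tuned exceptions, and it is the Temp-to-Temp parent/child relationship that separates the case in this thread from ordinary installer noise.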
SeriousHoax (80, author) Posted June 28
8 hours ago, Peter Randziak said: Hello guys, the lab processed the samples and as of now they are subject to detection, so thank you for the submission.
Thanks for your help.
8 hours ago, Peter Randziak said: Well, yes it is, but the amount of samples / submissions is really huge, so the analysts have to pick which to process...
I understand. I may try another method that I thought of to increase the chance of ESET analysts analyzing my submitted sample even if it's just Virustotal links. If that doesn't work, then I can always share the sample's VT link here like in this post of mine. Cheers.
SeriousHoax (80, author) Posted June 28
2 hours ago, itman said: Finally, one needs to perform due diligence in regards to the safety of the apps they are using. Discord has to rank near the top in regards to hacked apps.
The app itself is not hacked. It's just that a lot of scam/malicious things are shared on some channels. People who fall for these are mostly unaware teenagers. Telegram is abused a lot too. I browse Discord in my browser only, mainly to see if I can find any new malware like the one I shared here.
itman (1,595) Posted June 28
FYI, @SeriousHoax: Eset is still not blocking the https://movesoul.yaziciali.repl.co/ web site: https://www.virustotal.com/gui/url/6221168d086a8abf3a4018bc39c8e04d5aa44506797018fb1e690cff399e332c?nocache=1 .
SeriousHoax (80, author) Posted June 28 (edited)
1 hour ago, itman said: FYI, @SeriousHoax: Eset is still not blocking the https://movesoul.yaziciali.repl.co/ web site: https://www.virustotal.com/gui/url/6221168d086a8abf3a4018bc39c8e04d5aa44506797018fb1e690cff399e332c?nocache=1 .
Yeah, saw that. I can still visit the site. Who knows why! There's no reason not to block it 🙄
Edited June 28 by SeriousHoax
itman (1,595) Posted June 28 (edited)
I found this posting over at the MalwareBytes forum with the same attack method, a password-protected Discord-based .rar file. The difference being that the poster was sent the file from another infected, clueless source:
Quote: Hello, So yesterday my discord and protonmail got hacked by a password encrypted .rar file another hacked friend said was a game. While an obvious scam it was that I fell for, I don't know why malwarebytes scanners haven't picked up on its code yet. I still have it in case if it needs to be analyzed, but I'd like to know if anyone could dissect it to see if it's a rootkit, keylogger, or how it works and to add it to MWB's list for future detections so people don't fall for it.
https://forums.malwarebytes.com/topic/295848-resolved-lazzarusrar-not-detected-by-virus-scanners/
The lesson to be learned here is to be extremely suspicious of password-protected archives, especially Discord-based .rar ones.
Edited June 28 by itman
Nightowl (Most Valued Member, 197) Posted July 2 (edited)
The thing here, in that quote, is that the victim fell for a supposed game inside a password-protected RAR file shared through Discord, which sounds so unreal: what kind of game would fit inside a RAR file small enough to be sent through Discord, Jazz Jackrabbit 2? Never mind, but NEVER accept files from Discord, especially from unknown users. Apart from images and stickers sent in conversation, better not to accept anything from Discord, especially if it was from a stranger.
From the Discord page (those settings can help also):
Quote: Be wary of suspicious links and files. DON'T click on links that look suspicious or appear to have been shortened or altered. Discord will try and warn you about links that are questionable, but it's no substitute for thinking before you click. DON'T download files or applications from users you don't know or trust. Were you expecting a file from someone? If not, don't click the file! DON'T open a file that your browser or computer has flagged as potentially malicious without knowing it's safe.
https://discord.com/safety/360043857751-four-steps-to-a-super-safe-account
Edited July 2 by Nightowl