Discord now playing with gamers by turning into an info-stealing malware backdoor

Discord is one of the most popular social media platform which is used by gamers for all-in-one voice and text chat for.

Discord works both on phone as well as PCs. Gamers can stream their gameplay videos and chat with other gamers for tips and references they need. Being free and user-friendly are the features that made discord popular among the people interested in gaming. A recent research has now discovered that a new malware is targeting Discord users by modifying the Windows Discord client. Windows Discord client is an electron application and uses almost all functionalities derived from HTML, CSS and JavaScript.

Using such functionalities allows the modification of core files so that malicious activities can be executed upon startup. After installing the malware will add it’s own malicious JavaScript to the “%AppData%\Discord\[version]\modules\discord_modules\index.js” and “%AppData%\Discord\[version]\modules\discord_desktop_core\index.js” files. This malware restarts the Discord application in order to run the new JavaScript changes. JavaScript runs various Discord API commands and JavaScript functions to collect a variety of information about the user. This information is then sent using Discord webhook to the attacker.

The information collected and sent to the attacker includes Discord user token, victim timezone, victim’s local IP address, victim’s public IP address via WebRTC, user information such as username, email, phone number and more. All this information could allow the user to steal passwords, personal information or any other personal and sensitive data copied by the user. Discord malware then executes the fightdio() function which will then act like the backdoor. This function connects to a remote site to receive extra commands. These commands then allow the attacker to perform malicious activity such as stealing payment information, executing commands, or potentially installing further malware.

Discord however has certain methods of alarming it’s users about the malware threats. Update 10/24/19 added sections on checking specified JS files for modifications and how Discord can monitor these modifications. Update 10/24/19 added information about the C2 being dead, the name of this infection may be BlueFace and the malware has been discontinued.

Use NPAV and stay protected from all malware attacks.

Sharing is caring!

One comment

Leave a Reply

Your email address will not be published. Required fields are marked *