Malware turns Discord client into password stealer
New variant of the AnarchyGrabber trojan can steal plain text passwords
Hackers have updated the AnarchyGrabber trojan to a new version which is capable of stealing passwords and user tokens, disabling 2FA and spreading malware to a victim’s friends as well.
This is the second update the trojan has received this year, as it was also updated back in April to modify Discord client files in order to evade detection by antivirus software and steal user accounts every time someone logs into the popular chat service.
AnarchyGrabber is distributed for free on hacking forums and in YouTube videos, and the trojan is used by cybercriminals on Discord who claim it is a game cheat, hacking tool or copyrighted software. Instead it modifies the Discord client’s JavaScript files to turn it into malware that can steal a victim’s Discord user token, which is then used by an attacker to log into the popular chat service as the victim.
Hackers have now released a modified version of the AnarchyGrabber trojan with updated and more powerful features.
AnarchyGrabber3
AnarchyGrabber3 is a new variant of the popular malware which can steal a victim’s plain text passwords and even command an infected client to spread malware to a victim’s Discord friends. Since the attackers are now stealing plain text passwords, they can also use them in credential stuffing attacks in order to compromise a victim’s other online accounts as well.
When installed, AnarchyGrabber3 will modify the Discord client’s index.js file to load additional JavaScript files, including a custom inject.js from a 4n4rchy folder as well as a malicious file called discordmod.js. The malicious scripts will then log the user out of Discord and ask them to log in again.
When a victim logs in, the modified Discord client will try to disable 2FA on their account. The client then uses a Discord webhook to send the user’s email address, login name, user token, plain text password and IP address to a Discord channel controlled by the attacker. The modified client will also listen for commands sent by the attacker once the victim is logged in. One of these commands can even be used to send a message to all of the victim’s friends that contains malware the attackers want to spread.
This trojan is particularly dangerous because it makes it hard for average users to know they’re infected as the AnarchyGrabber3 executable does not stay on a user’s system or run again after it has modified the Discord client files.
Thankfully, it is quite easy to see if your system has been infected with AnarchyGrabber3. Simply open Discord’s index.js file in %AppData%\Discord\[version]\modules\discord_desktop_core with Notepad and look for a single line of code that looks like this: "module.exports = require('./core.asar')". If your client contains no other code, then it likely hasn’t been infected with the trojan.
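The manual Notepad check above can be scripted so that every installed Discord version is inspected at once. The following Python script is an added example, not code from the article or from BleepingComputer: it assumes the folder layout %AppData%\Discord\[version]\modules\discord_desktop_core\index.js and treats any non-empty line other than the expected `module.exports = require('./core.asar')` loader as unexpected. The two sample file contents at the bottom are constructed to mirror the article's description (extra loader lines pulling in inject.js from a 4n4rchy folder and discordmod.js) and are not taken from a real infection.

```python
import os
from pathlib import Path

# The only line a clean discord_desktop_core/index.js should contain, per the article.
EXPECTED_INDEX_JS = "module.exports = require('./core.asar')"


def index_js_findings(content: str) -> list[str]:
    """Return every non-empty line of index.js that is not the expected loader line.

    An empty list means the file looks clean; anything else is code that should not
    be there (for example additional require() calls loading injected scripts).
    """
    findings = []
    for line in content.splitlines():
        stripped = line.strip()
        if not stripped:
            continue
        # Tolerate a trailing semicolon or double quotes so a harmless variant
        # of the expected line is not reported as suspicious.
        normalised = stripped.rstrip(";").replace('"', "'")
        if normalised == EXPECTED_INDEX_JS:
            continue
        findings.append(stripped)
    return findings


def scan_discord_installs(appdata: Path) -> dict[str, list[str]]:
    """Inspect index.js under every versioned Discord module folder below `appdata`.

    Assumed layout (from the article): <appdata>/Discord/<version>/modules/discord_desktop_core/index.js
    Returns a mapping of file path -> list of unexpected lines (empty list = clean).
    """
    results = {}
    for index_js in appdata.glob("Discord/*/modules/discord_desktop_core/index.js"):
        text = index_js.read_text(encoding="utf-8", errors="replace")
        results[str(index_js)] = index_js_findings(text)
    return results


# Constructed sample contents (not real malware output), used for a self-test below.
CLEAN_SAMPLE = "module.exports = require('./core.asar');\n"
MODIFIED_SAMPLE = (
    "module.exports = require('./core.asar');\n"
    "require('./4n4rchy/inject.js');   // constructed: extra loader line\n"
    "require('./discordmod.js');\n"
)


if __name__ == "__main__":
    # Self-test on the constructed samples first.
    assert index_js_findings(CLEAN_SAMPLE) == []
    assert len(index_js_findings(MODIFIED_SAMPLE)) == 2

    # Then scan the real profile directory (APPDATA on Windows; a Roaming fallback elsewhere).
    appdata = Path(os.environ.get("APPDATA", Path.home() / "AppData" / "Roaming"))
    results = scan_discord_installs(appdata)
    if not results:
        print(f"No Discord index.js found under {appdata}")
    for path, findings in results.items():
        status = "clean" if not findings else f"SUSPICIOUS ({len(findings)} unexpected line(s))"
        print(f"{path}: {status}")
        for line in findings:
            print(f"    {line}")
```

Run it from the affected user's account so that %AppData% resolves to their profile; a non-empty findings list is a reason to reinstall the Discord client and rotate the account password and token, as the article's own advice implies.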
Via BleepingComputer
After working with the TechRadar Pro team for the last several years, Anthony is now the security and networking editor at Tom’s Guide where he covers everything from data breaches and ransomware gangs to the best way to cover your whole home or business with Wi-Fi. When not writing, you can find him tinkering with PCs and game consoles, managing cables and upgrading his smart home.