The ASEC analysis team recently found info-stealing malware being distributed through the Discord messenger. The malware uses the Discord API to send the stolen information to the attacker. This Discord-based method was previously covered in the ASEC blog.
The Discord server that distributes the malware sells and shares illegal pornography. The creator of the malware, who is also the administrator of the server, uploads a compressed file to the server’s ‘Free Porn’ channel and prompts users to run it.
Decompressing run_2.zip yields the executable run.exe, which is the actual malware, developed in .NET. The malware first checks the current time: if it is run after June 21st, 2021 9:29:57 P.M., it throws an exception and terminates; if it is run before that time, it proceeds with its malicious behaviors.
It first launches the legitimate process regasm.exe, then decodes the encoded malware it carries internally and injects it into that process. Malware distributed in Korea is usually RAT malware such as njRAT, but here the attacker abuses WebBrowserPassView, a NirSoft utility, to steal web browser account information.
WebBrowserPassView is normally a GUI program. However, when the /stext switch and an output path are passed as arguments, it runs from the command line in a way that is hard for users to notice. Thus the argument “/stext data.dll” shown below instructs it to collect the account information stored by the web browsers on the current system, without the user realizing it, and to write the result as a text file in the same directory.
The malware then steals the user’s Discord token. To do so, it reads files ending in .ldb or .log in the directories listed below, searching for token keywords.
\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb
\AppData\Local\Naver\Naver Whale\User Data\Default\Local Storage\leveldb
\AppData\Roaming\Opera Software\Opera Stable\Local Storage\leveldb
\AppData\Local\BraveSoftware\Brave-Browser\User Data\Default\Local Storage\leveldb
\AppData\Local\Yandex\YandexBrowser\User Data\Default\Local Storage\leveldb
The obtained token, together with the current system’s user name, is sent to the attacker through the Discord WebHook API. The WebHook API lets the malware deliver both the data and a notification to the attacker’s Discord server: when a POST request carrying the information is made to the URL shown below, the attacker receives a notification along with the stolen information. The URL used, which contains the attacker’s WebHook ID and token, is as follows.
After sending the infected user’s Discord token, the malware sends the web browser account information it obtained earlier, the data.dll file. It is sent in a file format that also contains the user name, IP address, OS information, number of CPU cores, and PC name.
After sending all of the stolen information, the malware deletes the data.dll file containing the web browser account information and terminates itself.
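As an added example (not part of the ASEC post and not code from the malware), the following Python scans constructed EDR-style process-creation and network events for the three behaviors described above: the NirSoft /stext switch, regasm.exe initiating outbound connections, and a non-Discord process posting to the webhook API. The event field names, the process allow-lists and the webhook ID/token in the sample events are assumptions or placeholders.

```python
import re
from urllib.parse import urlparse

# Hosts and path prefix of the Discord webhook API abused for exfiltration.
WEBHOOK_HOSTS = {"discord.com", "discordapp.com"}
WEBHOOK_PATH = "/api/webhooks/"
# Processes that legitimately reach Discord (assumed allow-list); any other
# image posting to a webhook URL deserves a look.
DISCORD_CLIENTS = {"discord.exe", "chrome.exe", "msedge.exe", "firefox.exe", "whale.exe"}
# .NET utilities that never need outbound network access; the sample injects
# into regasm.exe, so regasm.exe opening connections is a strong signal.
NO_NETWORK_IMAGES = {"regasm.exe", "regsvcs.exe"}
STEXT_RE = re.compile(r"(?:^|\s)/stext(?:\s|$)", re.IGNORECASE)


def basename(path):
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def check_event(ev):
    """Return a list of alert tuples for one event dict; empty means benign."""
    alerts = []
    image = basename(ev.get("Image", ""))
    if ev["EventType"] == "ProcessCreate":
        # NirSoft GUI tools run with /stext dump every recovered credential to a
        # file without showing a window, exactly how the sample drives the tool.
        if STEXT_RE.search(ev.get("CommandLine", "")):
            alerts.append(("nirsoft-stext", image))
    elif ev["EventType"] == "NetworkConnect":
        url = urlparse(ev.get("Url", ""))
        host = (url.hostname or "").lower()
        if image in NO_NETWORK_IMAGES:
            alerts.append(("unexpected-network", image))
        if host in WEBHOOK_HOSTS and url.path.startswith(WEBHOOK_PATH) and image not in DISCORD_CLIENTS:
            # Record only the webhook ID; the token is the attacker's credential
            # and does not need to be copied into every alert.
            webhook_id = url.path[len(WEBHOOK_PATH):].split("/")[0]
            alerts.append(("discord-webhook-exfil", image, webhook_id))
    return alerts


def scan(events):
    return [alert for ev in events for alert in check_event(ev)]


# Constructed sample events (not real telemetry); webhook ID/token are placeholders.
SAMPLE_EVENTS = [
    {"EventType": "ProcessCreate", "Image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe", "CommandLine": "regasm.exe"},
    {"EventType": "ProcessCreate", "Image": r"C:\Users\u\AppData\Local\Temp\WebBrowserPassView.exe", "CommandLine": "WebBrowserPassView.exe /stext data.dll"},
    {"EventType": "NetworkConnect", "Image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe", "Url": "https://discordapp.com/api/webhooks/000000000000000000/PLACEHOLDER_TOKEN"},
    {"EventType": "NetworkConnect", "Image": r"C:\Users\u\AppData\Local\Discord\app\Discord.exe", "Url": "https://discord.com/api/v9/gateway"},
]
```

Running `scan(SAMPLE_EVENTS)` yields one alert for the /stext launch and two for the regasm.exe webhook POST; the Discord client's own traffic produces none.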
The attacker is distributing info-stealing malware disguised as free porn in a Discord server that shares illegal pornography. The distributed malware also abuses Discord to send the stolen information to the attacker. Users must be aware that sharing illegal videos is a violation of the law, and they must not download files from unknown sources. V3 should also be updated to the latest version so that malware infections can be prevented.
– Trojan/Win.Generic.C4518741 (2021.06.08.03)
– Info-stealing malware: 982c55aed3a44155f3c6830fb57b02fa
– WebBrowserPassView: 053778713819beab3df309df472787cd
– Discord WebHooks API: hxxps://discordapp[.]com/api/webhooks/850992968948121641/vOIDbofeitMYkhskGBRl_N-wZTkqd5Pep2MapAwzZ6g4gAKxXMvYt4HzGSQXruBWq_-x