RAT Malware Operating via Discord Bot


Discord is a social platform where users can create servers to form communities and communicate in real-time, supporting voice, video, and text chat. While it initially gained popularity among gamers, it has now expanded into a space where groups with diverse interests gather to communicate.

A Discord Bot is a program that automatically performs specific tasks on user-created servers, offering various features such as server management, automated message responses, game facilitation, music playback, and notification delivery, making server operation easier. These bots are mainly implemented using languages like Python and JavaScript, and they interact with servers through the Discord API.

This post analyzes a case (PySilon) in which RAT malware was implemented as a Discord Bot. The full source code of this RAT is publicly available on GitHub, and the project also maintains communities on its own website and on Telegram.


Figure 1. RAT malware builder program

The Builder supports customization: the user supplies the information needed for a Discord Bot, such as the Server ID and bot token, together with the registry path and value name under which the malware will be installed on the system. The builder then inserts these values into the pre-written Python source and packages it into an executable (.exe) with PyInstaller.


Figure 2. Process of building customized RAT malware

When the executable built in this way is run on a user’s PC, a new channel is created on the server set up by the threat actor. The IP address and other system information are then sent to the threat actor as a chat message, as shown in the image below.

A new channel is created for each PC infected by the bot, allowing the threat actor to control each infected PC individually.


Figure 3. System information sent by the initially installed bot to the threat actor

Figure 4. Maintaining persistence

When the built RAT malware is executed on the system, it copies itself into a folder under the user profile to maintain persistence (see Figure 4) and registers that copy in the registry Run key. As a result, the malware is launched again and stays resident every time the PC starts. The threat actor can also customize the name of the folder used for the self-copy.
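The persistence mechanism above (a self-copy under the user profile plus a Run-key value pointing at it) is something an analyst can check for on any host. The following Python script is an added example and is not code from the page or from the PySilon project: it parses Run-key command lines, flags entries whose executable lives under a user-writable path, and, when run on Windows, reads the real HKCU/HKLM Run keys through the standard `winreg` module. The sample entries, the list of path hints and the value names are constructed for the demo.

```python
import re
from dataclasses import dataclass

RUN_KEY_PATH = r"Software\Microsoft\Windows\CurrentVersion\Run"

# Path fragments of user-writable locations. A self-copying RAT that drops a
# copy of itself under the user profile and registers that copy in the Run
# key will match one of these; vendor installers usually register binaries
# from Program Files or System32. Constructed list, extend as needed.
USER_WRITABLE_HINTS = (
    r"\appdata\local\temp",
    r"\appdata\roaming",
    r"\appdata\local",
    r"\users\public",
    r"\downloads",
    r"\programdata",
)


@dataclass
class RunEntry:
    hive: str      # "HKCU" or "HKLM"
    name: str      # value name
    command: str   # value data: the command line that is auto-started


def extract_executable(command):
    """Return the executable path from a Run-key command line.

    Handles a quoted path followed by arguments ("C:\\dir with spaces\\a.exe" /x)
    and a bare path (C:\\dir\\a.exe /x); otherwise the first token is returned.
    """
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end != -1 else command[1:]
    match = re.match(r"(.+?\.exe)\b", command, re.IGNORECASE)
    return match.group(1) if match else command.split()[0]


def is_suspicious(entry):
    """True when the auto-started executable lives under a user-writable path."""
    exe = extract_executable(entry.command).lower()
    return any(hint in exe for hint in USER_WRITABLE_HINTS)


def triage(entries):
    """Return the entries an analyst should look at first."""
    return [e for e in entries if is_suspicious(e)]


def collect_live_entries():
    """Read the HKCU and HKLM Run keys on a Windows host; returns [] elsewhere."""
    try:
        import winreg
    except ImportError:
        return []
    entries = []
    for hive, root in (("HKCU", winreg.HKEY_CURRENT_USER),
                       ("HKLM", winreg.HKEY_LOCAL_MACHINE)):
        try:
            key = winreg.OpenKey(root, RUN_KEY_PATH)
        except OSError:
            continue
        with key:
            index = 0
            while True:
                try:
                    name, data, _ = winreg.EnumValue(key, index)
                except OSError:
                    break
                entries.append(RunEntry(hive, name, str(data)))
                index += 1
    return entries


# Constructed sample entries standing in for a registry dump. "OneDrive" is a
# legitimate per-user install under AppData and is flagged too: the output is
# a review queue for an analyst, not a verdict.
SAMPLE_ENTRIES = [
    RunEntry("HKLM", "SecurityHealth",
             r"C:\Windows\system32\SecurityHealthSystray.exe"),
    RunEntry("HKLM", "VMware User Process",
             r'"C:\Program Files\VMware\VMware Tools\vmtoolsd.exe" -n vmusr'),
    RunEntry("HKCU", "OneDrive",
             r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'),
    RunEntry("HKCU", "WindowsUpdater",
             r'"C:\Users\alice\AppData\Roaming\SystemUpdate\updater.exe"'),
]

if __name__ == "__main__":
    live = collect_live_entries()
    for entry in triage(live or SAMPLE_ENTRIES):
        print(f"{entry.hive}\\...\\Run  {entry.name}: {entry.command}")
```

Because the builder lets the operator choose the registry value name and the drop folder, matching on a fixed name is unreliable; the location of the executable is the more stable signal. Expect legitimate per-user installers (OneDrive, Teams, update helpers) to show up as well, so treat the list as a starting point for review and confirm with file signature, creation time and the path of the self-copy.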

Additionally, the malware contains anti-VM logic that checks for file and process names characteristic of virtual machines. If it recognizes a virtual environment, it does not perform its functions there.


Figure 5. Available commands

Afterward, the threat actor can type the commands listed in Figure 5 into the chat of the created channel to perform additional malicious behaviors.

Below are the main actions of the malware viewed from the threat actor’s perspective.


  • Collecting information

Figure 6. Collecting information

The Grab command collects information from the system on which the RAT malware is installed.

It gathers the user’s personal information, including payment information, together with browsing history and cookies read from the installed browsers’ profile paths, and extracts various stored passwords, all of which are sent to the threat actor.

Information collected: Discord token, Nitro status, MFA details, email, phone number, passwords, cookies, web browsing history, etc.


  • Screen recording and audio recording

Figure 7. Screen and audio recording files sent to the threat actor

It supports screen and audio recording on the infected PC using Python modules such as pyautogui, numpy, imageio, and sounddevice.


  • Keylogging

Figure 8. Keylogging

It transmits the keystrokes typed so far to the threat actor’s server each time the user presses “Enter”.


  • Folder encryption

Figure 9. Encryption/decryption commands

Figure 10. Key file created in user folder

It can encrypt the files within a folder on the infected PC. The encryption uses Fernet, a symmetric scheme, and the key file needed for decryption is written to the user folder.

The encrypted files are given a .pysilon extension, and no ransom note is created.
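Because the key file is left in the user folder, an incident responder's first question is whether that key actually matches the .pysilon files before attempting recovery. The script below is an added example, not code from the page or from the PySilon project. It uses only the Python standard library: it parses the Fernet token layout (version byte 0x80, big-endian timestamp, 16-byte IV, AES-CBC ciphertext, HMAC-SHA256 tag) and verifies the tag with the signing half of the key, which is enough to confirm the key/file pairing without decrypting anything. The sample key and token are constructed for the demo; the token's ciphertext is filler, so it is not decryptable, and the function names and `.pysilon` scan helper are this example's own.

```python
import base64
import hashlib
import hmac
import pathlib
import struct

FERNET_VERSION = 0x80
ENCRYPTED_EXT = ".pysilon"


def load_fernet_key(key_bytes):
    """Split a urlsafe-base64 Fernet key into its (signing_key, encryption_key)
    halves; a Fernet key is 32 raw bytes with the signing key first."""
    raw = base64.urlsafe_b64decode(key_bytes.strip())
    if len(raw) != 32:
        raise ValueError("not a 32-byte Fernet key")
    return raw[:16], raw[16:]


def inspect_token(token, signing_key=None):
    """Parse a Fernet token without decrypting it.

    Returns a dict describing the structure (version byte, timestamp, IV,
    ciphertext length) and, when a signing key is given, whether the token's
    HMAC-SHA256 verifies under it, i.e. whether the key file on disk is the
    one that produced this file.
    """
    try:
        data = base64.urlsafe_b64decode(token.strip())
    except ValueError:
        return {"fernet": False, "reason": "not base64"}
    # version(1) + timestamp(8) + IV(16) + ciphertext(>=16) + HMAC(32)
    if len(data) < 1 + 8 + 16 + 16 + 32 or data[0] != FERNET_VERSION:
        return {"fernet": False, "reason": "bad length or version byte"}
    body, tag = data[:-32], data[-32:]
    info = {
        "fernet": True,
        "timestamp": struct.unpack(">Q", body[1:9])[0],  # seconds since epoch
        "iv": body[9:25].hex(),
        "ciphertext_len": len(body) - 25,
        "block_aligned": (len(body) - 25) % 16 == 0,  # AES-CBC with PKCS7
    }
    if signing_key is not None:
        expected = hmac.new(signing_key, body, hashlib.sha256).digest()
        info["key_matches"] = hmac.compare_digest(expected, tag)
    return info


def scan_folder(folder, key_path):
    """Inspect every *.pysilon file below folder against the key file."""
    signing_key, _ = load_fernet_key(pathlib.Path(key_path).read_bytes())
    return {str(p): inspect_token(p.read_bytes(), signing_key)
            for p in pathlib.Path(folder).rglob("*" + ENCRYPTED_EXT)}


def make_sample_token(signing_key, ciphertext, iv, timestamp):
    """Build a structurally valid token for the demo; the ciphertext is filler,
    so this token cannot be decrypted and the script never tries to."""
    body = bytes([FERNET_VERSION]) + struct.pack(">Q", timestamp) + iv + ciphertext
    tag = hmac.new(signing_key, body, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(body + tag)


# Constructed fixtures, not material from a real infection.
SAMPLE_KEY = base64.urlsafe_b64encode(bytes(range(32)))
OTHER_KEY = base64.urlsafe_b64encode(bytes(range(32, 64)))
SAMPLE_SIGNING_KEY = load_fernet_key(SAMPLE_KEY)[0]
OTHER_SIGNING_KEY = load_fernet_key(OTHER_KEY)[0]
SAMPLE_TOKEN = make_sample_token(SAMPLE_SIGNING_KEY, b"\x11" * 32, b"\x22" * 16, 1700000000)
NOT_A_TOKEN = b"plain text, never encrypted"

if __name__ == "__main__":
    print(inspect_token(SAMPLE_TOKEN, SAMPLE_SIGNING_KEY))
    print(inspect_token(SAMPLE_TOKEN, OTHER_SIGNING_KEY))
```

The timestamp embedded in each token is also useful on its own: it records when each file was encrypted, which dates the encryption command in the incident timeline independently of filesystem metadata. Once `key_matches` is true for the files, the recovery itself can be done with the key file and a standard Fernet implementation; keep a copy of the key file before any cleanup that removes the user folder contents.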

In addition to the functions described above, it can modify the hosts file to create and manage a blacklist/whitelist of websites, upload and download files, execute cmd commands, start and terminate processes, and even call native Windows functions to trigger a blue screen of death (BSOD).
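Of the functions listed above, the hosts-file manipulation leaves an artifact that is easy to audit. The following Python script is an added example, not code from the page or from the PySilon project: it parses a hosts file, reports every mapping that is not a stock localhost entry, classifies each as blackholed (loopback or 0.0.0.0, which blocks the site) or redirected (any other address), and diffs the current file against a known-good baseline. The two hosts files, the `.example` domain names and the function names are constructed for the demo.

```python
import ipaddress

# Names a stock hosts file may legitimately map to loopback.
DEFAULT_NAMES = {"localhost", "localhost.localdomain", "broadcasthost",
                 "ip6-localhost", "ip6-loopback", "ip6-localnet",
                 "ip6-mcastprefix", "ip6-allnodes", "ip6-allrouters"}


def parse_hosts(text):
    """Yield (line_no, ip, hostname) for each active mapping; comments and
    malformed lines are skipped."""
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        try:
            ipaddress.ip_address(parts[0])
        except ValueError:
            continue
        for host in parts[1:]:
            yield line_no, parts[0], host.lower()


def classify(ip):
    """'blackholed' for loopback/unspecified targets (the site stops resolving),
    'redirected' for anything else (the site resolves to an attacker-chosen host)."""
    addr = ipaddress.ip_address(ip)
    return "blackholed" if addr.is_loopback or addr.is_unspecified else "redirected"


def find_tampering(text):
    """Every non-default mapping, with how it affects name resolution."""
    return [{"line": n, "ip": ip, "host": host, "effect": classify(ip)}
            for n, ip, host in parse_hosts(text) if host not in DEFAULT_NAMES]


def new_mappings(current_text, baseline_text):
    """Mappings present now that a known-good baseline did not have."""
    baseline = {(ip, host) for _, ip, host in parse_hosts(baseline_text)}
    return [(ip, host) for _, ip, host in parse_hosts(current_text)
            if (ip, host) not in baseline]


# Constructed fixtures: a stock Windows hosts file and a tampered copy.
BASELINE_HOSTS = """# Copyright (c) 1993-2009 Microsoft Corp.
# localhost name resolution is handled within DNS itself.
#\t127.0.0.1       localhost
#\t::1             localhost
"""
TAMPERED_HOSTS = BASELINE_HOSTS + """127.0.0.1 security-vendor.example
0.0.0.0 updates.example.net www.updates.example.net
198.51.100.7 login.example.org   # redirect, not a block
"""

if __name__ == "__main__":
    # On a live Windows host read C:\Windows\System32\drivers\etc\hosts instead.
    for finding in find_tampering(TAMPERED_HOSTS):
        print(f"line {finding['line']}: {finding['host']} -> {finding['ip']} ({finding['effect']})")
    print("new since baseline:", new_mappings(TAMPERED_HOSTS, BASELINE_HOSTS))
```

Ad-blocking hosts lists and some enterprise tooling also add blackhole entries, so a non-empty result is not proof of infection on its own; the baseline comparison narrows it to what changed, and a modification time on the hosts file that lines up with the malware's drop time ties the two together.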


Open-source projects that implement malicious RAT functions over Discord, like PySilon, continue to appear. Since the source code is public, threat actors can easily build it into their own bots and disguise them as useful tools. Moreover, because the data travels through Discord’s official servers, the same infrastructure that legitimate bots use, it is very difficult for users to realize that the malware is installed. It is therefore important to exercise caution when installing bots or programs from untrusted sources.

Gain access to related IOCs and detailed analysis by subscribing to AhnLab TIP. For subscription details, click the banner below.