Bitcoin Forum
Topic: PM links in Discord Deskt. client can steal your Password ,Cryptocurrencies !  (Read 355 times)
Lafu
June 17, 2020, 11:11:30 PM
Last edit: June 18, 2020, 08:13:42 PM by Lafu
Merited by LoyceV (6), o_e_l_e_o (2), DdmrDdmr (2), JayJuanGee (1), MoparMiningLLC (1)
 #1

As I have been hunting malware and suspicious links posted here on the forum and on Discord for over a year now, I wanted to share an article I found.
Because I guess a lot of users are also using Discord, they should know about this and also how to remove the malware when your PC is infected.



AnarchyGrabber is a popular trojan that is commonly spread for free on hacker forums and within YouTube videos that explain how to steal Discord user tokens.
Threat actors then distribute the trojan on Discord, where they pretend it's a game cheat, hacking tool, update for a Wallet or copyrighted software.

This is AnarchyGrabber3, a highly infectious Trojan that steals passwords from Discord profiles,
disables 2FA and in turn spreads (like a Trojan) through direct messages to the friends list with flashy offers (free paid games, free premium software or even free cryptocurrencies).
This Trojan attacks users with the desktop version of Discord.

Once the Trojan enters the victim's system, it overwrites the JavaScript file index.js in the Discord client's path and automatically calls the attacker's machine,
which can log in to your account and remove all the coins.

How to know if you are infected with the AnarchyGrabber3 Trojan?

You have to go to the path on your hard disk containing the Discord client.
In almost all cases (for Windows users) it is C:\Users\Your_user\AppData\Roaming\Discord\version\modules\discord_desktop_core.
Once there, open the file index.js with an editor.



Check that your file looks like the following picture.
If there are any extra lines of text, your Discord client has probably been compromised by this trojan.



Is there another modified Discord client JavaScript file in there?
This file will then load another malicious javascript file called discordmod.js into the client.



The malicious scripts will then log the user out of the Discord client and prompt them to log in.

Once a victim logs in, the modified Discord client will attempt to disable 2FA on their account.
The client then uses a Discord webhook to send the user's email address, login name, user token, plain text password, and IP address to a Discord channel under the attacker's control.

After the AnarchyGrabber3 executable is run and modifies the Discord client files, it does not stay resident or run again.
Therefore, there is no malicious process for antivirus software to detect, and the infected user will continue to be part of the botnet whenever they connect to Discord.

So if there is another line written besides " module.exports = require('./core.asar'); ", quickly disable your internet connection,
then go to Control Panel - Add or Remove Programs and uninstall Discord completely.
You should run some scans with different antivirus and malware-detecting software to clean your PC.
After that you can install Discord again or, my personal suggestion, use the browser version of Discord.

How you can get infected

For example:

You are in a Discord server channel of a project.
One of the users in the channel gets infected, or the hacker himself is in there, and they send a PM on Discord to every user or randomly to you.
Normally you don't get a PM directly from the infected user, but that can happen too.
Mostly the user you get the PM from has a name like the project's, let's call it Wallet update Bot or something similar.


Source: PM from my Discord

In this PM they say you have to update your wallet or your account or whatever and click the link.
If you click the link and download it or install their files, that's where the magic happens.

You can avoid this if you just delete the PM you got and don't click or download anything you don't know.
Projects don't PM you with updates; they just write their updates in their own project channel.
You don't get infected when you receive the PM.





Article , Images and Sources used for this thread are from:

https://www.publish0x.com/cryptalk/new-ransomware-attacks-your-discord-account-and-extracts-you-xqokole
https://www.bleepingcomputer.com/news/security/discord-client-turned-into-a-password-stealer-by-updated-malware/
https://cdn.publish0x.com/prod/fs/images/a804cbb676986e45c959f5060270ece10f484a70c83946c089b0c1bb2ebe58af.png
https://cdn.publish0x.com/prod/fs/images/355dbef9f3b5984df03cdb3979a9dc1def0556f205d7f07a138417adb8502e40.png
https://www.bleepstatic.com/images/news/malware/d/discord/anarchygrabber3/4n4rchy-folder.png
https://twitter.com/malwrhunterteam




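The index.js check described in the first post, automated as an added example (not part of the original thread and not a Discord tool). It assumes, as the post states, that a clean index.js holds only the `module.exports = require('./core.asar');` line; the sample version folders and the extra line are constructed test data.

```python
import os
import sys
from pathlib import Path

# Per the thread, a clean index.js holds only this statement.
EXPECTED = "module.exports = require('./core.asar');"
# File name the thread reports for the injected second script.
KNOWN_BAD_NAMES = {"discordmod.js"}


def check_index_js(path):
    """Return a list of problems found in one index.js (empty list = clean)."""
    text = Path(path).read_text(encoding="utf-8", errors="replace")
    lines = [ln.strip() for ln in text.lstrip("\ufeff").splitlines() if ln.strip()]
    problems = ["unexpected line: %r" % ln[:80] for ln in lines if ln != EXPECTED]
    if EXPECTED not in lines:
        problems.append("expected require('./core.asar') line is missing")
    return problems


def scan_discord_dir(root):
    """Walk a Discord data directory; return sorted (path, problem) findings."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        here = Path(dirpath)
        for name in files:
            if name.lower() in KNOWN_BAD_NAMES:
                findings.append((str(here / name), "file name reported for this trojan"))
        if here.name == "discord_desktop_core" and "index.js" in files:
            for problem in check_index_js(here / "index.js"):
                findings.append((str(here / "index.js"), problem))
    return sorted(findings)


def build_sample_tree(base):
    """Constructed sample data: one clean and one tampered version folder."""
    clean = Path(base) / "0.0.1" / "modules" / "discord_desktop_core"
    bad = Path(base) / "0.0.2" / "modules" / "discord_desktop_core"
    for d in (clean, bad):
        d.mkdir(parents=True)
    (clean / "index.js").write_text(EXPECTED + "\n", encoding="utf-8")
    (bad / "index.js").write_text(
        EXPECTED + "\n/* constructed extra line, stands in for injected code */\n",
        encoding="utf-8")
    (bad / "discordmod.js").write_text("// constructed placeholder\n", encoding="utf-8")
    return clean / "index.js", bad / "index.js"


if __name__ == "__main__":
    # Default is %APPDATA%\Discord, the location given in the thread.
    root = sys.argv[1] if len(sys.argv) > 1 else os.path.join(
        os.environ.get("APPDATA", "."), "Discord")
    results = scan_discord_dir(root)
    for path, problem in results:
        print("SUSPICIOUS %s: %s" % (path, problem))
    sys.exit(1 if results else 0)
```

A non-zero exit code means at least one file needs manual inspection; because every version folder is walked, an old tampered copy left beside a newer clean one is also reported.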
MoparMiningLLC
June 17, 2020, 11:23:33 PM
 #2

thanks for the heads up

though my discord path stops at  C:\Users\Your_user\AppData\Roaming\Discord\

edit:

it was a hidden folder: and yes my index looks as it should.

 

chaser15
June 18, 2020, 12:10:50 AM
 #3

This is AnarchyGrabber3, a highly infectious Trojan that steals passwords from Discord profiles,
disables 2FA and in turn spreads (like a Trojan) through direct messages to the friends list with flashy offers (free paid games, free premium software or even free cryptocurrencies).

Thanks, OP. This is alarming. People should really "think before they click". All this malware will not enter the system unless the user themselves pulls the trigger for it.

If I'm not mistaken on Discord, people can't just send a message to anyone they like or randomly. That's why every user should use their common sense if they received something unusual to their friends (either via direct connection or in a group).

As stated, this malware will just affect the Desktop version. Based on my observation, Discord was highly used on mobile so it will lessen the risks, but still, always take note of the safety measures like in any other applications we use.
alani123
June 18, 2020, 01:09:48 AM
 #4

Can you share a little more detail on how this Trojan spreads? You said through discord but I think it'd be useful to also know if Discord's client has any vulnerabilities or perhaps if there are any suspicious behaviors that users should be aware of and avoid. Can it spread to a user unbeknownst to them for example or does it require some action/trickery?

TryNinja
June 18, 2020, 02:27:58 AM
Merited by Lafu (1), DdmrDdmr (1)
 #5

You should fix your title. This is a malware, totally unrelated to Discord, that attacks your computer and uses Discord as a disguise to steal your stuff. It could use Skype, Office or even Chrome. "Discord Desktop client" does NOT steal your password and cryptocurrencies, which is what your title says. The third-party malware (that doesn't appear through Discord) does that.

Little Mouse
June 18, 2020, 02:28:29 AM
 #6

Can you share a little more detail on how this Trojan spreads? You said through discord but I think it'd be useful to also know if Discord's client has any vulnerabilities or perhaps if there are any suspicious behaviors that users should be aware of and avoid. Can it spread to a user unbeknownst to them for example or does it require some action/trickery?
Discord has no vulnerability. It does not spread through Discord. It spreads when you visit a hacking site and try to download anything, or follow a YouTube tutorial of hacking. That's what OP said.
Thanks for the heads up Lafu.

"Discord Desktop client" does NOT steal your password and cryptocurrencies. The third-party malware does that.
Lafu does not mean that. He tried to say that this malware steals your password and access to your discord account. But yeah, the title is misleading.
asianguy845
June 18, 2020, 02:31:20 AM
 #7

If you think your discord token has been grabbed, you can change your password. When your password changes, your token changes.
So this is easy to recover from :)
TryNinja
June 18, 2020, 02:50:29 AM
 #8

Lafu does not mean that. He tried to say that this malware steals your password and access to your discord account. But yeah, the title is misleading.
I know. But I clicked looking for a vulnerability in Discord that lets someone hack us. And I was ready to uninstall Discord if that was the case.

The title "Discord Desktop client steals your Password and Cryptocurrencies via Malware!" literally says Discord (the app) steals password through a malware. But it's the contrary. A malware is stealing passwords through Discord.

Lafu
June 18, 2020, 03:13:27 PM
Last edit: June 18, 2020, 08:14:19 PM by Lafu
 #9

The title "Discord Desktop client steals your Password and Cryptocurrencies via Malware!" literally says Discord (the app) steals password through a malware.
Yep, you are right, it was a mistake on my side and I have changed it to " PM links in Discord Deskt. client can steal your Password ,Cryptocurrencies "
Hope it's more informative and explanatory now.



If you think your discord token has been grabbed, you can change your password. When your password changes, your token changes.
So this is easy to recover from :)

It has nothing to do with the Discord token itself.
You can change your password 1000 times; if you don't get rid of the extra line in the index.js file, the script gets loaded again.
Discord loads this file anew every time you log in and runs the script.



It does not spread through Discord. It spreads when you visit a hacking site and try to download anything, or follow a YouTube tutorial of hacking. That's what OP said.
Thanks for the heads up Lafu.

You are wrong on that. This malware was changed and is optimized and designed only for Discord.
It spreads through Discord and has nothing to do with other websites.
You get infected from Discord.



Can you share a little more detail on how this Trojan spreads? You said through discord but I think it'd be useful to also know if Discord's client has any vulnerabilities or perhaps if there are any suspicious behaviors that users should be aware of and avoid. Can it spread to a user unbeknownst to them for example or does it require some action/trickery?

It's just simple how you can get infected.

For example:

You are in a Discord server channel of a project.
One of the users in the channel gets infected, or the hacker himself is in there, and they send a PM on Discord to every user or randomly to you.
Normally you don't get a PM directly from the infected user, but that can happen too.
Mostly the user you get the PM from has a name like the project's, let's call it Wallet update Bot or something similar.


Source: PM from my Discord

In this PM they say you have to update your wallet or your account or whatever and click the link.
If you click the link and download it or install their files, that's where the magic happens.

You can avoid this if you just delete the PM you got and don't click or download anything you don't know.
Projects don't PM you with updates; they just write their updates in their own project channel.
You don't get infected when you receive the PM.


Hope it's now a bit better explained how it works and how it can happen.
Will update my first post with that too.

Sorry that you misunderstood it all at first, that was my fault and I hope it's better now!





Macadonian
June 18, 2020, 07:35:21 PM
 #10

The title is still a little misleading because it literally sounds like the developers behind discord are the ones stealing the passwords without reading the content of the post. It should read that a virus which affects Discord steals your password and cryptocurrencies as that would be more accurate and at the same time avoiding the click bait title.
hd49728
July 19, 2020, 01:57:48 PM
 #11

Thanks for the warning topic on PM links in Discord.

Months previously I spent my time to compose that topic Discord & scammers. Check user IDs and user colors of strangers send you PMs. Now, I will be aware of PM links, user IDs, colors on Discord. Anyway, links provided by strangers should be treated with caution on any platform, not only on Discord Desktop.
