Malware turns Discord client into password stealer

(Image credit: Shutterstock)

Hackers have updated the AnarchyGrabber trojan to a new version which is capable of stealing passwords and user tokens, disabling 2FA and spreading malware to a victim's friends as well.

This is the second update the trojan has received this year as it was also updated back in April to modify Discord client files in order to evade detection by antivirus software and steal user accounts every time someone logs into the popular chat service. 

AnarchyGrabber is distributed for free on hacking forums and in YouTube videos and the trojan is used by cybercriminals on Discord who claim it is a game cheat, hacking tool or copyrighted software. Instead it modifies the Discord client's JavaScript files to turn it into malware that can steal a victim's Discord user token which is then used by an attacker to log into the popular chat service as the victim.

Hackers have now released a modified version of the AnarchyGrabber trojan with updated and more powerful features.

AnarchyGrabber3

AnarchyGrabber3 is a new variant of the popular malware which can steal a victim's plain text passwords and even command an infected client to spread malware to a victim's Discord friends. Since the attackers are now stealing plain text passwords, they can also use them in credential stuffing attacks in order to compromise a victim's other online accounts as well.

When installed, AnarchyGrabber3 will modify the Discord client's index.js file to load additional JavaScript files including a custom inject.js from a 4n4rchy folder as well a malicious file called discordmod.js. The malicious scrips will then log the user out of Discord and ask them to log in again.

When a victim logs in, the modified Discord client will try to disable 2FA on their account. The client then uses a Discord webhook to send the user's email address, login name, user token, plain text password and IP address to a Discord channel controlled by the attacker. The modified client will also listen for commands sent by the attacker once the victim is logged in. One of these commands can even be used to send a message to all of the victim's friends that contains malware the attackers want to spread.

This trojan is particularly dangerous because it makes it hard for average users to know they're infected as the AnarchyGrabber3 executable does not stay on a user's system or run again after it has modified the Discord client files.

Thankfully, it is quite easy to see if your system has been infected with AnarchyGrabber3. Simply open Discord's index.js file in %AppData%\Discord\[version]\modules\discord_desktop_core with Notepad and look for a single line of code that looks like this: “module.exports = require('./core.asar')”. If your client contains no other code, then it likely hasn't been infected with the trojan.

Via BleepingComputer

Anthony Spadafora

After working with the TechRadar Pro team for the last several years, Anthony is now the security and networking editor at Tom’s Guide where he covers everything from data breaches and ransomware gangs to the best way to cover your whole home or business with Wi-Fi. When not writing, you can find him tinkering with PCs and game consoles, managing cables and upgrading his smart home.