

Upgraded version of Stealer Targeting Discord Users

Cyble Research Labs has come across a new strain of malware performing stealing activities, named Hazard Token Grabber.

The initial version of Hazard Token Grabber was spotted in the wild in 2021, and we have now observed an upgraded version, which Threat Actors (TAs) are using to steal users' data. Both versions are available on GitHub for free.

During our OSINT threat hunting exercise, we came across over 2000 samples related to this stealer present in the wild. Most of the samples seen in the wild are the actual Python source code of the malware used for compiling the binary, indicating that the malware has been used on a large scale. Interestingly, a few of the samples had either low or even zero detection.

As per the statement made by the Threat Actor (TA), it appears that an upgraded version of Hazard Stealer can be accessed by purchasing it on their Discord server or website. This indicates that the malware present on GitHub might not be that evasive, and the TA has only uploaded it there for advertisement purposes. Figure 1 shows the statement made by the Threat Actor.

The number of samples related to Hazard stealer has increased significantly in the last three months, as shown below.

Figure 2 – Stats of the sample submission in VirusTotal

The figure below shows the file details of one of the recent samples we analyzed.

Hazard Token Grabber is developed using Python, and the builder of this stealer supports Python version 3.10. The builder is a simple batch file that helps generate the payload and convert the malicious Python script into a binary. The malware exfiltrates the data to a Discord channel using webhooks, which can be modified through the configuration settings. The malware configuration also contains flag variables and a list of programs to terminate during execution, as shown below.

The malware copies itself into the startup location to establish persistence and creates a randomly named directory in %temp% to store the stolen data.

Figure 6 – Creating a folder in the Temp directory

Upon execution, the stealer checks the configuration settings and builds a list of the function names whose flag is set to TRUE. After this, the malware creates a thread for each function in the list so that the malicious routines run in parallel.

The malware performs various checks to detect debugging and terminates itself if it is being debugged.

Figure 8 – Anti-debug check

The malware has a list of a few hardcoded values, such as hardware IDs, PC names, and usernames, that are excluded from infection. The figure below shows the hardcoded lists.

The malware also checks the disk size of the victim's system; if it is below 50GB, it terminates itself. It then reads the following registry keys to identify a virtual environment (the second query is issued from a shell command with `2> nul` appended, so any error output is suppressed):

SYSTEM\CurrentControlSet\Services\Disk\Enum
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\\0000\ProviderName

Figure 9 – Query registry

The malware then scans for the presence of a Discord token protector, a tool that protects Discord tokens from malicious grabbers. To evade it, the malware checks for certain files, such as DiscordTokenProtector.exe, ProtectionPayload.dll, and secure.dat. If these files are present in the DiscordTokenProtector directory, the malware removes them. After this, the malware also modifies the config.json file in the DiscordTokenProtector directory to bypass the token protector.

Figure 10 – Bypassing DiscordTokenProtector
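The VM-fingerprinting registry reads and the DiscordTokenProtector tampering described in this analysis both leave host telemetry that a defender can key on. The following is an added example, not code from the Cyble write-up or from the stealer; it runs two triage rules over constructed process and file events. The event schema, the directory path, and the `{CLASS-GUID-PLACEHOLDER}` component are assumptions made for the example, and it assumes the registry reads surface as a `reg query` child command line, as the `2> nul` fragment suggests.

```python
# Added example: triage rules for two Hazard Token Grabber behaviours.
# The event schema below is constructed for this example; map your own
# EDR/Sysmon fields (process command line, file delete/write paths) onto it.
from collections import defaultdict

# Registry paths the stealer reads to fingerprint a virtual machine. The class
# key in the write-up has a GUID component between Class\ and \0000, so the
# second rule matches the prefix and the tail independently.
VM_KEY_MARKERS = (
    ("\\services\\disk\\enum",),
    ("\\control\\class\\", "\\0000\\providername"),
)

# Files the stealer deletes (first three) or rewrites (config.json) to disable the protector.
DTP_FILES = {"discordtokenprotector.exe", "protectionpayload.dll", "secure.dat", "config.json"}


def is_vm_fingerprint_query(cmdline: str) -> bool:
    """True when a command line reads one of the VM-fingerprinting keys."""
    c = cmdline.lower()
    return any(all(m in c for m in markers) for markers in VM_KEY_MARKERS)


def is_token_protector_tamper(path: str) -> bool:
    """True for a delete/write of a protector file inside a DiscordTokenProtector directory."""
    parts = path.replace("/", "\\").lower().split("\\")
    return "discordtokenprotector" in parts[:-1] and parts[-1] in DTP_FILES


def triage(events):
    """Return {pid: sorted rule names} for every process that tripped at least one rule."""
    hits = defaultdict(set)
    for ev in events:
        if ev["type"] == "process" and is_vm_fingerprint_query(ev["cmdline"]):
            hits[ev["pid"]].add("vm_fingerprint_reg_query")
        elif ev["type"] in ("file_delete", "file_write") and is_token_protector_tamper(ev["path"]):
            hits[ev["pid"]].add("discord_token_protector_tamper")
    return {pid: sorted(rules) for pid, rules in hits.items()}


# Constructed sample events; the install path and GUID placeholder are made up.
SAMPLE_EVENTS = [
    {"type": "process", "pid": 100,
     "cmdline": "cmd.exe /c reg query HKLM\\SYSTEM\\CurrentControlSet\\Services\\Disk\\Enum 2> nul"},
    {"type": "process", "pid": 100,
     "cmdline": "cmd.exe /c reg query HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Class"
                "\\{CLASS-GUID-PLACEHOLDER}\\0000\\ProviderName 2> nul"},
    {"type": "file_delete", "pid": 100, "path": "C:\\Tools\\DiscordTokenProtector\\secure.dat"},
    {"type": "file_write", "pid": 100, "path": "C:\\Tools\\DiscordTokenProtector\\config.json"},
    {"type": "process", "pid": 200, "cmdline": "reg query HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run"},
    {"type": "file_write", "pid": 300, "path": "C:\\Users\\victim\\Documents\\config.json"},
]

if __name__ == "__main__":
    for pid, rules in triage(SAMPLE_EVENTS).items():
        print(pid, rules)
```

A single process that trips both rules, as pid 100 does here, is a much stronger signal than either rule alone, since the registry reads on their own also occur in legitimate inventory tooling.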
