A new malware is targeting Discord users by modifying the Windows Discord client so that it is transformed into a backdoor and an information-stealing Trojan.
The Windows Discord client is an Electron application, which means that almost all of its functionality is derived from HTML, CSS, and JavaScript. This allows malware to modify its core files so that the client executes malicious behavior on startup.
Discovered by researcher MalwareHunterTeam earlier this month, this malware is called “Spidey Bot” based on the name of the Discord command and control channel that the malware communicated with. A comment in the article below, though, claims it’s real name is “BlueFace”.
When installed, the malware will add its own malicious JavaScript to the %AppData%\Discord\[version]\modules\discord_modules\index.js and %AppData%\Discord\[version]\modules\discord_desktop_core\index.js files.
The malware will then terminate and restart the Discord app in order for the new JavaScript changes to be executed.
Once started, the JavaScript will execute various Discord API commands and JavaScript functions to collect a variety of information about the user that is then sent via a Discord webhook to the attacker.
The information that is collected and sent to the attacker includes:
- Discord user token
- Victim timezone
- Screen resolution
- Victim’s local IP address
- Victim’s public IP address via WebRTC
- User information such as username, email address, phone number, and more
- Whether they have stored payment information
- Zoom factor
- Browser user agent
- Discord version
- The first 50 characters of the victims Windows clipboard
The contents of the clipboard is especially concerning as it could allow the user to steal passwords, personal information, or other sensitive data that was copied by the user.
After sending the information, the Discord malware will execute the fightdio() function, which acts as a backdoor.
This function will connect to a remote site to receive an extra command to execute. This allows the attacker to perform other malicious activity such as stealing payment information if it exists, executing commands on the computer, or potentially installing further malware.
At this time, the above site is down, but it is not known if a different sample utilizes a different site or not. Furthermore, one commenter below states that the malware has been discontinued, but we have no way of confirming that.
Researcher and reverse engineer Vitali Kremez who also analyzed the malware told BleepingComputer that the infection has been seen using file names such as “Blueface Reward Claimer.exe” and “Synapse X.exe”. While it is not 100% sure how it is being spread, Kremez feels that the attacker is using Discord messaging to spread the malware.
As this infection shows no outward indication that it has been compromised, a user will have no idea they are infected unless they perform network sniffing and see the unusual API and web hook calls.
If the installer is detected and removed, the modified Discord files will still remain infected and continue to be executed each time you start the client. The only way to clean the infection will be to uninstall the Discord app and reinstall it so that the modified files are removed.
Even worse, after over two weeks, this Discord malware still only has 24/65 detections on VirusTotal.
How to check if you are infected
Checking if your Discord client has been modified is very easy as the targeted files normally have only one line of code in them.
To check the %AppData%\Discord\[version]\modules\discord_modules\index.js simply open it in Notepad and it should only contain the single line of “module.exports = require(‘./discord_modules.node’);” as shown below.
For the %AppData%\Discord\[version]\modules\discord_desktop_core\index.js file, it should only contain the “module.exports = require(‘./core.asar’);” string as shown below.
If either of the two files contain code other than what is shown above, then you should uninstall and reinstall the Discord client and confirm the modifications are removed.
It is important to remember, though, that other malware can just as easily modify other JavaScript files used by the Discord client so these instructions are only for this particular malware.
How can Discord protect your from malware threats
After posting this article, we have received many questions on how Discord can warn users about modifications to the client.
Discord can do this by creating a hash of each client file when a new version is released. After being installed, if the file is modified this hash will change.
When the Discord client starts, it can perform a file integrity check and see if the current file’s hashes match the default hashes for the Discord client. If they are different, that file has been modified and the app can display a warning, such as the mockup we created below, that allows the user to continue loading the client or to cancel it.
This check should be done using native code rather than another JavaScript file, which can be easily modified.
Update 10/24/19: Added sections on checking if specified JS files have been modified and how Discord can monitor these types of modifications.
Update 10/24/19 5:25PM EST: Added information about the C2 being dead, that the real name for this infection may be BlueFace, and that the malware is said to be discontinued. We cannot confirm the last two claims.