Threat Watch

Discord Turned Into an Info-Stealing Backdoor by New Malware

The researcher MalwareHunterTeam has found new malware that targets Discord users by modifying the Windows Discord client into a backdoor and information-stealing Trojan. Discord is a group chat and voice communication app that is popular among people who play video games online together. The Windows Discord client is an Electron application, built primarily with HTML, CSS and JavaScript, which allows malware to modify its core files so that the client executes malicious behavior on startup. The malware is called Spidey Bot, based on the name of the Discord Command and Control (C2) channel that it communicates with.

When installed, the malware adds its own malicious JavaScript to the files %AppData%\Discord\[version]\modules\discord_modules\index.js and %AppData%\Discord\[version]\modules\discord_desktop_core\index.js. It then terminates and restarts the Discord app so that the new JavaScript is executed. Once restarted, the new JavaScript executes various Discord Application Program Interface (API) commands and JavaScript functions to collect information about the user, which is then sent to the attacker via a Discord webhook. The collected information includes the Discord user token, the victim's time zone, screen resolution, local and public IP addresses, username, email address, phone number, clipboard contents, and stored payment information. The malware could also allow an attacker to steal a victim's password, personal information and other sensitive data.

After sending the information, the malware opens a backdoor that allows an attacker to send further commands to perform malicious activities, such as executing commands or potentially installing other malware.


To make sure they do not have this malware, users are advised to completely remove the Discord client for Windows and reinstall it using a fresh download from the Discord website. Discord has released a new version that addresses and removes the altered files.
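A triage check for the two index.js files named above, as an added example that is not from the original article or from Discord. The function name `scan_discord`, the marker patterns (derived from the webhook and clipboard behaviour described, not from published indicators) and the optional baseline of hashes recorded from a fresh install are all assumptions.

```python
import hashlib
import os
import re
from pathlib import Path

# Files the article says the malware modifies, relative to
# %AppData%\Discord\[version]\modules
TARGETS = ("discord_modules/index.js", "discord_desktop_core/index.js")

# Assumed heuristics derived from the behaviour described in the article
# (webhook exfiltration, clipboard collection); not published indicators.
MARKERS = {
    "webhook_url": re.compile(rb"/api/webhooks/", re.I),
    "clipboard_access": re.compile(rb"clipboard", re.I),
    "hardcoded_url": re.compile(rb"https?://", re.I),
}


def scan_discord(root, baseline=None):
    """Report on both index.js files of every version directory under root.

    baseline (optional) maps a TARGETS entry to the SHA-256 of a known-good
    copy, for example one recorded straight after a fresh reinstall.
    """
    baseline = baseline or {}
    results = []
    for version_dir in sorted(Path(root).iterdir()):
        for rel in TARGETS:
            path = version_dir / "modules" / rel
            if not path.is_file():
                continue
            data = path.read_bytes()
            digest = hashlib.sha256(data).hexdigest()
            hits = sorted(n for n, rx in MARKERS.items() if rx.search(data))
            known = baseline.get(rel)
            match = None if known is None else known.lower() == digest
            results.append({
                "path": str(path), "sha256": digest, "size": len(data),
                "markers": hits, "baseline_match": match,
                "suspicious": bool(hits) or match is False,
            })
    return results


if __name__ == "__main__":
    discord = Path(os.environ.get("APPDATA", "")) / "Discord"
    if discord.is_dir():
        for r in scan_discord(discord):
            verdict = "SUSPICIOUS" if r["suspicious"] else "no markers"
            print(verdict, r["path"], r["sha256"], r["markers"])
```

A file with no marker hits is not proven clean; only a match against a hash taken from a fresh install shows that it is unmodified.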