Thanks for the warning topic on PM links in Discord.
Months previously I spent my time to compose that topic Discord & scammers. Check user IDs and user colors of strangers send you PMs. Now, I will be aware of PM links, user IDs, colors on Discord. Anyway, links are provided by strangers should be cautious on any platforms, not only on Discord Desktop.
Topic: PM links in Discord Deskt. client can steal your Password ,Cryptocurrencies ! (Read 385 times)
July 19, 2020, 09:57:48 AM
June 18, 2020, 03:35:21 PM
The title is still a little misleading because it literally sounds like the developers behind discord are the ones stealing the passwords without reading the content of the post. It should read that a virus which affects Discord steals your password and cryptocurrencies as that would be more accurate and at the same time avoiding the click bait title.
June 18, 2020, 11:13:27 AM
The title "Discord Desktop client steals your Password and Cryptocurrencies via Malware!" literally says Discord (the app) steals password through a malware.
Yeb you are right and it was a misstake from my side and i have changed it to " PM links in Discord Deskt. client can steal your Password ,Cryptocurrencies " Hope its more Informative and explaining now.
If you think your discord token has been grabbed, you can change your password. When your password changes, your token changes.
So this is easy to recover from
So this is easy to recover from
It has nothing to do with the Discord token for itself .
You can change your password 1000 x if you dont get rid of the extra line in the index.js file the script gets loaded again.
Discord loads everytime this file new when you loggin and run the script .
It does not spread through Discord. It spreads when you visit a hacking site and try to download anything, or follow a youtibe tutorial of hacking. That's what OP said.
Thanks for the heads up Lafu.
Thanks for the heads up Lafu.
You are wrong on that. This malware was changed and is only optimized designed for Discord .
Its spreads through Discord and has nothing to do with other websites.
You get infected from Discord .
Can you share a little more detail on how this Trojan spreads? You said through discord but I think it'd be useful to also know if Discord's client has any vulnerabilities or perhaps if there are any suspicious behaviors that users should be aware of and avoid. Can it spread to a user unbeknownst to them for example or does it require some action/trickery?
Its just simple how can get infected.
For example :
You are in a Discord Server Channel from a Project .
One of the Users in channel get infected or the Hacker itself is in there , they sending to every User or randomly a PM to you on Discord .
You dont get a pm directly from the infected User normaly , but can be happend too.
Mostly the User you get the PM has the name like the Project has , lets call it Wallet update Bot or something similar.
Source : PM from my Discord
In this pm they say you have to update your wallet or your Account or whatever and click the Link .
If you click the link and download it or install there files thats where the magic happens.
You can avoid this if you just delete the PM you have got and dont click or download anything you dont know.
All projects dont PM you with updates and they just write there updates in there one Project Channel.
You dont get infected when you receive the PM
Hope its now a bit better expalined how it works and can be happend .
Will update my first post with that too.
Sry that you have missunderstanding it all in the first line , was my fault and hope its better now!
June 17, 2020, 10:50:29 PM
Lafu does not mean that. He tried to say that this malware steals your password and access to your discord account. But yeah, the title is misleading.
I know. But I clicked looking for a vulnerability in Discord that lets someone hack us. And I was ready to uninstall Discord if that was the case.The title "Discord Desktop client steals your Password and Cryptocurrencies via Malware!" literally says Discord (the app) steals password through a malware. But it's the contrary. A malware is stealing passwords through Discord.
June 17, 2020, 10:31:20 PM
If you think your discord token has been grabbed, you can change your password. When your password changes, your token changes.
So this is easy to recover from
So this is easy to recover from
legendary
Activity: 1960
Merit: 1908
Marketing Campaign Manager |Telegram ID- @LT_Mouse
June 17, 2020, 10:28:29 PM
Can you share a little more detail on how this Trojan spreads? You said through discord but I think it'd be useful to also know if Discord's client has any vulnerabilities or perhaps if there are any suspicious behaviors that users should be aware of and avoid. Can it spread to a user unbeknownst to them for example or does it require some action/trickery?
Discord has no vulnerability. It does not spread through Discord. It spreads when you visit a hacking site and try to download anything, or follow a youtibe tutorial of hacking. That's what OP said.Thanks for the heads up Lafu.
"Discord Desktop client" does NOT steal your password and cryptocurrencies. The third-party malware does that.
Lafu does not mean that. He tried to say that this malware steals your password and access to your discord account. But yeah, the title is misleading. June 17, 2020, 10:27:58 PM
You should fix your title. This is a malware, totally unrelated to Discord, that attacks your computer and uses Discord as a disguise to steal your stuff. It could use Skype, Office or even Chrome. "Discord Desktop client" does NOT steal your password and cryptocurrencies, which is what your title says. The third-party malware (that doesn't appear through Discord) does that.
June 17, 2020, 09:09:48 PM
Can you share a little more detail on how this Trojan spreads? You said through discord but I think it'd be useful to also know if Discord's client has any vulnerabilities or perhaps if there are any suspicious behaviors that users should be aware of and avoid. Can it spread to a user unbeknownst to them for example or does it require some action/trickery?
June 17, 2020, 08:10:50 PM
This is AnarchyGrabber3, a highly infectious Trojan that steals passwords from Discord profiles,
disables 2FA and in turn spreads (like a Trojan) through direct messages to the friends list with flashy offers (free paid games, free premium software or even free cryptocurrencies).
disables 2FA and in turn spreads (like a Trojan) through direct messages to the friends list with flashy offers (free paid games, free premium software or even free cryptocurrencies).
Thanks, OP. This is alarming. People should really "think before they click". All these malware will not enter the system unless the user itself pulls the trigger for it.
If I'm not mistaken on Discord, people can't just send a message to anyone they like or randomly. That's why every user should use their common sense if they received something unusual to their friends (either via direct connection or in a group).
As stated, this malware will just affect the Desktop version. Based on my observation, Discord was highly used in mobile so it will lessen the risks but still, always take note of the safety measures like in any other applications we used.
June 17, 2020, 07:23:33 PM
thanks for the heads up
though my discord path stops at C:\Users\Your_user\AppData\Roaming\Discord\
edit:
it was a hidden folder: and yes my index looks as it should.
edit:
it was a hidden folder: and yes my index looks as it should.
June 17, 2020, 07:11:30 PM
As i hunting now over an year posted Malware and Suspicious Links here on the Forum and on Discord i wanted to share a Article i found .
Because i guess a lot of Users are using Discord also and they should be knowing that and also how you can remove the Malware when your pc is infected.
AnarchyGrabber is a popular trojan that is commonly spread for free on hacker forums and within YouTube videos that explain how to steal Discord user tokens.
Threat actors then distribute the trojan on Discord, where they pretend it's a game cheat, hacking tool, update for a Wallet or copyrighted software.
This is AnarchyGrabber3, a highly infectious Trojan that steals passwords from Discord profiles,
disables 2FA and in turn spreads (like a Trojan) through direct messages to the friends list with flashy offers (free paid games, free premium software or even free cryptocurrencies).
This Trojan attacks users with the desktop version of Discord.
Once the Trojan enters the victim's system, it overwrites the JavaScript file index.js in the Discord client's path and automatically calls the attacker's machine,
which can log in to your account and remove all the coins.
How to know if you are infected with the AnarchyGrabber3 Trojan?
You have go to the path of your hard disk containing the Discord client.
In almost all cases (for Windows users) it is C:\Users\Your_user\AppData\Roaming\Discord\version\modules\discord_desktop_core.
being there, open with an Editor the file index.js
Check that your file looks like the following picture.
If there are any extra lines of text, your Discord client has probably been compromised by this trojan.
Is there a other Modified Discord client JavaScript file in there .
This file will then load another malicious javascript file called discordmod.js into the client.
The malicious scripts will then log the user out of the Discord client and prompt them to log in.
Once a victim logs in, the modified Discord client will attempt to disable 2FA on their account.
The client then uses a Discord webhook to send the user's email address, login name, user token, plain text password, and IP address to a Discord channel under the attacker's control.
After the AnarchyGrabber3 executable is run and modifies the Discord client files, it does not stay resident or run again.
Therefore, there is no malicious process for antivirus software to detect, the infected user will continue to be part of the botnet whenever they connect to Discord.
So if there is another line written, besides that " module.exports = require('./core.asar'); ", quickly disable your internet internet connection,
then go to Control Panel - Add or Remove Programs and uninstall Discord completely.
You should be make some scans with diffrent Antivirus and Malware detecing Software to clean your PC.
After that you can install Discord again or my personal suggestion use the Browser version for Discord.
How you can be get Infected
For example :
You are in a Discord Server Channel from a Project .
One of the Users in channel get infected or the Hacker itself is in there , they sending to every User or randomly a PM to you on Discord .
You dont get a pm directly from the infected User normaly , but can be happend too.
Mostly the User you get the PM has the name like the Project has , lets call it Wallet update Bot or something similar.
Source : PM from my Discord
In this pm they say you have to update your wallet or your Account or whatever and click the Link .
If you click the link and download it or install there files thats where the magic happens.
You can avoid this if you just delete the PM you have got and dont click or download anything you dont know.
All projects dont PM you with updates and they just write there updates in there one Project Channel.
You dont get infected when you receive the PM
Article , Images and Sources used for this thread are from:
https://www.publish0x.com/cryptalk/new-ransomware-attacks-your-discord-account-and-extracts-you-xqokole
https://www.bleepingcomputer.com/news/security/discord-client-turned-into-a-password-stealer-by-updated-malware/
https://cdn.publish0x.com/prod/fs/images/a804cbb676986e45c959f5060270ece10f484a70c83946c089b0c1bb2ebe58af.png
https://cdn.publish0x.com/prod/fs/images/355dbef9f3b5984df03cdb3979a9dc1def0556f205d7f07a138417adb8502e40.png
https://www.bleepstatic.com/images/news/malware/d/discord/anarchygrabber3/4n4rchy-folder.png
https://twitter.com/malwrhunterteam
Because i guess a lot of Users are using Discord also and they should be knowing that and also how you can remove the Malware when your pc is infected.
AnarchyGrabber is a popular trojan that is commonly spread for free on hacker forums and within YouTube videos that explain how to steal Discord user tokens.
Threat actors then distribute the trojan on Discord, where they pretend it's a game cheat, hacking tool, update for a Wallet or copyrighted software.
This is AnarchyGrabber3, a highly infectious Trojan that steals passwords from Discord profiles,
disables 2FA and in turn spreads (like a Trojan) through direct messages to the friends list with flashy offers (free paid games, free premium software or even free cryptocurrencies).
This Trojan attacks users with the desktop version of Discord.
Once the Trojan enters the victim's system, it overwrites the JavaScript file index.js in the Discord client's path and automatically calls the attacker's machine,
which can log in to your account and remove all the coins.
How to know if you are infected with the AnarchyGrabber3 Trojan?
You have go to the path of your hard disk containing the Discord client.
In almost all cases (for Windows users) it is C:\Users\Your_user\AppData\Roaming\Discord\version\modules\discord_desktop_core.
being there, open with an Editor the file index.js
Check that your file looks like the following picture.
If there are any extra lines of text, your Discord client has probably been compromised by this trojan.
Is there a other Modified Discord client JavaScript file in there .
This file will then load another malicious javascript file called discordmod.js into the client.
The malicious scripts will then log the user out of the Discord client and prompt them to log in.
Once a victim logs in, the modified Discord client will attempt to disable 2FA on their account.
The client then uses a Discord webhook to send the user's email address, login name, user token, plain text password, and IP address to a Discord channel under the attacker's control.
After the AnarchyGrabber3 executable is run and modifies the Discord client files, it does not stay resident or run again.
Therefore, there is no malicious process for antivirus software to detect, the infected user will continue to be part of the botnet whenever they connect to Discord.
So if there is another line written, besides that " module.exports = require('./core.asar'); ", quickly disable your internet internet connection,
then go to Control Panel - Add or Remove Programs and uninstall Discord completely.
You should be make some scans with diffrent Antivirus and Malware detecing Software to clean your PC.
After that you can install Discord again or my personal suggestion use the Browser version for Discord.
How you can be get Infected
For example :
You are in a Discord Server Channel from a Project .
One of the Users in channel get infected or the Hacker itself is in there , they sending to every User or randomly a PM to you on Discord .
You dont get a pm directly from the infected User normaly , but can be happend too.
Mostly the User you get the PM has the name like the Project has , lets call it Wallet update Bot or something similar.
Source : PM from my Discord
In this pm they say you have to update your wallet or your Account or whatever and click the Link .
If you click the link and download it or install there files thats where the magic happens.
You can avoid this if you just delete the PM you have got and dont click or download anything you dont know.
All projects dont PM you with updates and they just write there updates in there one Project Channel.
You dont get infected when you receive the PM
Article , Images and Sources used for this thread are from:
https://www.publish0x.com/cryptalk/new-ransomware-attacks-your-discord-account-and-extracts-you-xqokole
https://www.bleepingcomputer.com/news/security/discord-client-turned-into-a-password-stealer-by-updated-malware/
https://cdn.publish0x.com/prod/fs/images/a804cbb676986e45c959f5060270ece10f484a70c83946c089b0c1bb2ebe58af.png
https://cdn.publish0x.com/prod/fs/images/355dbef9f3b5984df03cdb3979a9dc1def0556f205d7f07a138417adb8502e40.png
https://www.bleepstatic.com/images/news/malware/d/discord/anarchygrabber3/4n4rchy-folder.png
https://twitter.com/malwrhunterteam
Jump to: