The unique way bad actors are stealing Discord accounts
Imagine this: you're chilling on Discord with some friends, having a laugh, then suddenly you get a DM from someone you do not know. They are asking you for some help with their Discord bot! Nothing to worry about, right? You're nice enough to reply and try to help, so they send a GitHub repo for their bot. You download the repo, install the packages and run the bot.

Bad news!
You just ran malware without realising it.
How, you may ask? Bad actors love abusing every tool they can set their eyes upon. This time, they're abusing npm (and PyPI) in order to distribute malicious packages that execute malware upon running. Most of the time, these packages are forks of legitimate packages, but with either a new file storing the malware or the malware hidden well within an existing file. In this specific example, the malware is hidden away in the file src/processor/Music/support/Playing.js - not the most obvious place to look, right?!

Unlucky for them, we can deobfuscate the code to see just how it works!

The code used will download malware from a remote URL, usually stored on Discord or Dropbox, and then execute it in the background.

The file it downloads will be an information stealer of some kind (there are far too many...), usually Epsilon Stealer or Wave Stealer. These stealers will scrape every single credential saved on your PC from every popular browser and send them to a remote C2 server, then to the attacker via either Discord or Telegram. Before you know it, you've been logged out of your Discord account and your passwords have been changed.
It's worth noting that this is not exactly a new method of stealing credentials, but it is becoming more and more commonly used. Every time someone gets hacked, bad actors get plenty of new potential victims. Here is a Simpson example:

Moral of the story
Be vigilant online. If someone random chooses to DM you specifically, there is usually a reason (such as account badges). Running random code on your PC is always a risk, even if it's coming from your best friend - they may be hacked as well. Remember, if something seems off, it probably is.