Data Security

New malware targets Discord users to steal personal data

Discord is one of the most frequently used messenger services out there. Lately, it has been in trouble because its Microsoft Windows app is being infected with malware, which is possible because the app is built using an open-source framework named Electron.

For those who don’t know, Electron relies heavily on the three basic web languages: HTML, CSS and JS. However, this also opens up the potential for the code to be compromised, which is exactly what happened in this case, turning the application into a piece of malware.

It was first reported by MalwareHunterTeam on Twitter and has been called both Spidey Bot and BlueFace. The information it collects is a mix of sensitive and relatively harmless data.

Examples of the former include the first 50 characters present in the Windows clipboard, which could reveal confidential information such as passwords in some cases; personally identifiable information such as one’s phone number, name and email address; the version of the Discord app, which could be useful in exploiting bugs in old versions; and the victim’s local and public IP addresses along with their time zone, which could potentially give away their location.

The latter, on the other hand, comprises the screen resolution of the victim’s device, the browser user agent and the zoom factor.

In order to check if you were infected, there’s a simple process to follow:

  • Open the %AppData%\Discord\[version]\modules\discord_modules\index.js file in a code editor such as Notepad and make sure that it only contains "module.exports = require('./discord_modules.node');" as a single line.

  • Similarly, open the %AppData%\Discord\[version]\modules\discord_desktop_core\index.js file and verify that it also contains only "module.exports = require('./core.asar');" as a single line.

Image: BleepingComputer

If both of the above checks pass, you haven’t been infected by this particular malware. However, if you see additional code like that in the picture below, it is best to reinstall the Discord app, since the new code represents the malicious JavaScript the attackers have been adding.

To conclude, Discord has responded for the moment, but not in the manner we’d expect. Users then complained about the lack of intent present in its tone, although this was followed by a conciliatory message about ongoing investigations.

We can only urge our readers to take suitable precautions, one of them relevant here being to regularly check your installed software for any modified core files using antivirus software.

