Light Dark
May 27, 2020 By David Bisson 2 min read

Security researchers observed the “AnarchyGrabber3” malware modifying the Discord client to steal its victims’ plaintext passwords.

As reported by Bleeping Computer, a threat actor released a new version of the AnarchyGrabber malware family called “AnarchyGrabber3.” This Trojan variant modified a Discord client’s %AppData%\Discord\[version]\modules\discord_desktop_core\index.js file upon successful installation so it could load JavaScript files. It first loaded inject.js, a script that then called in discordmod.js. Together, these two scripts logged the victim out of the client and prompted them to reauthenticate themselves.

The modified client preyed upon its victims by attempting to disable two-factor authentication (2FA) on their accounts. It then stole various information from the victim including their login name, email address and even their plaintext password. Simultaneously, the client listened for commands sent by the attacker. One of those orders instructed the client to send a message to a victim account’s friends, thereby helping to spread the malware to even more Discord users.

A Look Back at AnarchyGrabber

The emergence of AnarachyGrabber3 marks the latest development in a still-nascent family of malware. It was back in November 2019 when security researchers such as MalwareHunterTeam first spotted the malware using a Discord webhook to steal victims’ tokens and send them off to its handlers. In April 2020, Bleeping Computer learned of a new variant of the threat that modified the Discord client so that it could evade detection while stealing user accounts.

Defend Against an Infostealing Discord Client

AnarchyGrabber highlights the dangers of users reusing their passwords across multiple accounts. If the malware preyed upon employees who had reused their Discord passwords across multiple sites, for instance, attackers could authenticate themselves on these services and abuse that access to commit identity theft, perpetrate credit fraud or conduct a series of other secondary attacks.

In light of those risks, security professionals should lead the charge in their organizations to discourage users from reusing their passwords. They should leverage ongoing security awareness training to teach the workforce about this security best practice. Simultaneously, teams should augment their employees’ account security by requiring them to activate multifactor authentication (MFA) whenever it’s an available option. Threats such as AnarchyGrabber3 might attempt to disable that layer of protection, but they might not be successful. This feature could also help to safeguard employees’ account access when confronted by less sophisticated threats.

 |  |  |  |  |  |  |  |  | 
David Bisson
Contributing Editor

More from

May 17, 2024

How a new wave of deepfake-driven cybercrime targets businesses

5 min read - As deepfake attacks on businesses dominate news headlines, detection experts are gathering valuable insights into how these attacks came into being and the vulnerabilities they exploit.Between 2023 and 2024, frequent phishing and social engineering campaigns led to account hijacking and theft of assets and data, identity theft, and reputational damage to businesses across industries.Call centers of major banks and financial institutions are now overwhelmed by an onslaught of deepfake calls using voice cloning technology in efforts to break into customer…

May 16, 2024

Grandoreiro banking trojan unleashed: X-Force observing emerging global campaigns

16 min read - Since March 2024, IBM X-Force has been tracking several large-scale phishing campaigns distributing the Grandoreiro banking trojan, which is likely operated as a Malware-as-a-Service (MaaS). Analysis of the malware revealed major updates within the string decryption and domain generating algorithm (DGA), as well as the ability to use Microsoft Outlook clients on infected hosts to spread further phishing emails. The latest malware variant also specifically targets over 1500 global banks, enabling attackers to perform banking fraud in over 60 countries…

May 15, 2024

New cybersecurity sheets from CISA and NSA: An overview

4 min read - The Cybersecurity and Infrastructure Security Agency (CISA) and National Security Agency (NSA) have recently released new CSI (Cybersecurity Information) sheets aimed at providing information and guidelines to organizations on how to effectively secure their cloud environments.This new release includes a total of five CSI sheets, covering various aspects of cloud security such as threat mitigation, identity and access management, network security and more. Here's our overview of the new CSI sheets, what they address and the key takeaways from each.Implementing…

Topic updates

 Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today
© 2024 IBM Contact Privacy Terms of use Accessibility Cookie Preferences
Sponsored by si-icon-eightbarfeature