Introduction

If you’ve been active in any communities on the Discord platform recently, you’ve seen this particular phishing scheme. It plays out basically the same way every time: someone on your friends list reaches out to you, hoping to get you to run their “new game”. Obviously, this is not a game; this is malware. I decided it would be fun to poke at it and see what activity is visible at a cursory glance.

I reached out to some friends to find out that yes, they all knew people who had been hit with the phishing scheme. This brought up a fun opportunity for me to poke at the malware.

So what are we working with?

Here are our two samples.

Two fun games

Windows lists them both as “NodeJS JavaScript Runtime”, which seems about accurate. The first thing to do is to check out what strings are plainly laid out in the binary. There are actually a few interesting things here that put us on the right path! For starters, it’s big. Massive. Huge, even. There’s a lot of bloat in this file despite its only perceived purpose being to steal a Discord token. In a moment we’ll see what I think is a good reason for this. A quick run through strings shows us a few important things in the binary.

  1. The binary is loaded with plaintext JavaScript dependencies from NodeJS (with the node_modules directory to boot! Name censored because this may be the malware distributor/compiler).
     node_modules being massive as usual
  2. A build directory! This binary seems to have been built with “pkg-fetch”.
     pkg-fetch
  3. A Discord link! Thankfully I recognized this link: it’s a webhook! Messages sent to this (now defunct) webhook would show up in a Discord server it was linked to.
     Webhook spotted
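The strings triage above can be automated. The following is an added example (not code from the original post or from the malware): a small Python script that scans a binary blob for the same indicators the post found, namely pkg-fetch build paths, bundled node_modules entries, an embedded Discord webhook URL and a Pastebin link. The URL regexes are my own approximations of those URL shapes, and the sample bytes are constructed, with placeholder webhook and Pastebin ids rather than real endpoints.

```python
import re

# Indicators taken from the post's strings triage: pkg-fetch build paths,
# bundled node_modules, a Discord webhook URL and a Pastebin link.
# The webhook/pastebin patterns are approximations of those URL shapes.
INDICATORS = {
    "pkg_build_dir": re.compile(rb"pkg-fetch"),
    "node_modules": re.compile(rb"node_modules[\\/][A-Za-z0-9_.@-]+"),
    "discord_webhook": re.compile(
        rb"https://(?:\w+\.)?discord(?:app)?\.com/api/webhooks/\d+/[\w-]+"),
    "pastebin_url": re.compile(rb"https://pastebin\.com/(?:raw/)?\w+"),
}

def triage_binary(data: bytes, max_hits: int = 5) -> dict:
    """Return, per indicator, a deduplicated list of up to max_hits matches.
    Matches are decoded as latin-1 so arbitrary bytes never raise."""
    findings = {}
    for name, pattern in INDICATORS.items():
        seen = []
        for m in pattern.finditer(data):
            s = m.group(0).decode("latin-1")
            if s not in seen:
                seen.append(s)
            if len(seen) >= max_hits:
                break
        if seen:
            findings[name] = seen
    return findings

def looks_like_pkg_grabber(findings: dict) -> bool:
    """Heuristic from the post: a pkg/NodeJS bundle that also carries a
    hard-coded Discord webhook is worth a closer look."""
    bundled = "pkg_build_dir" in findings or "node_modules" in findings
    return bundled and "discord_webhook" in findings

# Constructed stand-in for a binary: junk bytes with a few planted strings.
# The webhook id/token and Pastebin id are placeholders, not real endpoints.
SAMPLE = (
    b"\x00MZ\x90\x00" * 8
    + b"C:\\Users\\build\\.pkg-cache\\pkg-fetch\\node-v16-win-x64\x00"
    + b"/snapshot/game/node_modules/axios/index.js\x00"
    + b"https://discord.com/api/webhooks/000000000000000000/PLACEHOLDER_TOKEN\x00"
    + b"https://pastebin.com/raw/PLACEHOLDER\x00"
    + b"\xff" * 16
)

if __name__ == "__main__":
    found = triage_binary(SAMPLE)
    for name, hits in found.items():
        print(f"{name}: {hits}")
    print("pkg grabber indicators present:", looks_like_pkg_grabber(found))
```

On a real sample, read the file with `open(path, "rb").read()` and pass the bytes to `triage_binary`.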

If you’re familiar with the NodeJS ecosystem (or any scripting language), you may have heard of pkg (or a tool similar to it). The idea is simple: Take the code from an interpreted language, strap it to an interpreter, and ship it as one executable. It’s a little more advanced than that, but that’s the gist.

Pkg is… somewhat difficult to reverse. Not to call it impossible, and it would be easy if all it did was strap JS code to the interpreter. But unfortunately, as I found out from this GitHub issue thread, pkg actually compiles the main code into V8 bytecode, and only actually lists dependencies as plain JavaScript. This is done to obfuscate the actual pkg’d code, and stop me from doing… well, this. So until I decide to find a way to carve out that V8 bytecode and turn it into something more readable, we’re stuck with a black box.

Poking it with a stick and seeing what it does

Let’s try something more dynamic, starting with VirusTotal. Why fingerprint a file, when you can get someone to do it for you! Now, no vendors marked it as malicious, but I’m more interested in what it plans on accessing.

Domains the malware reaches for

For starters, the malware reaches out to Pastebin and Discord. This should be unsurprising, as we saw a Discord webhook embedded in the binary. The program seems to steal your Discord token, interact with this (now defunct) Pastebin link, and then send something to this Discord webhook. Also on VirusTotal, we can see the program spawn some child processes.

taskkill

As we can see here, the program spawns a commandline in order to kill off the Discord process. This is also unsurprising, as it probably wants to kick you off of your current session token so the attacker can use it. A little more digging (and running it myself) shows where the program looks for the login token to steal.

stealer

This is where the grabber actually takes the token, in this leveldb file. You can see it searches through many of the relevant ways of accessing Discord. After killing the Discord process, it sniffs through every possible location for your login token and copies it, before sending it off to the previously mentioned webhook.

End

Besides that… not much else. There’s not a lot more to figure out about the thing short of decompiling the V8 bytecode that pkg uses to bundle it together. That might become a project for me, but perhaps best saved for another day. Besides, the malware is now defunct, so there isn’t much more I can gain from poking at this longer.

In short, the grabber is spread through other compromised Discord accounts, disguised as a game written in JavaScript. Once run, it kills the Discord process, scours the victim’s PC for the login token, and sends it off to some Discord webhook. Not particularly complex, but a fun exercise regardless!

Cheers, thanks for reading.