AnarchyGrabber Threatens Discord Users' Security by Stealing Passwords, IDs, Tokens

AnarchyGrabber Discord Trojan

Some malware strains make the headlines as soon as they appear because they are used in high-profile attacks that cause a lot of damage. The AnarchyGrabber trojan isn't one of them. The malware has been distributed for free on hacking forums for a few months now, but it hasn't really caught the attention of mainstream media because, in its original incarnation, it doesn't really represent that much of a threat to most internet users.

The original AnarchyGrabber targets users of a VoIP service called Discord, which is extremely popular with gamers. The attackers have been seen masking the malware as a game cheat or a hacking tool. If a victim takes the bait, AnarchyGrabber modifies one of Discord's JavaScript files and steals the VoIP service user tokens available on the infected machine. Using these tokens, the hackers can log into the victim's Discord accounts and, among other things, impersonate them. In this form, the trojan isn't exactly harmless, but since the damage is limited to the Discord platform, it isn't the most dangerous threat, either. A recent update could make it more of a problem, though.

Hackers update AnarchyGrabber and include password-stealing capabilities

Last week, researchers from MalwareHunterTeam discovered a new version of AnarchyGrabber. They passed it on to experts from Bleeping Computer who analyzed it and published a report. It turns out that the hackers have added a few new features to the malware that can turn it into a powerful weapon.

Once again, post-installation, AnarchyGrabber injects some malicious code into one of Discord's JS files. This time, however, the malware isn't after the victim's user token but rather their plaintext password. After the successful installation, AnarchyGrabber logs the victim out of their account and asks them to log back in. The trojan records the email address and password and collects other information like the login name, the user token, and the victim's IP. All this is sent to a Discord channel controlled by AnarchyGrabber's operators. When the user logs in successfully, the trojan also tries to disable two-factor authentication.

AnarchyGrabber's new version is extremely stealthy

We've yet to see whether AnarchyGrabber manages to evade detection from some of the popular anti-malware solutions. What is certain is that if your security product doesn't detect it, you are very unlikely to learn that you've been hit. According to Bleeping Computer, the only way of knowing whether or not AnarchyGrabber has infected your computer is to check Discord's JS files and see if any modifications have been made to them. This isn't good news because, with AnarchyGrabber's new version, your Discord account isn't the only thing that is put at risk.
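Checking Discord's JavaScript files for modification, as described above, is far easier with a stored baseline. The script below is an added example (not code from the article or from Bleeping Computer's report): it hashes every .js file under a directory, saves the digests, and on later runs reports files that were modified, added or removed. The modules directory path is an assumption you must point at your own Discord installation.

```python
import hashlib
import json
import sys
from pathlib import Path


def snapshot_js(root):
    """Map each .js file under root (relative POSIX path) to its SHA-256 hex digest.

    root is a placeholder: point it at your own Discord install's modules
    directory, whose exact location is version-specific and not given here.
    """
    root = Path(root)
    return {
        p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
        for p in sorted(root.rglob("*.js"))
    }


def save_baseline(digests, baseline_file):
    Path(baseline_file).write_text(json.dumps(digests, indent=2, sort_keys=True))


def load_baseline(baseline_file):
    return json.loads(Path(baseline_file).read_text())


def compare(baseline, current):
    """Report files whose hash changed, files not in the baseline, and files that vanished."""
    return {
        "modified": sorted(p for p in baseline if p in current and baseline[p] != current[p]),
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
    }


def check(root, baseline_file):
    """Diff the live tree against the stored baseline. Any non-empty list deserves a look;
    a legitimate client update also rewrites these files, so re-run --init after updating."""
    return compare(load_baseline(baseline_file), snapshot_js(root))


if __name__ == "__main__":
    # usage: python discord_js_check.py <modules_dir> <baseline.json> [--init]
    modules_dir, baseline = sys.argv[1], sys.argv[2]
    if "--init" in sys.argv[3:]:
        save_baseline(snapshot_js(modules_dir), baseline)
    else:
        print(json.dumps(check(modules_dir, baseline), indent=2))
```

Take the baseline right after a clean install or update, and treat any reported change that you did not cause as a reason to reinstall the client and change the account password.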

Granted, the only password AnarchyGrabber steals is the one for the victim's Discord account, but as we all know, password reuse continues to be a problem, and credential stuffing attacks continue to be among the most effective ways of compromising a large number of accounts at many different services.

Up until recently, the people running AnarchyGrabber appeared to be happy with hitting victims' Discord accounts only, but the newly added features suggest that they want to expand their operations now. Users of the communication service should probably bear this in mind.

May 26, 2020
