Experts are cautioning that hackers are employing Discord to snatch data gathered from compromised computers. In a recent report, cybersecurity researcher Gurumoorthi Ramanathan from Trellix outlined the malware and the techniques it utilized for data exfiltration.
As per the report, the bad actors developed an advanced infostealer dubbed NS-STEALER. They’re circulating it through ZIP archives posing as cracked software. Once a victim unpacks the archive, they’ll come across a Windows shortcut named “Loader GAYve.” If triggered, it sets off a malicious Java program. This program has a dual purpose: firstly, it forms a folder labeled “NS-<11-digit_random_number>” to stash all the gathered information. Secondly, it initiates the data-grabbing process.
NS-STEALER goes on the hunt for info stored in over two dozen browsers—cookies, credentials, and autofill data. After that, it goes into action, capturing screenshots of the compromised device, snagging system details, and compiling a list of installed programs. It doesn’t stop there; it also grabs Discord tokens, along with session data for Steam and Telegram.
In the grand finale, it sends all this loot to a Discord Bot channel.
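The artifacts named above (the "Loader GAYve" shortcut, the Java program it launches, and the "NS-<11-digit_random_number>" staging folder) are concrete enough to hunt for on endpoints. The following is an added example, not code from Trellix or the report, that matches those patterns against constructed telemetry records; the record shape (type/path/image/parent_image) is an assumption for the example, not a real EDR schema.

```python
import re
from typing import Dict, Iterable, List

# Artifact patterns taken from the report's description of NS-STEALER:
# a shortcut named "Loader GAYve" that launches a Java program, and a
# staging folder named "NS-" followed by an 11-digit random number.
STAGING_DIR_RE = re.compile(r"(?:^|[\\/])NS-\d{11}$")
LOADER_LNK_RE = re.compile(r"(?:^|[\\/])Loader GAYve\.lnk$", re.IGNORECASE)


def classify_event(event: dict) -> List[str]:
    """Return the indicator names matched by one telemetry event.

    `event` is a dict with 'type' ('file' or 'process'), 'path' for file
    events and 'image'/'parent_image' for process events (assumed schema).
    """
    hits: List[str] = []
    if event["type"] == "file":
        path = event.get("path", "")
        if STAGING_DIR_RE.search(path):
            hits.append("ns-stealer-staging-dir")
        if LOADER_LNK_RE.search(path):
            hits.append("ns-stealer-loader-lnk")
    elif event["type"] == "process":
        image = event.get("image", "").lower()
        parent = event.get("parent_image", "").lower()
        # The shortcut -> Java chain from the report: Java started by the
        # shell. Legitimate Java apps do this too, so treat it as a weak
        # signal to correlate with the file indicators, not an alert alone.
        if image.endswith(("java.exe", "javaw.exe")) and parent.endswith("explorer.exe"):
            hits.append("java-spawned-from-shell")
    return hits


def scan(events: Iterable[dict]) -> Dict[str, List[str]]:
    """Map each matching event's path (or image) to its indicators."""
    findings: Dict[str, List[str]] = {}
    for ev in events:
        hits = classify_event(ev)
        if hits:
            findings[ev.get("path") or ev.get("image", "")] = hits
    return findings


# Constructed sample telemetry for the example (not real data).
SAMPLE_EVENTS = [
    {"type": "file", "path": r"C:\Users\alice\Downloads\crack\Loader GAYve.lnk"},
    {"type": "process", "image": r"C:\Program Files\Java\jre\bin\javaw.exe",
     "parent_image": r"C:\Windows\explorer.exe"},
    {"type": "file", "path": r"C:\Users\alice\AppData\Local\Temp\NS-48213907651"},
    {"type": "file", "path": r"C:\Users\alice\Documents\NS-2024"},  # wrong digit count
]

if __name__ == "__main__":
    for key, hits in scan(SAMPLE_EVENTS).items():
        print(key, "->", ", ".join(hits))
```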
“Considering the highly sophisticated function of gathering sensitive information and using X509Certificate for supporting authentication, this malware can quickly steal information from the victim systems with [Java Runtime Environment],” Ramanathan said. “The Discord bot channel as an EventListener for receiving exfiltrated data is also cost-effective.”
It’s not the first rodeo for hackers exploiting Discord for their shady schemes. In reality, Discord has been a playground for misuse for quite some time. In 2020, researchers from MalwareHunterTeam stumbled upon a remote access trojan (RAT) that employed Discord as a command and control (C2) server.
In that very year, researchers caught wind of a variant of the AnarchyGrabber trojan doing its dirty work—snatching plain text passwords from victims and even instructing an infected client to spread malware to their Discord buddies.