Netskope security researchers have spotted a new credential stealer dubbed TroubleGrabber that spreads via Discord attachments and uses Discord webhooks to transfer stolen data to its operators.
The malware the same functionalities used by other malware that target Discord gamers, like AnarchyGrabber, but it appears to be the work of different threat actors. TroubleGrabber was developed by an individual named “Itroublve” and is currently used by multiple threat actors.
This malware is distributed via drive-by download, it is able to steal web browser tokens, Discord webhook tokens, web browser passwords, and system information. The malware sends information back to the attacker via webhook as a chat message to his Discord server.
The malware was distributed via Discord in 97.8% of detected infections, “with small numbers distributed via anonfiles.com and anonymousfiles.io, services that allow users to upload files anonymously and free for generating a public download link.”
The info stealer was also distributed among Discord users from over 700 different Discord server channel IDs.
Netskope researchers discovered TroubleGrabber in October 2020 while analyzing Discord threats.
The experts identified more than 5,700 public Discord attachment URLs hosting malware.
“In October 2020 alone, we identified more than 5,700 public Discord attachment URLs hosting malicious content, mostly in the form of Windows executable files and archives. At the same time, we scanned our malware database for samples containing Discord URLs used as next stage payloads or C2’s.” reads the report published by NetSkope.
“Figure 1 shows a breakdown of the top five detections of 1,650 malware samples from the same time period that were delivered from Discord and also contained Discord URLs.”
The TroubleGrabber attack kill chain leverages both Discord and Github as repository for next stage payloads that is downloaded to the C:/temp folder once a victim is infected with the malware.
TroubleGrabber payloads steal victims’ credentials, including system information, IP address, web browser passwords, and tokens.
“It then sends them as a chat message back to the attacker via a webhook URL.” continues the report.
NetSkope discovered that the author of the malware currently runs a Discord server with 573 members, and hosts next stage payloads and the malware generator’s on their public GitHub account.
OSINT analysis allowed the experts to identify the Discord server, Facebook page, Twitter, Instagram, website, email address, and a YouTube channel.
“Netskope Threat Labs have reported the attack elements of TroubleGrabber to Discord, GitHub, YouTube, Facebook, Twitter, and Instagram on November 10, 2020.” concluded the report.
“The Indicators Of Compromise (IOC’s) associated with TroubleGrabber is available on Github.”
(SecurityAffairs – hacking, malware)