Bleeping Computer warns that a new version of the AnarchyGrabber trojan steals user passwords and tokens, disables 2FA and spreads the malware to the victim's friends. To do all of this, the attackers modify the official Discord client.
The new version of AnarchyGrabber was spotted last week with a number of new features. The malware is now called AnarchyGrabber3; it steals victims' passwords in plain text and can also use the infected Discord client to spread itself further to all of the victim's friends. The researchers note that passwords stolen this way can then be used to break into the victim's accounts on other sites.
The modified client file then loads another malicious file, discordmod.js. These scripts log the user out of the Discord client and prompt them to log in again.
As soon as the victim logs in, the modified Discord client tries to disable two-factor authentication on the account. The client then uses a webhook to send the email address, username, token, plain-text password and IP address to a Discord channel controlled by the attackers.
After that, the modified Discord client waits for further commands from its operators. One such command orders the compromised Discord clients to send all of the victim's friends malicious messages containing the same malware. The researchers write that this component makes it easier for the criminals to spread AnarchyGrabber3 and can also be used to distribute other kinds of malware.
The publication warns that the main danger of AnarchyGrabber is that most victims do not even know they are infected. Once the AnarchyGrabber3 executable has run and changed the Discord client files, the trojan shows practically no sign of itself and does not need to run again: there is simply no malicious process for an antivirus to detect, yet the infected computer still remains part of the botnet.
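Because the persistence lives in modified client files rather than in a running process, the practical check is a file-level one: look inside the Discord client install for the dropped discordmod.js, for any client script that has been patched to load it, and for a hard-coded Discord webhook URL of the kind used for the exfiltration described above. The following scanner is an added example and not code from the article, Bleeping Computer or the researchers; the install-directory layout it builds (an `app/core/index.js` loader) is a constructed stand-in rather than the real Discord tree, the webhook URL shape comes from general Discord knowledge rather than the article, and the sample webhook token is an obvious placeholder.

```python
import re
import tempfile
from pathlib import Path

# Indicators taken from the write-up: the dropped discordmod.js script and
# exfiltration through a Discord webhook. The webhook URL shape is general
# Discord knowledge, not something the article spells out.
DROPPED_NAMES = {"discordmod.js"}
LOADER_RE = re.compile(r"discordmod\.js")
WEBHOOK_RE = re.compile(
    r"https?://(?:canary\.|ptb\.)?discord(?:app)?\.com/api/webhooks/\d+/[\w-]+"
)


def scan_client_dir(root):
    """Walk a Discord client install (which directory that is on a given
    machine is the caller's assumption) and return (relative path, reason)
    findings, sorted by path."""
    root = Path(root)
    findings = []
    for path in sorted(root.rglob("*")):
        if not path.is_file():
            continue
        rel = path.relative_to(root).as_posix()
        name = path.name.lower()
        if name in DROPPED_NAMES:
            findings.append((rel, "file name matches dropped-script indicator"))
        if path.suffix.lower() != ".js":
            continue
        text = path.read_text(encoding="utf-8", errors="ignore")
        # A legitimate client script that pulls in discordmod.js is the
        # modification the article describes: the loader, not the payload.
        if name not in DROPPED_NAMES and LOADER_RE.search(text):
            findings.append((rel, "script references discordmod.js"))
        for match in WEBHOOK_RE.finditer(text):
            findings.append((rel, "hard-coded Discord webhook URL: " + match.group(0)))
    return findings


def build_sample_tree(root, infected):
    """Write a constructed stand-in for a client install (not real Discord
    files). With infected=True the loader is patched and the payload dropped."""
    core = Path(root) / "app" / "core"
    core.mkdir(parents=True)
    loader = "module.exports = require('./core.asar');\n"
    if infected:
        loader += "require('./discordmod.js');\n"
        (core / "discordmod.js").write_text(
            "// constructed placeholder, performs no action\n"
            'const hook = "https://discord.com/api/webhooks/'
            '123456789012345678/EXAMPLE-token-placeholder";\n',
            encoding="utf-8",
        )
    (core / "index.js").write_text(loader, encoding="utf-8")


def demo():
    """Scan a clean and an infected sample tree; returns both finding lists."""
    results = []
    for infected in (False, True):
        with tempfile.TemporaryDirectory() as tmp:
            build_sample_tree(tmp, infected)
            results.append(scan_client_dir(tmp))
    return results[0], results[1]


if __name__ == "__main__":
    clean, infected = demo()
    print("clean tree:", clean)
    for rel, reason in infected:
        print(f"infected tree: {rel}: {reason}")
```

Pointing `scan_client_dir` at a real install directory turns this into a quick triage step; an empty result for the clean tree and three findings for the infected one (the dropped file, the webhook inside it, and the patched loader) are what the constructed sample produces. Since the trojan leaves no process behind, a periodic file scan or a hash baseline of the client directory is the kind of control that actually surfaces this infection, and the page's own remedy, reinstalling the client, is what to do once it fires.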
In fact, the only way to remove AnarchyGrabber3 is to uninstall the Discord client and reinstall it.