Light

s4ltster / discord-trojan-research Goto Github PK

View Code? Open in Web Editor NEW

This project forked from kem0x/discord-trojan-research

0.0 0.0 0.0 65 KB

Research about recently wide spread discord trojan

JavaScript 100.00%

discord-trojan-research's Introduction

Discord Trojan Research

The trojan researched here is called Bby Stealer, It's a service sold for 35$ per life time license at a discord server (lol)
This turns out to be a skidded version of the open source trojan called Pirate Stealer, with some changes to make some stuff server sided.
Recently, This virus got so wide spread, the trick is to infect a user and use the infected user's token for illegal purposes, and also to infect other users on his friendlist.
Alot of my friends got infected with this virus, Including GewoonIraj, so i asked him for the infected index file, and he gave me the file and i decided to research it!.

Research:

Components:
- Loader: A JavaScript file packed with Nexe that is used to copy the infected index file, and also steals your token already.
- Payload: A JavaScript script that the loader appends to %AppData%\Discord\[version]\modules\discord_desktop_core\index.js.
This trojan's workflow is the following:
- When the victim runs the loader, it scans for all discord clients, copies the payload to the index file and then kills (closes) all the running discord clients, then restarts the closed clients again.
- The payload abuses electron's callbacks, to set some sort of hooks (detours) for the functions. Those functions are:
  - onBeforeRequest: To call FirstTime() function, This function is used if it's the first time for the user to launch his infected client, and it will log the user out of his account to make sure he relogins on the infected client.
  - onHeadersReceived: Used to bypass Content Security Policy.
  - onCompleted: Calls certain functions on specific requests to send the stolen data to the hacker.
The payload is an obfuscated JavaScript file, I deobfuscated it and made it fully readable, I also included the original obfuscated file in the repository as well as the deobfuscation script, added some comments to the files so make sure to check those out!
Deobfuscated Payload
Deobfuscation script for playload
Obfuscated Loader

Disclaimer:

This is just for research purposes, please do not use this code for any illegal purposes, this was done to help discord and electron.

Recommend Projects

React

A declarative, efficient, and flexible JavaScript library for building user interfaces.
Vue.js

🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
Typescript

TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
TensorFlow

An Open Source Machine Learning Framework for Everyone
Django

The Web framework for perfectionists with deadlines.
Laravel

A PHP framework for web artisans
D3

Bring data to life with SVG, Canvas and HTML. 📊📈🎉

Recommend Topics

javascript

JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
web

Some thing interesting about web. New door for the world.
server

A server is a program made to process requests and deliver data to clients.
Machine learning

Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
Visualization

Some thing interesting about visualization, use data art
Game

Some thing interesting about game, make everyone happy.

Recommend Org

Facebook

We are working to build community through open source technology. NB: members must have two-factor auth.
Microsoft

Open source projects and samples from Microsoft.
Google

Google ❤️ Open Source for everyone.
Alibaba

Alibaba Open Source for everyone
D3

Data-Driven Documents codes.
Tencent

China tencent open source team.