A threat actor updated the AnarchyGrabber trojan into a new version that steals passwords and user tokens, disables 2FA, and spreads malware to a victim’s friends.
AnarchyGrabber is a popular trojan that is commonly spread for free on hacker forums and within YouTube videos that explain how to steal Discord user tokens.
Threat actors then distribute the trojan on Discord, where they pretend it’s a game cheat, hacking tool, or copyrighted software.
Once installed, past versions of the trojan modify the Discord client’s JavaScript files to turn it into a malware that would steal a victim’s Discord user token.
Using this stolen user token, the attacker can log in to Discord as the victim.
AnarchyGrabber3 released last week
Earlier this week, a threat actor released a modified AnarchyGrabber trojan that contains new and powerful features.
The malware is now called AnarchyGrabber3, and with this new variant, an attacker can also steal a victim’s plain text password and command an infected client to spread malware to a victim’s friends on Discord.
By stealing plain text passwords, the attackers can use them in credential stuffing attacks to compromise the victim’s accounts at other sites.
When installed, AnarchyGrabber3 will modify the Discord client’s %AppData%Discord[version]modulesdiscord_desktop_coreindex.js file to load other JavaScript files added by the malware.
As you can see from the modified script, when Discord is started, it will load a file called inject.js from a new 4n4rchy folder.
This file will then load another malicious javascript file called discordmod.js into the client.
The malicious scripts will then log the user out of the Discord client and prompt them to log in.
Once a victim logs in, the modified Discord client will attempt to disable 2FA on their account. The client then uses a Discord webhook to send the user’s email address, login name, user token, plain text password, and IP address to a Discord channel under the attacker’s control.
When connected to the Discord, the modified client will also listen for commands sent by the attacker. One of these commands tells hacked Discord clients to send a message to all of the logged in account’s friends that contain malware they wish to spread.
This spreader component makes it easier for the attacker to spread AnarchyGrabber3 to more targets or distribute other types of malware.
What makes this trojan so effective is that most people won’t even know they are infected.
After the AnarchyGrabber3 executable is run and modifies the Discord client files, it does not stay resident or run again.
Therefore, there is no malicious process for antivirus software to detect, the infected user will continue to be part of the botnet whenever they connect to Discord.
How to check if your Discord client is infected
If you are concerned that you may be infected, you can open the %AppData%Discord[version]modulesdiscord_desktop_coreindex.js file with Notepad and make sure there are no modifications to the files.
A normal, unmodified file, will have the following single line in it:
module.exports = require('./core.asar');If your client has anything else, and you have not intentionally made modifications, your client is most likely infected.
The only way to remove AnarchyGrabber3 is to uninstall the Discord client and install it again.
Thx to MalwareHunterteam for the sample.