
Researchers found an updated version of AnarchyGrabber that steals victims’ plaintext passwords and infects victims’ friends on Discord.

Detected as AnarchyGrabber3, the new trojan variant modified the Discord client’s %AppData%\Discord\[version]\modules\discord_desktop_core\index.js file upon successful installation. This process gave the malware the ability to load JavaScript files.

AnarchyGrabber3 used this new capability the next time its victim started Discord. At that point the modified client loaded "inject.js" from a newly created 4n4rchy folder; inject.js in turn loaded a second script, "discordmod.js", and together the two scripts logged the user out and prompted them to log back in.

Once they logged back in, the new AnarchyGrabber variant attempted to disable two-factor authentication (2FA) on its victim’s account. It then got to work stealing its victim’s information including their user name, plaintext password and user token.

The malware also looked to spread its reach to other Discord users. As explained by Bleeping Computer:

When connected to Discord, the modified client will also listen for commands sent by the attacker. One of these commands tells hacked Discord clients to send a message to all of the logged-in account’s friends that contains malware they wish to spread.

This spreader component makes it easier for the attacker to spread AnarchyGrabber3 to more targets or distribute other types of malware.

Commanding victims’ Discord clients to spread malware (Source: Bleeping Computer)

After modifying the Discord client, AnarchyGrabber did not run again. Such behavior made it difficult for antivirus software to detect the threat, as there were no malicious processes to spot. It also ensured that a victim would remain a part of the botnet whenever they interacted with Discord.

Fortunately, users can check whether they have been infected by this malware. Open the %AppData%\Discord\[version]\modules\discord_desktop_core\index.js file in Notepad and confirm that its only line of code is "module.exports = require('./core.asar');". Any other code could be an indication that the client has been modified.

If they do find additional code, they should uninstall and reinstall a clean version of the Discord client.
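As an added example (not code from the article or from Bleeping Computer), a small Python script that automates the check above: it locates every index.js under %AppData%\Discord\[version]\modules\discord_desktop_core and flags any file whose content is anything other than the single expected statement. The sample file contents at the bottom are constructed for illustration only.

```python
"""Integrity check for Discord's discord_desktop_core/index.js.

A clean file holds exactly one statement (EXPECTED below); any other
non-blank line means the client has been modified and should be reinstalled.
"""
import glob
import os
import re
from typing import List, Tuple

EXPECTED = "module.exports = require('./core.asar');"


def normalize_line(line: str) -> str:
    """Collapse whitespace and quote style so cosmetic differences are ignored."""
    line = line.replace('"', "'").strip()
    return re.sub(r"\s+", " ", line)


def suspicious_lines(contents: str) -> List[str]:
    """Every non-blank line that is not the expected statement (for triage)."""
    lines = [normalize_line(l) for l in contents.lstrip("\ufeff").splitlines()]
    return [l for l in lines if l and l != EXPECTED]


def index_js_is_clean(contents: str) -> bool:
    """True only if the file consists of the expected statement and nothing else.

    An empty file or one missing the statement is also reported as not clean.
    """
    lines = [normalize_line(l) for l in contents.lstrip("\ufeff").splitlines()]
    return [l for l in lines if l] == [EXPECTED]


def find_index_js(appdata: str) -> List[str]:
    """All index.js files under <appdata>/Discord/<version>/modules/discord_desktop_core."""
    pattern = os.path.join(appdata, "Discord", "*", "modules",
                           "discord_desktop_core", "index.js")
    return sorted(glob.glob(pattern))


def check_discord_client(appdata: str) -> List[Tuple[str, bool]]:
    """Return (path, is_clean) for every installed Discord version found."""
    results = []
    for path in find_index_js(appdata):
        with open(path, encoding="utf-8", errors="replace") as fh:
            results.append((path, index_js_is_clean(fh.read())))
    return results


# Constructed sample contents (placeholders, not copied from the malware):
CLEAN_SAMPLE = "module.exports = require('./core.asar');\r\n"
TAMPERED_SAMPLE = ("module.exports = require('./core.asar');\n"
                   "require('./extra.js'); // constructed placeholder line\n")

if __name__ == "__main__":
    for path, clean in check_discord_client(os.environ.get("APPDATA", "")):
        print(f"{'CLEAN' if clean else 'MODIFIED'}: {path}")
```

Run it from the affected user's account on Windows; a "MODIFIED" result is the cue to uninstall and reinstall a clean client as described above.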