Discord Turned Into an Info-Stealing Backdoor by New Malware



A new malware is targeting Discord users by modifying the Windows Discord client so that it is transformed into a backdoor and an information-stealing Trojan.


The Windows Discord client is an Electron application, which means that almost all of its functionality is derived from HTML, CSS, and JavaScript. This allows malware to modify its core files so that the client executes malicious behavior on startup.


Discovered by researcher MalwareHunterTeam earlier this month, this malware is called "Spidey Bot" and when installed will add its own malicious JavaScript to the %AppData%\Discord\[version]\modules\discord_modules\index.js and %AppData%\Discord\[version]\modules\discord_desktop_core\index.js files.



Modified Discord index.js file

The malware will then terminate and restart the Discord app in order for the new JavaScript changes to be executed.


Once started, the JavaScript will execute various Discord API commands and JavaScript functions to collect a variety of information about the user that is then sent via a Discord webhook to the attacker.



Executing commands

The information that is collected and sent to the attacker includes:


Discord user token
Victim timezone
Screen resolution
Victim's local IP address
Victim's public IP address via WebRTC
User information such as username, email address, phone number, and more
Whether they have stored payment information
Zoom factor
Browser user agent
Discord version
The first 50 characters of the victim's Windows clipboard

The contents of the clipboard are especially concerning, as they could allow the attacker to steal passwords, personal information, or other sensitive data that was copied by the user.


After sending the information, the Discord malware will execute the fightdio() function, which acts as a backdoor.
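A defender-side check for the index.js tampering described above, as an added example that is not from the original article or from Discord. It assumes an untouched index.js is a single module.exports = require(...) loader line (confirm this against a known-clean install) and flags files that deviate from it or that mention fightdio or a webhook; the function names and the sample directory tree are constructed for illustration.

```python
import os
import re
import tempfile
from pathlib import Path

# The two module folders the article names, under %AppData%\Discord\[version]\modules
TARGETS = ("discord_modules", "discord_desktop_core")
# ASSUMPTION: an untouched index.js is a single loader statement of this shape.
# Confirm against a known-clean install of the same Discord version.
STUB = re.compile(r"""^\s*module\.exports\s*=\s*require\(\s*(['"])[^'"]+\1\s*\)\s*;?\s*$""")
# Strings taken from the article: the backdoor function name and the webhook exfil channel.
MARKERS = ("fightdio", "webhook")

def audit_file(path):
    """Return findings for one index.js; an empty list means it looks like a clean stub."""
    text = Path(path).read_text(encoding="utf-8", errors="replace")
    findings = []
    if not STUB.match(text):
        findings.append("not a single-line loader stub")
    lowered = text.lower()
    findings += [f"contains '{m}'" for m in MARKERS if m in lowered]
    return findings

def audit_discord(root):
    """Check every [version]/modules/<target>/index.js under the Discord data directory."""
    report = {}
    for target in TARGETS:
        for path in sorted(Path(root).glob(f"*/modules/{target}/index.js")):
            findings = audit_file(path)
            if findings:
                report[str(path)] = findings
    return report

def demo():
    """Run the audit over a constructed directory tree (sample data, not real malware)."""
    with tempfile.TemporaryDirectory() as root:
        base = Path(root, "0.0.0", "modules")  # constructed version folder
        samples = {
            "discord_modules": "module.exports = require('./discord_modules.node');\n",
            "discord_desktop_core": "module.exports = require('./core.asar');\nfightdio();\n",
        }
        for name, body in samples.items():
            (base / name).mkdir(parents=True)
            (base / name / "index.js").write_text(body, encoding="utf-8")
        return {Path(p).parent.name: f for p, f in audit_discord(root).items()}

if __name__ == "__main__":
    root = os.path.join(os.environ["APPDATA"], "Discord") if "APPDATA" in os.environ else None
    print(audit_discord(root) if root else demo())
```

A non-empty report is a reason to inspect the listed file by hand and reinstall the client, not proof of infection, since the one-line baseline is an assumption.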


