Discord messenger credentials can be stolen by hackers

A new version of the AnarchyGrabber malware turns Discord (a free messenger with support for VoIP and video conferencing) into an account stealer. The malware modifies Discord client files so that user accounts are stolen when logging into the Discord service, while remaining invisible to antivirus software.

Information about AnarchyGrabber is spreading on hacker forums and in YouTube videos. In essence, when launched, the malware steals the user tokens of the registered Discord user. These tokens are then uploaded to a Discord channel under the attacker's control and can be used to log in with someone else's user credentials.

The initial version of the malware was distributed as an executable file that antivirus programs detected easily. To make AnarchyGrabber harder to detect and to increase its survivability, the developers updated their brainchild: it now changes the JavaScript files used by the Discord client so that its code is injected every time the client runs. This version received the very original name AnarchyGrabber2 and, when launched, injects malicious code into the file "%AppData%\Discord\[version]\modules\discord_desktop_core\index.js".

After running AnarchyGrabber2, the modified JavaScript code from the 4n4rchy subfolder will appear in the index.js file, as shown below.

With these changes, additional malicious JavaScript files will also be loaded when Discord starts up. Now when the user logs into the messenger, the scripts will use a webhook to send the user's token to the attacker's channel.

What makes this modification of the Discord client such a problem is that even if the antivirus detects the original malware executable, the client files will already have been modified. The malicious code can therefore remain on the machine for an arbitrarily long time, and the user will not even suspect that their account information has been stolen.

This is not the first time that malware has modified Discord client files. In October 2019, it was reported that another piece of malware was also modifying client files, turning the Discord client into an information-stealing Trojan. At the time, Discord, the developer, stated that it would look for ways to fix this vulnerability, but the problem, apparently, has not yet been resolved.

Until Discord adds a client file integrity check at startup, Discord accounts will continue to be at risk from malware that makes changes to that messenger's files.
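Until such a check exists in the client, the files named above can be checked from the outside. The script below is an added example, not part of the original article and not Discord's code; it assumes that an unmodified index.js contains only the single loader line `module.exports = require('./core.asar');`, and the version numbers and modified loader in `demo()` are constructed sample data.

```python
import os, re, tempfile
from pathlib import Path

# Assumption: a stock index.js holds only this loader line.
STOCK = re.compile(r"""^\s*module\.exports\s*=\s*require\(\s*['"]\./core\.asar['"]\s*\)\s*;?\s*$""")
MARKER = "4n4rchy"  # subfolder name reported in the article

def check_core_dir(core_dir):
    """Return findings for one discord_desktop_core directory ([] means clean)."""
    core_dir, findings = Path(core_dir), []
    index = core_dir / "index.js"
    if not index.is_file():
        return ["index.js missing"]
    text = index.read_text(encoding="utf-8", errors="replace")
    lines = [ln for ln in text.splitlines() if ln.strip()]
    if len(lines) != 1 or not STOCK.match(lines[0]):
        findings.append("index.js differs from stock loader")
    if MARKER in text:
        findings.append("index.js references 4n4rchy")
    if (core_dir / MARKER).is_dir():
        findings.append("4n4rchy subfolder present")
    return findings

def scan(appdata):
    """Check every installed Discord version under the given %AppData% root."""
    cores = Path(appdata).glob("Discord/*/modules/discord_desktop_core")
    return {str(p): check_core_dir(p) for p in cores}

def demo():
    """Scan a constructed tree: one clean install, one modified install."""
    root = Path(tempfile.mkdtemp())
    clean = root / "Discord" / "0.0.1" / "modules" / "discord_desktop_core"
    bad = root / "Discord" / "0.0.2" / "modules" / "discord_desktop_core"
    clean.mkdir(parents=True)
    (bad / MARKER).mkdir(parents=True)
    stock = "module.exports = require('./core.asar');\n"
    (clean / "index.js").write_text(stock)
    # Constructed stand-in for a tampered loader, not the malware's real code.
    (bad / "index.js").write_text("require('./4n4rchy/placeholder');\n" + stock)
    return scan(root), str(clean), str(bad)

if __name__ == "__main__":
    appdata = os.environ.get("APPDATA")
    results = scan(appdata) if appdata else demo()[0]
    for path, findings in results.items():
        print(path, "->", "; ".join(findings) or "OK")
```

A finding on a real machine means the client files should be reinstalled and the account password changed, since removing the original executable does not undo the modification.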



Source: 3dnews.ru
