One of the most frequently used messenger services out there is Discord among others. Lately, they have been in trouble due to their Microsoft Windows app being infected with malware. Since it is built using an opensource framework named Electron.
For those who don’t know Electron relies heavily on the 3 basic web languages: HTML, CSS & JS. However, this also opens up the potential for the code to be compromised with which exactly happened, in this case, turning the application into a piece of malware.
Tweet from MalwareHunterTeam:
Anyone knows anything about a Discord malware called "Spidey Bot"? It seems a new one to us…
cc @VK_Intel— MalwareHunterTeam (@malwrhunterteam) October 9, 2019
It was first reported by MalwareHunterTeam on Twitter and has been called both Spidey Bot and BlueFace. The information collected by it includes a mix of sensitive and relatively unharmful information.
Some of the examples of the former include the first 50 characters present in the Window’s clipboard which could reveal confidential information such as passwords in some cases; personally identifiable information such as one’s phone number, name and email address; the version of the discord app which could be useful in exploiting bugs in old versions and the victim’s local & public IP addresses along with their time zone which could give potentially away their location.
The latter on the other hand comprises the screen resolution of the victim’s device, the browser user agent and the zoom factor.
In order to check if you were infected, there’s a simple process to follow:
- Open the %AppData%\Discord\\modules\discord_modules\index.js file in a code editor such as notepad and make sure that it only contains “module.exports = require(‘./discord_modules.node’);” as a single line.
- Similarly open the %AppData%\Discord\\modules\discord_desktop_core\index.js file and verify that it also contains only “module.exports = require(‘./core.asar’);” as a single line.
If the above two checks are cleared, it means that you haven’t been infected by this particular malware. However, if you see an additional code like in the picture below, it is best to re-install the discord app since the new code represents the malicious JavaScript the attackers have been adding.
To conclude, Discord has responded at the moment but not in the manner we’d expect. This was followed by users complaining about the lack of intent present in their tone which although was followed by a reconciliatory message of ongoing investigations.
We could only urge our readers to take suitable precautions, one of them relevant here being regularly checking your installed software for any modified core files through anti-virus software.
Unfortunately, there's not much any app can do to prevent something like this. However, you should always be cautious about clicking strange links and even more suspicious of downloading unknown software from unverified sources. Doing so could lead to things like this.
— Discord (@discord) October 24, 2019
Did you enjoy reading this article? Like our page on Facebook and follow us on Twitter.