Recently we came across a Twitter feed that described a malware sample coded in Python that was fairly new and had few detections (at the time of writing this blog), which attracted our interest in diving deeper into the sample.

Upon analyzing the sample, we found an interesting technique showing how threat actors steal credentials and any other personal information stored in Discord, a popular social networking app, by grabbing Discord's auth tokens.

Let's now look at the analysis.

As the first step of analysis, we used "Detect It Easy" to identify the compiler, which it reported as Microsoft Visual C++. Further investigation showed that the malware's source Python script is compiled using PyInstaller to create a Microsoft Visual C payload. The compiled sample carries the actual malicious Python script, 333.py, in the overlay. We then extracted the .pyc files (including 333.pyc) from the zlib archive (overlay).

Figure 2: Extracted files from binary

Behavioral Analysis

Figure 3: Startup logo

When the original malware sample is executed, it verifies that the required Python modules are present and downloads them through pip if they are not found on the user's PC.

Figure 4: Imported Modules

After downloading the required modules, it enumerates all processes running on the system and kills any process whose name contains one of the strings "http", "wireshark", "fiddler" or "packet". For ease of understanding, the images shown below are from the extracted 333.pyc file.

Figure 5: Procedure for killing monitoring apps

After killing the identified network monitoring applications, it sends a POST request containing the following JSON, with a "ready to log" message, to the Discord webhook URL "hxxps//discordcom/api/webhooks/954910299654328380/SKmJo86TbjSj905A8TODrBL2vC5uwsmlXWNzGsphdrRfvC_aAwwTfl02Pcrv2LW2oC8G".

Figure 6: JSON payload sent during the start of malware activity

After the initial network request, it starts the activity to steal Discord cookies and tokens. The malware steals the token from the browsers and apps mentioned below.

Figure 7: Default location of browsers local storage
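The two behaviours described above (killing processes whose names contain "http", "wireshark", "fiddler" or "packet", then posting to a Discord webhook) chain into a useful endpoint detection. The following is an added example written for this post, not code from the sample or from the original analysis; the event format is a constructed, simplified Sysmon-like log, and the webhook id and token in it are placeholders.

```python
import re
from collections import defaultdict

# Constructed sample events: process-termination and network-connection records
# as a defender would pull them from an endpoint log (simplified Sysmon-like shape).
SAMPLE_EVENTS = [
    {"ts": 1, "event": "process_terminate", "actor": "python.exe", "actor_pid": 4120, "target": "Wireshark.exe"},
    {"ts": 2, "event": "process_terminate", "actor": "python.exe", "actor_pid": 4120, "target": "Fiddler.exe"},
    {"ts": 3, "event": "network_connect", "actor": "python.exe", "actor_pid": 4120,
     "dest_host": "discord.com", "uri": "/api/webhooks/000000000000000000/PLACEHOLDER_TOKEN"},
    {"ts": 4, "event": "process_terminate", "actor": "explorer.exe", "actor_pid": 900, "target": "notepad.exe"},
    # Legitimate Discord client traffic: same host, but not a webhook endpoint.
    {"ts": 5, "event": "network_connect", "actor": "Discord.exe", "actor_pid": 2200,
     "dest_host": "discord.com", "uri": "/api/v9/gateway"},
]

# The sample's own kill-list substrings, matched case-insensitively against process names.
MONITOR_MARKERS = ("http", "wireshark", "fiddler", "packet")
WEBHOOK_RE = re.compile(r"^/api/webhooks/\d+/")


def targets_monitoring_tool(name):
    """Mirror the sample's crude substring check so the rule fires on the same names it does.
    Note the breadth of "http": any tool with http in its name (e.g. HTTPDebuggerUI.exe) matches."""
    lowered = name.lower()
    return any(marker in lowered for marker in MONITOR_MARKERS)


def is_webhook_post(event):
    """True for a connection to a discord.com webhook URI (the exfil/beacon channel seen here)."""
    return (event["event"] == "network_connect"
            and event.get("dest_host") == "discord.com"
            and WEBHOOK_RE.match(event.get("uri", "")) is not None)


def detect(events):
    """Alert on a process that kills a monitoring tool and later reaches a Discord webhook."""
    killed_by = defaultdict(list)   # actor pid -> monitoring tools it terminated
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        pid = ev["actor_pid"]
        if ev["event"] == "process_terminate" and targets_monitoring_tool(ev["target"]):
            killed_by[pid].append(ev["target"])
        elif is_webhook_post(ev) and killed_by.get(pid):
            alerts.append({"pid": pid, "image": ev["actor"],
                           "killed": list(killed_by[pid]), "webhook_uri": ev["uri"]})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

The correlation key is the actor pid, so the legitimate Discord client connecting to discord.com, or a user closing Wireshark, does not fire on its own.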