A revamped version of the AnarchyGrabber Trojan is currently spreading on the Discord chat platform. It brings serious risks: theft of usernames and passwords, deactivation of two-factor authentication, and even further infection by malware.
“An attacker can also steal the victim’s plain text password and order an infected client to spread malware to the victim’s friends on Discord. By stealing passwords in plain text, attackers can use them in stuffing attacks to compromise the victim’s accounts on other sites,” says Bleepingcomputer. “Once a victim logs in, the modified Discord client attempts to disable dual factor authentication on their account. A Discord webhook is used to send the email address, connection name, user token, plain text password and user’s IP address to a discord channel controlled by the attacker.”
How to check for an AnarchyGrabber3 infection
If opening the file “%AppData%\Discord\[version]\modules\discord_desktop_core\index.js” in Notepad shows this message, Discord must be uninstalled as soon as possible and the system thoroughly cleaned before reinstalling it. (credit: Bleepingcomputer)
Control over the machine then allows an attacker to execute remote commands and distribute other malicious software on a massive scale to the victim’s contact list. The main problem is that users cannot necessarily see that they have been hacked. “Once the AnarchyGrabber3 executable is run and modifies the Discord client files, it does not remain resident or no longer runs. Consequently, no malware detects malicious processes, the infected user will continue to be part of the botnet each time he connects to Discord,” notes Bleepingcomputer.
To check that your system is not infected with AnarchyGrabber3, open the file “%AppData%\Discord\[version]\modules\discord_desktop_core\index.js” in Notepad and make sure it has not been changed. A normal, unmodified file contains only the following line: “module.exports = require('./core.asar');”
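The manual Notepad check above can be automated. The following script is an added example written for this article, not code from Bleepingcomputer or from Discord: it walks every Discord version directory under %AppData%, reads each discord_desktop_core/index.js, and reports whether the file body is exactly the single expected line quoted above. The path template and the expected line come from the article; the tolerance for a trailing newline, CRLF line endings and double quotes around the module path is an assumption added so that harmless formatting differences do not raise a false alarm. The sample "modified" content in the test is constructed for illustration only.

```python
"""Check Discord's discord_desktop_core/index.js for unexpected modifications.

Added example (not part of the original article). An unmodified file is
expected to contain only:  module.exports = require('./core.asar');
"""
import os
import re
import sys
from pathlib import Path
from typing import Dict, Iterable, List, Optional

# Regex for the single line an unmodified index.js should contain (from the
# article). Whitespace and the quote style are tolerated; nothing else may
# appear, so any appended or injected statement counts as a modification.
EXPECTED_PATTERN = re.compile(
    r"^module\.exports\s*=\s*require\(\s*['\"]\./core\.asar['\"]\s*\);?$"
)


def is_clean_index_js(content: str) -> bool:
    """Return True if the file body is only the expected require() line."""
    return EXPECTED_PATTERN.fullmatch(content.strip()) is not None


def find_index_js_files(appdata: Optional[str] = None) -> List[Path]:
    """Locate every file matching
    %AppData%\\Discord\\[version]\\modules\\discord_desktop_core\\index.js.

    `appdata` overrides the APPDATA environment variable (useful for testing
    or for checking an offline copy of a user profile).
    """
    base = Path(appdata or os.environ.get("APPDATA", "")) / "Discord"
    if not base.is_dir():
        return []
    return sorted(base.glob("*/modules/discord_desktop_core/index.js"))


def check_files(paths: Iterable[Path]) -> Dict[str, bool]:
    """Map each path to True (clean) or False (modified or unreadable)."""
    results: Dict[str, bool] = {}
    for path in paths:
        try:
            body = Path(path).read_text(encoding="utf-8", errors="replace")
            results[str(path)] = is_clean_index_js(body)
        except OSError:
            # An unreadable file cannot be vouched for; treat it as suspect.
            results[str(path)] = False
    return results


if __name__ == "__main__":
    files = find_index_js_files()
    if not files:
        print("No Discord discord_desktop_core/index.js found under %AppData%.")
        sys.exit(0)
    results = check_files(files)
    for path, clean in results.items():
        print(f"{'OK      ' if clean else 'MODIFIED'} {path}")
    # Non-zero exit makes the check usable from a scheduled task or login script.
    sys.exit(0 if all(results.values()) else 1)
```

Run it as the affected user (it reads that user's %AppData%); a MODIFIED result means the file should be inspected and, per the article, Discord uninstalled and the system cleaned before reinstalling.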