[Update for 10th March] - read the full update.

We noticed an abnormal spike in joins to one of our Discord servers on January 9th, 2021 at approximately 3:45 am UTC. Many of the newly joined accounts started spamming messages containing information such as the address of one of the server's members.

Soon after, we noticed a common theme: many of the people affected by the token logging campaign played ROBLOX. After questioning some of the members, we concluded that the common factor was a cheat going by the name of "KRNL".

However, we downloaded several versions of this cheat and could not find any token logging mechanism in them. We kept asking around, and eventually someone produced an invite to a Discord server.

The Discord server that contained the malware

One of my friends, a fellow member of Overfl0wed, looked into the executables posted in that server and worked out what happens when they are run.

To the best of our knowledge, this is what the executable does when run:

  • First, the user launches Krnl.exe, the main executable. Interestingly, its PE version information gives an original filename of Synapse X.exe, the name of another Roblox cheat. This could suggest that the attacker has run similar token logging campaigns before.
  • Immediately after launch, Krnl.exe calls a function named gay, which is an export of aes.dll. This DLL appears to be written in C++.
Krnl.exe, executing the "gay" function from aes.dll
  • The "gay" export of aes.dll rewrites the contents of \modules\discord_dispatch\index.js and \modules\discord_desktop_core\index.js (under the versioned folder of the Discord installation, see the removal steps) with the decrypted contents of aeskey.data, then kills the running client with taskkill /f /im Discord.exe. Because these files are module entry points that Discord loads at startup, the payload runs with the client on every subsequent launch.
Strings containing "Discord"
Notice that the xrefs point to the "gay" function, which Krnl.exe calls

So Krnl.exe calls the "gay" function from aes.dll, which in turn overwrites two of Discord's startup files. What does the injected JavaScript do?

The JavaScript is obfuscated, but another analyst we shared the sample with helped deobfuscate it, so we can describe exactly what the malware does.

1. Discord Token/Personal Information Logging

This is the first capability we identified, and everything else the malware does builds on it. The information we know it logs:

  • Your public and private (local) IP address
  • Your Discord username
  • Information about ROBLOX accounts associated with the user, via the ROBLOX-Discord verification site eryn.io
  • Information about the logged in Discord user, including email and phone number
  • Whether the account has a payment method on file (if it does, the operators are told)
  • Information about the PC, including AppData location, CPU model, number of CPU cores, system uptime, the current Windows version, amount of RAM installed, timezone, screen resolution, and the current contents of the clipboard

A Discord token alone is enough to authenticate as the account, so the information logged here could result in further attacks, up to full compromise of your Discord account.

Information logged by the token grabber

2. Logging of Password Changes

Changing your Discord password also invalidates your current token. The authors of this malware anticipated that and built in a mechanism to detect it, which can make the impact worse rather than better.

When you change your password, a second routine in the malware logs your previous token together with the old and new passwords, then reloads the client after 25 seconds to capture the new token.

Code of Discord password stealer

Keep in mind that it also logs anything entered into an input element carrying the CSS classes inputDefault-_djjkz input-cIJ7To, which covers the login page and most other input fields in the Discord client, credit card fields included.

3. C2 via Discord server names

The malware implements a simple C2 channel based on the names of Discord servers that the victim joins: the server name carries the command, with any argument following a | separator (see the cmd example below). The commands:

rfd: Reloads Discord.
exi: Exits Discord.
htb: Forces rewrite of the infected Discord files, and then restarts Discord.
cmd: Runs an arbitrary shell command (the argument after the |).
df: Downloads and executes an arbitrary file from any link.
hng: Hangs the Discord client.
pwg: Drops and executes a Chrome info stealer. This program steals information, including credit cards, addresses, and passwords from Chrome and Chrome-based browsers.
credis: Restarts Discord.
mem: Displays a random meme.

C2 implementation

We ran into the cmd command ourselves: the attacker tried to hinder our analysis by wiping the analysis virtual machine through a server named cmd|rd C:\ /s /q (or similar).

4. Chrome information stealing

We touched on this in #3, but it is an important one. Besides your Chrome passwords, it also steals cookies, saved addresses, and any credit card details stored in Chrome. The result is not just account compromise but the possibility of fraud with your credit card.

Logging of information
Classes, highlighted are classes involved in retrieving sensitive info

How to remove this malware

If you are affected by this malware, we recommend you remove it as soon as possible. Here are our removal steps.

Note: If at any point you do not have any of the files as described, the malware likely did not drop them and you can proceed onto the next step.

First method:

  1. Quit Discord completely. Make sure it is fully closed before moving on.
  2. Open %appdata%\Discord. You can do this by pressing WIN+R, pasting the location and clicking "OK".
  3. Open the versioned folder (named something like 0.0.309).
  4. Rename the modules folder to modules2, so that Discord recreates clean modules instead of loading the rewritten ones.
  5. Restart Discord.

Second method:

  • First, delete any of these files if they exist in the Discord directory (%APPDATA%\Discord):
    DiscordClient.exe [downloaded with the df command]
    DiscordVerify.exe [if this has been downloaded, change your passwords immediately, as it is the Chrome password stealer component]
  • Afterwards, we recommend you delete the fake cheat files. The files related to this malware are named "Krnl.exe", "aes.dll", and "aeskey.data".
  • Next, uninstall Discord completely. This removes the infected JavaScript files the malware wrote.
  • After this, completely wipe any files in %APPDATA%\Discord. Discord's uninstaller might not remove everything, so it's best to perform this step just in case.
  • Afterwards, re-install Discord. This should re-create the clean JavaScript files.
  • Change your Discord password to cut off further use of your account. ONLY DO THIS ONCE YOU HAVE REMOVED THE MALWARE; OTHERWISE THE NEW PASSWORD AND TOKEN WILL BE LOGGED TOO (see #2 above).
  • As passwords may also have been logged from Chrome and Chrome-based browsers, change those passwords as well; they may have been compromised.

Indicators of Compromise (IoCs)

Here is the information we have gathered. We are not sure how the files have changed between versions, as there have been many releases, but here are the hashes of the files we have on hand.

Files

SHA-256 | File name | Purpose
5cd3363d355f0dc31ca123ccddeb58f496c482cd583c6fdd32d6079b11cce213 | aes.dll | Deploys infected JavaScript files
4b58cabb02d780340f0f9d4b272ecd81554679a92d5c63edc4666a1e1b06931f | Krnl.exe | Initial executable, calls into aes.dll
c8cb29070d6d34132f206bbef23d49fa25902ddf5b1ded920a4274b2b2f24215 | aeskey.data | Encrypted version of the infected JavaScript
6a745065a755ea048049cecba3f2b4d459c9a57837f1283d789fe80c77790a80 | DiscordVerify.exe | Chrome information stealer

URLs

Path | Purpose
hxxps://cdn.discordapp.com/attachments/738271683554836494/738271825661919252/chromething.exe | Chrome info stealer
hxxps://pastebin.com/raw/1ZKqnneZ | Webhooks are obtained from this URL
hxxps://cdn.discordapp.com/attachments/723197192348893225/754877777357832343/gladiator.png | Meme from the mem command
hxxps://cdn.discordapp.com/attachments/723197192348893225/754890544798367775/destroyed.png | Meme from the mem command
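To turn the indicators above into a check you can run, here is a small Python 3 script. It is an added example, not code from the original write-up or from Overfl0wed. It walks a directory (by default %APPDATA%\Discord, or whatever folder you pass on the command line, such as the one the cheat was downloaded to), hashes the .exe/.dll/.data/.js files it finds against the SHA-256 table, flags the file names listed in the removal steps, and inspects the two module entry points that aes.dll rewrites. Two things in it are my assumptions rather than facts from the post: that the stock modules\discord_desktop_core\index.js is exactly the one line module.exports = require('./core.asar');, and the list of substrings used to flag a rewritten index.js (webhook URLs, pastebin, token, require('https'), child_process, eval, clipboard). No baseline is assumed for discord_dispatch\index.js, so that file is judged on those substrings and its size alone. The SAMPLE_TREE at the bottom is constructed for demonstration and is not a real capture.

```python
"""Triage a Discord install (or a folder of downloaded files) for the indicators
described in this post. Added example, not code from the original write-up."""
from __future__ import annotations

import hashlib
import os
import re
import sys
from pathlib import Path, PureWindowsPath
from typing import Iterable, Iterator

# SHA-256 -> (file name, purpose), copied from the post's IoC table.
IOC_SHA256 = {
    "5cd3363d355f0dc31ca123ccddeb58f496c482cd583c6fdd32d6079b11cce213":
        ("aes.dll", "deploys infected JavaScript files"),
    "4b58cabb02d780340f0f9d4b272ecd81554679a92d5c63edc4666a1e1b06931f":
        ("Krnl.exe", "initial executable, calls into aes.dll"),
    "c8cb29070d6d34132f206bbef23d49fa25902ddf5b1ded920a4274b2b2f24215":
        ("aeskey.data", "encrypted infected JavaScript"),
    "6a745065a755ea048049cecba3f2b4d459c9a57837f1283d789fe80c77790a80":
        ("DiscordVerify.exe", "Chrome information stealer"),
}
# File names the post says the malware ships with or drops.
DROPPED_NAMES = {"Krnl.exe", "aes.dll", "aeskey.data", "DiscordClient.exe", "DiscordVerify.exe"}
# The two module entry points that aes.dll rewrites (inside the versioned folder).
TARGET_MODULES = ("discord_desktop_core", "discord_dispatch")
# Assumption (mine): the stock discord_desktop_core\index.js is exactly this one line.
STOCK_DESKTOP_CORE = "module.exports = require('./core.asar');"
# Assumption (mine): heuristics for a rewritten module index.js. A stock index.js is a
# one-line require and has no reason to contain any of these.
SUSPICIOUS = [re.compile(p, re.I) for p in (
    r"discord(?:app)?\.com/api/webhooks",
    r"pastebin\.com",
    r"\btoken\b",
    r"require\(['\"]https?['\"]\)",
    r"child_process",
    r"\beval\(",
    r"clipboard",
)]


def check_module_index(module: str, body: bytes) -> list[str]:
    """Findings for the index.js of one module; an empty list means it looks stock."""
    text = body.decode("utf-8", errors="replace").strip()
    findings = []
    if module == "discord_desktop_core" and text != STOCK_DESKTOP_CORE:
        findings.append("differs from the stock one-line require")
    if len(text) > 200:
        findings.append(f"is {len(text)} bytes; a stock index.js is a one-line require")
    findings += [f"matches /{p.pattern}/" for p in SUSPICIOUS if p.search(text)]
    return findings


def triage(entries: Iterable[tuple[str, bytes]]) -> dict[str, list[str]]:
    """Map each (relative path, bytes) entry that has a hit to its list of findings.
    Paths are parsed as Windows paths, so both '\\' and '/' separators work."""
    report: dict[str, list[str]] = {}
    for rel, data in entries:
        p = PureWindowsPath(rel)
        findings = []
        digest = hashlib.sha256(data).hexdigest()
        if digest in IOC_SHA256:
            name, purpose = IOC_SHA256[digest]
            findings.append(f"SHA-256 matches IoC {name} ({purpose})")
        if p.name in DROPPED_NAMES:
            findings.append("file name matches a component from the removal steps")
        if p.name == "index.js" and p.parent.name in TARGET_MODULES:
            findings += [f"{p.parent.name}/index.js {f}"
                         for f in check_module_index(p.parent.name, data)]
        if findings:
            report[rel] = findings
    return report


def walk(root: Path) -> Iterator[tuple[str, bytes]]:
    """Yield (relative path, bytes) for the file types the indicators cover."""
    for path in root.rglob("*"):
        if path.is_file() and path.suffix.lower() in {".exe", ".dll", ".data", ".js"}:
            yield str(path.relative_to(root)), path.read_bytes()


# Constructed sample tree for demonstration, not a real capture: one rewritten module
# entry point, one clean module (placeholder content), and a dropped-binary file name.
SAMPLE_TREE = [
    (r"0.0.309\modules\discord_desktop_core\index.js",
     b"module.exports = require('./core.asar');\n"
     b"const https = require('https');\n"
     b"const hook = 'https://discord.com/api/webhooks/0/constructed';\n"
     b"// token and clipboard collection would follow here\n"),
    (r"0.0.309\modules\discord_dispatch\index.js",
     b"module.exports = require('./discord_dispatch.node');\n"),
    (r"DiscordVerify.exe", b"MZ placeholder bytes, not the real sample"),
]


def demo() -> dict[str, list[str]]:
    """Run the triage over the constructed sample tree."""
    return triage(SAMPLE_TREE)


if __name__ == "__main__":
    target = (Path(sys.argv[1]) if len(sys.argv) > 1
              else Path(os.environ.get("APPDATA", ".")) / "Discord")
    if not target.is_dir():
        sys.exit(f"{target} is not a directory; pass %APPDATA%\\Discord or the cheat download folder")
    report = triage(walk(target))
    for rel, findings in report.items():
        print(rel)
        for f in findings:
            print("  -", f)
    if not report:
        print(f"no indicators found under {target}")
```

Run it before you change any passwords, since a hit on the module entry points means the client is still logging input. A clean run is not proof of a clean machine: the authors note that the files have changed across releases, so the hashes only catch the builds they had, and the substring heuristics are mine.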

More Information

For the record, as far as we know, other versions of KRNL are not affected. The two other versions we retrieved and tested did not appear to contain any malicious code or behaviour, though the authenticity of free Roblox exploits should always be questioned.

What are Discord doing to resolve this?

Nothing (yes, really). While Discord seem very concerned about subjectively offensive language used by the malware operators in the Discord server mentioned in the update below (terminating it an hour or two after it was created), we have yet to see the original gateway server deleted, because we know, and they know, that priorities over ToS-breaking activity are set by a single offensive word rather than by financial fraud. Priorities, am I right?

Update - [10th March]

Earlier today we were approached by a concerned user about how the harvested tokens were being used, and about our removal instructions having become outdated as the malware evolved. We will update the removal instructions as we work through the malware's new behaviour, should they need it.

Firstly, our concern that farmed tokens might be used to boost Discord servers without the account owners' permission was correct. After the accounts were forced to join the Discord server, some of them started boosting it in order to reach the vanity invite link granted at 30 boosts, as we had originally suspected. We saw a very concerned user asking how they had ended up in the server and where the six charges for Nitro and/or server boosts on their account had come from. Worrying indeed.

We are unsure how this user is going to resolve their situation and we send them our best regards. We did not manage to catch their username, and the server in question has since been terminated by Discord (judging by the server contents, probably a good thing, as you shall see later).

Another individual who seems to have been tracking these people sent us a video of the issues caused, such as the mass spamming, mass joining and mass boosting. You may find the edited version of this video below once we have uploaded it. To preserve the privacy of the individual who sent us the video, we will censor all identifiable information.