[Update for 10th March] - read the full update.
We noticed an abnormal spike in joins to one of our Discord servers on January 9th, 2021 at approximately 3:45 am UTC. Many of these new joins started spamming messages including information such as the address of one of the server's members.
Soon after, we noticed a common theme: a lot of the people affected by the token logging campaign played ROBLOX. Eventually, after questioning some of the members, we came to the conclusion that the source was a cheat going by the name of "KRNL".
However, we downloaded several versions of this cheat and couldn't find any token logging mechanisms. So, we questioned more, and eventually, someone came up with an invite to a Discord server.
One of my friends, a fellow member of Overfl0wed, looked into the executables posted here, and figured out what was happening when you ran this executable.
From our knowledge, this is what the executable does when executed:
- First, the user launches Krnl.exe, which is the main executable. Interestingly, the executable's original file name is Synapse X.exe, which is another Roblox cheat. This could suggest that the attacker has run similar token logging campaigns in the past.
- After launching Krnl.exe, the program immediately calls a function named gay, which is an export from aes.dll. This DLL appears to be written in C++.
- The gay export from aes.dll rewrites the contents of \modules\discord_desktop_core\index.js in the Discord installation with the decrypted contents of aeskey.data, and then kills the Discord process by running the command taskkill /f /im Discord.exe.
The injected JS is obfuscated, but we handed the sample to someone else who assisted in deobfuscating it, so we can now show exactly what this malware does.
1. Discord Token/Personal Information Logging
This is the first feature of this malware that we have figured out, and it leads up to everything else that the malware does. This is the information we know it logs:
- Your public and private (local) IP address
- Your Discord username
- Information about ROBLOX accounts associated with the user, via the ROBLOX-Discord verification site eryn.io
- Information about the logged in Discord user, including email and phone number
- Payment method ability (that is, does the user have a payment method on their Discord account? If so, it will let the owners know)
- Information about the PC, including AppData location, CPU model, number of CPU cores, system uptime, the current Windows version, amount of RAM installed, timezone, screen resolution, and the current contents of the clipboard
The amount of information logged by this malware could result in further attacks, including full compromise of your Discord account.
2. Logging of Password Changes
Some people may know that changing your password on Discord automatically invalidates your token as well. However, the creators of this malware have an automatic mechanism set up to detect this, which makes the impact even worse.
When you change your password, you trigger another mechanism in the malware that logs your prior token, old password, and new password, and then refreshes the client after 25 seconds to obtain the new token.
Keep in mind that it also logs anything typed into a field with the classes inputDefault-_djjkz input-cIJ7To, which covers the login page and most other input fields in the Discord app, including the credit card information fields.
3. C2 via Discord server names
There is a simple C2 implemented in the malware, based on the names of Discord servers that the victim is forced to join. Here are the various commands:
- rfd: Reloads Discord.
- exi: Exits Discord.
- htb: Forces a rewrite of the infected Discord files, and then restarts Discord.
- cmd: Launches arbitrary commands.
- df: Downloads and executes an arbitrary file from any link.
- hng: Hangs the Discord client.
- pwg: Drops and executes a Chrome info stealer. This program steals information, including credit cards, addresses, and passwords, from Chrome and Chrome-based browsers.
- credis: Restarts Discord.
- mem: Displays a random meme.
In fact, we ran into a use of the cmd command ourselves: the attacker attempted to hinder our analysis by wiping our virtual machine with a server named cmd|rd C:\ /s /q (or similar).
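Because the C2 channel is just the name of a joined server, a defender can alert on guild-join events whose names follow the command shape. The following is an added detection example, not code from the writeup or from the malware; the log line format and the "&lt;command&gt;|&lt;argument&gt;" shape for every command are assumptions (only the cmd|... form was observed), and the sample log lines are constructed with a harmless placeholder argument.

```python
import re

# Command prefixes listed in this writeup, with what each lets the operator do.
C2_COMMANDS = {
    "rfd": "reload Discord", "exi": "exit Discord",
    "htb": "rewrite infected files and restart", "cmd": "run arbitrary command",
    "df": "download and execute a file", "hng": "hang the client",
    "pwg": "drop the Chrome info stealer", "credis": "restart Discord",
    "mem": "display a meme",
}
# Commands that run attacker-supplied code or payloads on the host.
HIGH_RISK = {"cmd", "df", "pwg"}
# Assumption: guild names use "<command>|<argument>", as in the observed "cmd|..." name;
# argument-less commands may appear bare. A hypothetical log line carries guild="<name>".
_LOG_RE = re.compile(r'guild="(?P<name>[^"]*)"')


def parse_c2_guild_name(name):
    """Return (command, argument) if the guild name looks like a C2 instruction, else None."""
    cmd, sep, arg = name.partition("|")
    cmd = cmd.strip().lower()
    if cmd in C2_COMMANDS:
        return cmd, (arg.strip() if sep else "")
    return None


def flag_guild_joins(log_lines):
    """Scan guild-join log lines and return one alert per C2-shaped guild name.

    A legitimate server could be called e.g. "mem", so this produces alerts
    to triage rather than an automatic block decision.
    """
    alerts = []
    for line in log_lines:
        m = _LOG_RE.search(line)
        if not m:
            continue
        parsed = parse_c2_guild_name(m.group("name"))
        if parsed:
            cmd, arg = parsed
            alerts.append({"guild": m.group("name"), "command": cmd, "argument": arg,
                           "action": C2_COMMANDS[cmd],
                           "severity": "high" if cmd in HIGH_RISK else "medium"})
    return alerts


# Constructed sample log lines; "whoami" is a placeholder, not the wiper seen in the writeup.
SAMPLE_LOG = [
    'ts=2021-01-09T03:45:00Z event=guild_join guild="Roblox Trading Hub"',
    'ts=2021-01-09T03:46:10Z event=guild_join guild="cmd|whoami"',
    'ts=2021-01-09T03:46:30Z event=guild_join guild="rfd"',
    'ts=2021-01-09T03:47:00Z event=guild_join guild="Memes|Daily"',
]
```

Running flag_guild_joins(SAMPLE_LOG) yields two alerts: a high-severity one for the cmd instruction and a medium one for rfd, while the ordinary server names pass through.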
4. Chrome information stealing
We went over this one briefly in #3, but it is an important one. Not only does this steal your Chrome passwords, it also steals cookies, addresses, and even credit card details if you have them saved in Chrome. This creates the possibility not just of account compromise, but also of fraud using your credit card.
How to remove this malware
If you are affected by this malware, we recommend you remove it as soon as possible. Here are our removal steps.
Note: If at any point you do not have any of the files as described, the malware likely did not drop them and you can proceed onto the next step.
- Quit Discord completely. Make sure it's completely closed before moving forward.
- Go to %appdata%\Discord. You can do this by pressing WIN+R on your keyboard, pasting the location and pressing "OK".
- Go to the folder with numbers in it (something like 0.0.309).
- Rename the modules folder to modules2.
- Restart Discord.
- Next, delete any of these files if they exist in the Discord directory (%APPDATA%\Discord):
  - DiscordClient.exe [file downloaded with the df command]
  - DiscordVerify.exe [if this has been downloaded, you should change your passwords immediately, as this is the password stealer component]
- Afterwards, we recommend you delete the fake cheat files. The files related to this malware are named "Krnl.exe", "aes.dll", and "aeskey.data".
- After this, completely wipe any files in %APPDATA%\Discord. Discord's uninstaller might not remove everything, so it's best to perform this step just in case.
- Change your Discord password to avoid further unwanted usage of your account. ONLY DO THIS ONCE YOU HAVE REMOVED THE MALWARE, AS YOUR NEW INFORMATION WILL BE LOGGED OTHERWISE.
- As information such as passwords may have been logged from Chrome and Chrome-based browsers, we recommend you change your passwords immediately, as they may have been compromised.
Indicators of Compromise (IoCs)
Here is the information we have gathered. We're not sure how the files have changed between versions, as there have been many releases, but here are the hashes of the files we have on hand.

| Indicator (SHA-256 hash or URL) | File name | Purpose |
|---|---|---|
| 4b58cabb02d780340f0f9d4b272ecd81554679a92d5c63edc4666a1e1b06931f | Krnl.exe | Initial executable, calls into aes.dll |
| 6a745065a755ea048049cecba3f2b4d459c9a57837f1283d789fe80c77790a80 | DiscordVerify.exe | Chrome information stealer |
| hxxps://cdn.discordapp.com/attachments/738271683554836494/738271825661919252/chromething.exe | | Chrome info stealer |
| hxxps://pastebin.com/raw/1ZKqnneZ | | Webhooks are obtained from this URL |
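To check a machine against the removal steps and the IoC table above, the following added example (not code from the writeup) walks a Discord AppData-style tree, flags the file names the writeup associates with the dropper and its payloads, compares SHA-256 digests against the two hashes in the table, and checks whether discord_desktop_core/index.js has been rewritten. It assumes a clean index.js is the one-line core.asar loader, which is not stated in the writeup; build_sample_tree creates a constructed directory of placeholder files for demonstration.

```python
import hashlib
import tempfile
from pathlib import Path

# SHA-256 hashes copied from this writeup's IoC table.
KNOWN_BAD_SHA256 = {
    "4b58cabb02d780340f0f9d4b272ecd81554679a92d5c63edc4666a1e1b06931f": "Krnl.exe (initial executable)",
    "6a745065a755ea048049cecba3f2b4d459c9a57837f1283d789fe80c77790a80": "DiscordVerify.exe (Chrome stealer)",
}
# File names this writeup associates with the dropper and its dropped payloads.
SUSPICIOUS_NAMES = {"krnl.exe", "aes.dll", "aeskey.data", "discordclient.exe", "discordverify.exe"}
# Assumption (not stated in the writeup): a clean discord_desktop_core/index.js is a one-line
# loader for core.asar. Confirm against a known-clean install before relying on it.
STOCK_INDEX_JS = "module.exports = require('./core.asar');"


def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def scan_discord_dir(root):
    """Walk a Discord AppData-style tree and return (path, reason) findings."""
    findings = []
    for path in Path(root).rglob("*"):
        if not path.is_file():
            continue
        if path.name.lower() in SUSPICIOUS_NAMES:
            findings.append((str(path), "name matches a dropper/payload file from the writeup"))
        digest = sha256_of(path)
        if digest in KNOWN_BAD_SHA256:
            findings.append((str(path), "SHA-256 matches IoC: " + KNOWN_BAD_SHA256[digest]))
        if path.name == "index.js" and path.parent.name == "discord_desktop_core":
            body = path.read_text(encoding="utf-8", errors="replace").strip()
            if body != STOCK_INDEX_JS:
                findings.append((str(path), "discord_desktop_core/index.js differs from stock loader"))
    return findings


def build_sample_tree():
    """Constructed sample tree (placeholders, not real malware) shaped like %APPDATA%\\Discord."""
    root = Path(tempfile.mkdtemp(prefix="discord_scan_"))
    core = root / "0.0.309" / "modules" / "discord_desktop_core"
    core.mkdir(parents=True)
    (core / "index.js").write_text(STOCK_INDEX_JS + "\n// constructed injected stub\n", encoding="utf-8")
    (root / "DiscordVerify.exe").write_bytes(b"constructed placeholder, not the real payload")
    (root / "settings.json").write_bytes(b'{"constructed": true}')
    return root
```

Calling scan_discord_dir(build_sample_tree()) reports the placeholder DiscordVerify.exe by name and the modified index.js, and nothing for settings.json; on a real machine, point scan_discord_dir at %APPDATA%\Discord instead.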
For the record, as far as we know, other versions of KRNL are not affected by this. The two other versions we retrieved and tried did not appear to contain any malicious code or behaviour, though the authenticity of free Roblox exploits should always be questioned.
What are Discord doing to resolve this?
Nothing (yes, really). While Discord seem very concerned about the subjectively offensive language the malware operators posted in the Discord server mentioned in the update below (terminating it an hour or two after it was created), we have yet to see the original gateway server deleted, because we know, and they know, that a single offensive word ranks higher on the ToS priority list than financial fraud. Priorities, am I right?
Update - [10th March]
Earlier today, we were approached by a user who was concerned about how the stolen tokens were being used, and about how our removal instructions had become outdated as the malware evolved. While we explore the malware's new behaviour, we will update the removal instructions as needed.
Firstly, our concern that farmed tokens could be used to boost Discord servers without the account owners' permission turned out to be correct, as we had originally suspected. After the accounts were forced to join the Discord server, some of them started boosting it in order to obtain the vanity invite link that a server is entitled to at 30 boosts. We saw one very concerned user complain about how they had ended up in the server, and about where the 6 charges for Nitro and/or server boosts on their account had come from. Worrying indeed.
We're unsure how this user is going to resolve their situation and we send them our best regards. We did not manage to catch their username, and since then the server in question has been terminated by Discord (judging by the server contents, probably a good thing, as you shall see later).
Another individual who seems to have been tracking these people sent us a video of the issues caused, such as the mass spamming, mass joining and mass boosting. You may find the edited version of this video below once we have uploaded it. To preserve the privacy of the individual who sent us the video, we will be censoring all identifiable information.