In my last article (see ), we discovered a NodeJS malware that steals the Discord credentials from the client by patching the sources of the Electron client. here Since then, a lot of things have happened. The author deleted the repository, and he apologized for the harm he caused. Electron Electron is a framework that lets developers build desktop applications using Web technologies like HTML, Javascript, and CSS. This framework is prevalent and widely used by many typical applications like VSCode, Whatsapp, or Discord. As the application code is in Javascript, the sources are still there but hidden in plain sight. So what protects us from a malicious user editing the archive containing the sources and tampering it with malware? Well, on Electron level, practically nothing. On the OS level, you could use code signing or installing the application in a secure place: On Windows, a program in can only be edited by the application itself, but, by default, there are installed in instead, where there is no such protection. C:\Program Files\ %APPDATA% On Mac, apps are usually signed, and this signature is verified during the installation. But after that, nothing is checked anymore. On Linux, there is no such default protection mechanism. Electron Malware Injection: PirateStealer Let's start our journey into Electron injections by looking at how the PirateStealer’s injector works. It first tries to find your Discord installation in your directory and then locates all the running processes. Then it downloads the infection payload from a Github repository, stops your Discord, injects the payload, and restarts your Discord client. Let's focus on the payload injection. The payload injection is done by modifying the main Discord Desktop file that you can find in your directory. The index.js file should normally look like this: %APPDATA% %LOCALAPPDATA%\Discord\app-<version>\modules\discord_desktop_core-2\discord_desktop_core module.exports = require('./core.asar'); After the injection, it will look like this: const fs=require("fs"),path=require("path"),{BrowserWindow:BrowserWindow,session:session}=require("electron"),querystring=require("querystring"),os=require("os");var webhook="https://discord.com/api/..... As you can see, the malware has modified the source code of Discord to get its code running inside Discord. It is now time to look at this injected payload. PirateStealer Payload I won’t publish the complete code of the payload as the original Github repository got banned, but we can still highlight some clever mechanisms. First, we can look at how PirateStealer grabs the token from the Discord client. To prepare the code for distribution, the Discord team bundles its code with . This tool allows bundling many resources into bigger chunks to facilitate the installation procedure. Webpack Webpack also exposes a way for developers to add their own code at runtime. This feature comes from this . As one can see in the highlighted code, this line allows the developer to access the entire Webpack runtime. From there, we have access to From there, we can list every function and search for the function. Yep, that’s it, the most security-critical function of Discord is in plain sight of everyone. Webpack JSONP Loader all the functions in Discord. getToken [rant: on] If Discord renamed that function to any other name, it would break every currently existing token grabber. [rant: off] With this token, PirateStealers runs several calls to the internal Discord API: It first checks the profile for unique badges like Verified Developer, Early Supporter… It then lists the payment sources (it doesn’t expose your credit card, but ) it does expose your postal address! Then it lists your friends with rare badges for future targeting. Finally, it resets your MFA if it grabbed your password earlier (more on that below). We saw what the malware could do with a simple token. This is quite powerful, in my opinion… But that’s not all the malware does. It also watches your activity in the application: It detects when a user logs in, changes its password, or changes its email address (that means it can steal your password and email address). This leaks your existing password and allows the hacker to log in and change any information on the account. It detects when a user adds a credit card and leaks all the information about the card (including CVC!) Recommendations From what we saw all along with the article, I would recommend to: Don’t use your actual address in your payment methods on Discord. Don’t use credit cards if you want to add a payment method; use Paypal instead, which doesn’t leak any critical information. Thank you for reading this article. If you have any suggestions or comments, you can address them preferably on Discord ( ). https://discord.gg/FKuAky4K8M If you enjoyed this article, please consider leaving a reaction. This kind of article takes a long time to prepare (almost a week alongside my day job), so if you want to support me, you can do it on . Buy me a coffee First published here

Analyzing the Source Code of Popular Desktop Apps for NodeJS Malware. Part2

Too Long; Didn't Read

Company Mentioned

@thedevopsguy

RELATED STORIES