Expert On AnarchyGrabber Trojan Update Stealing Discord Clients Passwords

By   ISBuzz Team
Writer , Information Security Buzz | May 27, 2020 02:46 am PST

Hackers have updated the AnarchyGrabber trojan to a new version which is capable of stealing passwords and user tokens, disabling 2FA and spreading malware to a victim’s friends as well.

AnarchyGrabber is distributed for free on hacking forums and in YouTube videos and the trojan is used by cybercriminals on Discord who claim it is a game cheat, hacking tool or copyrighted software. Instead it modifies the Discord client’s JavaScript files to turn it into malware that can steal a victim’s Discord user token which is then used by an attacker to log into the popular chat service as the victim.

Notify of
2 Expert Comments
Oldest Most Voted
Inline Feedbacks
View all comments
Dr. Muhammad Malik
Dr. Muhammad Malik , InfoSec Leader & Editor-in-Chief
May 29, 2020 9:47 am

This popular Trojan malware has been updated by hackers to modify the chat platform Discord client’s %AppData%\\m\\Discord\\[version]\\modules\\discord_desktop_core\\index.js file upon successful installation and this will give the malware ability to load JavaScript files. The updated AnarchyGrabber trojan has the capability to steal passwords and user tokens on this popular chat platform, spreading all kinds of malware to a victim’s friends and disabling 2FA as well.

The user can checked if they are infected by opening the %AppData%\\Discord\\[version]\\modules\\discord_desktop_core\\
\\index.js file and confirm it ONLY contain this code: “module.exports = require(‘./core.asar’);”. If any other code is present, the user is infected. In this case the user should uninstall Discord client from the machine, run the endpoint protection tools such as Anti-virus and install the updated version of Discord Client. It is best security practice to download the software from the official vendor website.

Last edited 3 years ago by Dr. Muhammad Malik
Michael Barragry
Michael Barragry , Operations Lead and Security Consultant
May 27, 2020 10:50 am

Although previous versions have been blocked by anti-virus, newer versions appear to have been able to bypass anti-virus signature detection. Clients which have a dependency upon Javascript are especially attractive targets for attackers given the versatility that Javascript offers.

Registered users should examine the Discord Javascript index.js file as outlined in the linked article for signs of infection. If infection is found to be present, users should consider their account as good as compromised. Additionally, all users should maintain an up to date anti-virus solution as part of their personal security best practice.

Last edited 3 years ago by Michael Barragry

Recent Posts

Would love your thoughts, please comment.x