Overview
On September 17, 2021, at around midnight HAST, I recieved a text from my younger brother that his Discord account had been broken into. Thinking that it wouldn’t be a terribly big deal, I told him to e-mail the Discord support team and wait for their office hours for the earliest response possible. Within four hours, the officially verified Fruitbat Factory Discord server was destroyed by someone demanding a $350 ransom paid in Bitcoin, and I had to spend the next two days drowning in research and playing messenger boy to many different groups in need of information. Here are the results of my findings.
Malware Reviews
This attack comes in the form of a link that will take you to download a .exe file disguised as a game jam indie game (short, typically themed games developed in a short time frame). This is a Trojan virus: if you download and run this file, it will install spyware that will log your keystrokes and attempt to steal your Discord account credentials. Two-factor authentication (2FA) will not protect against this variant: this one attempts to steal a backup 2FA code to get in to your account without your password.
This variant is the most well-documented, as far as I can tell; here is a thread from someone at Fruitbat Factory on the subject (archived), transcribed below:
@everyone Related to the ongoing socially engineered malware attacks, if you end up unfortunately executing code given to you by an attacker, here’s what you need to know:
- Disconnect internet from your PC RIGHT AWAY – if you do this fast enough, you may be able to stop your accounts from getting stolen.
- Change your Discord password RIGHT AWAY, on [a different device]. This is their first priority, and unless you act immediately, you will lose access and it will be very slow to recover via support.
- Change your email and other critical passwords on [a different device].
This malware is extremely advanced, won’t be caught by any existing virus scanners, and will install a downloader, likely a crypto miner, a keylogger, will harvest logins from all your browsers, and who knows what else. If you are exposed and didn’t immediately disconnect internet, expect that all of your existing logins have been compromised – and any changes you make on PC will be immediately leaked as well.
- Do a clean reinstall of Windows [or your current operating system]. A system restore is not safe enough.
- While that happens, report any stolen accounts, and keep changing the rest of your passwords.
- After reinstall, change all your passwords one more time, and you should be safe.
If you are notified of any suspicious login attempts to any account, immediately attempt to recover it with password recovery before your logins, emails, and other support details are changed. If you lose access to any accounts, do your best to notify your friends who may be vulnerable to further attacks through that attack.
And a write-up on the virus itself, archived and transcribed as follows:
Well, now that things have calmed down, an explanation of what actually happened. This was something unlike any attack I’ve seen before, so everyone should be wary going forward. It started when a friend of mine (who isn’t relevant to name here) got chatted up by a stranger (a human), and got talked into checking out their “game.” The game stole their Discord account and probably [did] all the other nice things that happened to me too. Said friend is quite creative, and I’ve checked out various creative projects of theirs, so when they DM’d me about their new game, talking in the same manner they always do, it was enough to pass my “reasonable doubt” threshold of anything possibly being wrong, and I fell for the exact same thing. Instantly lost control of Discord account, and they tried to steal some other things too.
The program included a downloader and crypto miner and was extremely cutting edge, doesn’t show up in any scanners. Even scanning the .exe for viruses shows nothing. I even talked to a white hat about trying to do the same thing the original software did to extract a Discord token for direct login, so I could get my account back, but it had even accounted for that and the tokens had been removed. This is pretty much industrial espionage level stuff. He said it’s the most advanced discord malware he’s ever seen. I had to reinstall Windows to clean it up. The important part that should make everyone really paranoid is that this isn’t like the usual bot spam attacks – it’s done by humans.
Plus details on an attempted deconstruction via debugger, archived and transcribed as follows:
Doing some analysis now, it’s absurd, the thing BROKE MY DEBUGGER, it got a lot of weird misplaced bytes in the exe header and a tentative of buffer overflow that didn’t work thankfully because I was in Linux, so the kernel just crashed -.-
This thing is a Node Executibles front; [has] a token stealer, the code to break into passwords kepts in lots of places on your OS (covers every browser); it also monitors your network; hooks NTOpenkey, WSASend, WSARrecv; AND EVEN [creates processes]. Oh yeah, it also hooks to your key input, so call it a keylogger too. It is designed to break debuggers and try to fuck with you from inside the debugger without executing. It is a complete Security Stealing Ware. Didn’t find anything that could point tentatives to mess with your BIOS/firmware (in these cases, even reinstalling the os may not be secure enough lol)
It’s not uncommon for malwares like these to tear debuggers apart, but it’s not something easily done from scratch. Attackers using programs like those have some experience with making attacks like these. I haven’t collected enough data to confirm this, but anecdotally, accounts with badges seem to be targeted more frequently than ones without badges.
Redirect Phishing
Redirect phishing works in a simple way, but it is effective enough to still compromise your account. Scammers will send you a broken image, prompting you to open the link in your browser to see if it works in there. The image URL will redirect to a fake Discord login page in the hopes that you will log in, handing over your account information. You are not “forced” to log in or hand over your info just by opening this link – this kind of attack simply hopes that you will log in with the fake Discord page before you realize something’s wrong. The potential risk here is still quite great, but it is nowhere near as bad as tweets like these make them out to be.
“Free XYZ” Gift Codes
Another common attack comes in the form of a QR code for a gifted Discord Nitro subscription or game. This one is simpler and relies more on social engineering, as the message sent with the QR code attempts to disguise the QR code when it is actually a phishing link appearing to ask you to log in to Discord. From there, the scammers will log in to your account and change your login info. The official Discord help desk states that login QR codes only last for two minutes once generated, so if you have any suspicions, you can always wait it out.
Staying Educated
Scam attacks like these have changed alongside the Internet, but fraud and theft have been around for far longer. There are many resources out there on similar types of attacks carried out in different fields, and as much of the advice still applies, they can be useful tools in this context as well. Here are a few resources with good information on similar schemes:
- “I Told You NOT To Click The Phishing Link, But You DID! Now What?” by Atomic Shrimp
- “Scam Victim Story: Why do People Fall for SCAMS Anyway?” by Atomic Shrimp
- “Phishing attacks are SCARY easy to do!! (let me show you!)” by Network Chuck – this video lays bare some of the tactics, tricks, and tools attackers may use
Precautions
To protect yourself from these attacks, do not click on strange links, scan unknown QR codes, or download and run suspicious files. They can’t get into your account if you don’t click, scan, or install anything – scammers and hackers require a substantial amount of social engineering in order to make their attacks work. Once these scammers have access to your account, they forward the same scam to others on the account’s friend list, just like how old chain letters operated. Make sure you know exactly you’re talking to, and ask questions if you’re not sure if your friends are the ones using their accounts. Phishing.org has an excellent guide on what to look for in order to spot scam messages.
Stay on your toes: watch out for online scams similar to these and others that aren’t always so obvious. Be skeptical and verify anything if it strikes you as even slightly odd; if it sounds too good to be true, then it probably is, especially if you didn’t initially prompt them. No matter who someone says they are, you should never give anyone your password, password recovery codes, 2FA code, and so on.
For additional safety, you can also try the following:
- using another means of communication (DMing the sender’s Twitter, for example), ask the sender if the file they sent over Discord was really sent by them;
- plug the message body text into a search engine to see if it’s taken from a script used in scam attacks;
- ensure your antivirus software is running, updated, and fully operational;
- tell your friends to never send you .exe files through Discord;
- never log in to Discord without making sure that the URL is on official Discord websites;
- enable multi-factor/two-factor authentication;
- change your password if it is weak, similar to, or the same as any other passwords you use, especially if it is similar to the e-mail address you use for Discord (the University of Hawaii has some good tips on creating strong, memorable passwords);
- disable your browser’s “save password” feature and switch to a dedicated password manager program, as the methods many browsers use to store your credentials are insecure;
- and close DMs from servers and users you don’t know well.
On Clicking the Links
This is such a frustratingly, frequently mishandled issue that it deserves its own section. I don’t think I can stress it enough when I say do not click on suspicious links or run suspicious programs, even if you’re just trying to check if they’re the real deal! It does not matter if you open them in a private tab – your browser still accesses the page and alerts the scammers that their trick made it far enough for someone to click. It does not matter if you open them in a virtual machine or sandbox environment – programs can still overclock your hardware to dangerous extremes with permanent consequences. It does not matter how vigilant you think you may be when you open or run questionable files and links – by accessing and running dodgy files from potentially malicious sources, you invite the possibility of a “zombified” or bricked PC, exposed private information, and even damaged hardware from overexertion. There are safer ways to determine if messages are illegitimate that do not involve inviting permanent damage to your computer.
Remedial Actions
If you or someone you know has recently had an account compromised by these scams, send an e-mail to Discord Support ASAP and inform all your friends that the account has been stolen. Check to see if any of your 2FA backup codes work (search your computer for “discord_
Staying Updated
This page is the result of many people working on dismantling files and researching individual reports, and while I enjoy the idea of staying on the cutting edge of information, I’m just one guy with limited time. If you found this article particularly useful, please consider tipping me via Ko-Fi. You may also e-mail me or Direct Message me on Twitter to report any updates or additional information on these events, should something new arise. I try to make my best-faith effort to keep information up-to-date and accurate and gladly welcome anything to improve this.
If you want to share this article, you may do so using the permanent link and may distribute a short passage taken verbaitim to describe this page.