This fake Discord software could infect your PC

MalwareHunterTeam has discovered a new variant of the AnarchyGrabber malware that modifies Discord client files to avoid detection and steals user accounts every time someone connects to the popular chat service. The malware is distributed on hacking forums and through YouTube videos; once executed, it lets cybercriminals steal the user token of the currently logged-in Discord user. These tokens are uploaded to a Discord channel under the attacker's control, where they can be harvested and used to log in as the victims. The original version of AnarchyGrabber is an executable that security software detects easily, and it can only steal tokens while it is running. The newer version, however, has been modified to avoid detection and to establish persistence on the user's machine.

AnarchyGrabber2

To make malware detection by antivirus software and persistence more difficult, a hacker updated AnarchyGrabber to modify the JavaScript files used by the Discord client to inject its code on every run. The new version of the malware was dubbed AnarchyGrabber2, and once executed, it will modify Discord's index.js file to inject JavaScript created by its developer. New malware changes allow it to execute additional malicious JavaScript files every time a user opens Discord. Once a user where AnarchyGrabber2 is running on their system connects to Discord, the scripts use a webhook to post the victim's user token to the attacker's Discord channel with the message "Presented by The Token Grabber of anarchy." Unfortunately, even if the original malware executable is removed, the client files will already be changed. Security software has trouble detecting these client changes, allowing the code to remain on a user's machine without them knowing their accounts are being stolen. Until Discord decides to add client integrity to its software, Discord accounts will continue to be threatened by AnarchyGrabber2 and other malware that modifies client files. Via BleepingComputer
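The article notes that the missing piece is client integrity checking: the injected code survives removal of the dropper because nothing verifies that the client's JavaScript files are unchanged. The following added example (not code from the article, from Discord, or from BleepingComputer) shows the basic shape of such a check: record a SHA-256 manifest of a known-good client directory, then re-verify it and report modified, added, and missing files. The directory layout, the `index.js` contents, and the simulated tampering in `demo()` are all constructed for the example and are not claims about the real Discord client.

```python
import hashlib
import os
import tempfile


def sha256_file(path):
    """Return the hex SHA-256 digest of a file, read in chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Map every file under root (relative POSIX path) to its SHA-256 digest."""
    manifest = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = sha256_file(full)
    return manifest


def verify_client(root, baseline):
    """Compare the current tree against a baseline manifest.

    Returns sorted lists of files whose hash changed, files that were not in
    the baseline (an injected script), and files that disappeared.
    """
    current = build_manifest(root)
    return {
        "modified": sorted(p for p in baseline if p in current and current[p] != baseline[p]),
        "added": sorted(p for p in current if p not in baseline),
        "missing": sorted(p for p in baseline if p not in current),
    }


def demo():
    """Build a constructed client tree, baseline it, tamper with it, re-verify.

    Returns (clean_report, tampered_report). The paths and file contents are
    constructed stand-ins, not the real Discord client.
    """
    with tempfile.TemporaryDirectory() as root:
        core = os.path.join(root, "modules", "discord_desktop_core")
        os.makedirs(core)
        index = os.path.join(core, "index.js")
        with open(index, "w") as f:
            f.write("module.exports = require('./core.asar');\n")  # constructed content

        baseline = build_manifest(root)          # taken from a trusted install
        clean = verify_client(root, baseline)    # expect nothing reported

        # Simulate the kind of change the article describes: an extra require
        # appended to index.js plus a new script file alongside it.
        with open(index, "a") as f:
            f.write("require('./extra.js');\n")  # constructed placeholder line
        with open(os.path.join(core, "extra.js"), "w") as f:
            f.write("// constructed placeholder for an injected script\n")

        tampered = verify_client(root, baseline)
        return clean, tampered


if __name__ == "__main__":
    clean, tampered = demo()
    print("clean install:", clean)
    print("after tampering:", tampered)
```

In practice the baseline manifest would be produced from a freshly installed client and stored somewhere the user-writable client directory cannot reach; a manifest kept next to the files it protects can be rewritten by the same malware that edits `index.js`.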