Security researchers find a new malware called “NitroHack” that modifies the Discord client for Windows into an information-stealing trojan
The cat and mouse between the malware authors and the security researchers goes on without a break. As soon as the researchers find a new strain of malware, the hackers and cybercriminals immediately turn to their next target. And in this case, it is Microsoft’s own Discord Client for Windows that they targeted to insert a new malware called NitroHack.
While the NitroHack malware is not so sophisticated as such. It just steals information from the user as trojans are supposed to do. But the way NitroHack operates is a different game altogether. The researchers at MalwareHunterTeam found that the NitroHack modifies the Discord client for Windows itself into an information stealing trojan.
The researchers observed malicious actors abusing DM’s from infected Discord users as a distribution vector. A little digging by the team revealed that cybercriminals used these accounts as a social engineering bait by informing the victim’s friends that they could obtain free access to the premium Discord Nitro service by downloading a file. Once, the victim’s friends caught the bait, the users infected themselves with the NitroHack malware.
Once executed, the NitroHack malware wrote a new code to the Discord client for Windows “%AppData%\\Discord\0.0.306\modules\discord_voice\index.js” file as well as attempted to change the same file in both the Discord Canary and Discord Public Test Build clients.
A report on the Bleeping Computer explained how NitroHack worked. The report says that the malware acted in this matter to establish persistence and to steal a user’s account tokens:
To steal these tokens, NitroHack will copy browser databases for Chrome, Discord, Opera, Brave, Yandex Browser, Vivaldi, and Chromium and scan them for Discord tokens. When done, the list of found tokens will be posted to a Discord channel under the attacker’s control.
Once it established itself, NitroHack then proceeds to connect to the “https://discordap[.]com/api/v6/users/@me/billing/payment-source” URL.” It is for this end result that NitroHack authors have worked so conceitedly to conceal it in with Discord client. Once it has access to the payment source URL, it can then steal the web client users’ payment card information and send it back to the malware author/maker’s command and control server.