Discord Users' Privacy at Risk as Billions of Messages Sold Online

 

In a concerning breach of privacy, an internet-scraping company, Spy.pet, has been exposed for selling private data from millions of Discord users on a clear web website. The company has been gathering data from Discord since November 2023, with reports indicating the sale of four billion public Discord messages from over 14,000 servers, housing a staggering 627,914,396 users.

How Does This Breach Work?

The term "scraped messages" refers to the method of extracting information from a platform, such as Discord, through automated tools that exploit vulnerabilities in bots or unofficial applications. This breach potentially exposes private chats, server discussions, and direct messages, highlighting a major security flaw in Discord's interaction with third-party services.

Potential Risks Involved

Security experts warn that the leaked data could contain personal information, private media files, financial details, and even sensitive company information. Usernames, real names, and connected accounts may be compromised, posing a risk of identity theft or financial fraud. Moreover, if Discord is used for business communication, the exposure of company secrets could have serious implications.

Operations of Spy.pet

Spy.pet operates as a chat-harvesting platform, collecting user data such as aliases, pronouns, connected accounts, and public messages. To access profiles and archives of conversations, users must purchase credits, priced at $0.01 each with a minimum of 500 credits. Notably, the platform only accepts cryptocurrency payments, excluding Coinbase due to a ban. Despite facing a DDoS attack in February 2024, Spy.pet claims minimal damage.

How To Protect Yourself?

Discord is actively investigating Spy.pet and is committed to safeguarding users' privacy. In the meantime, users are advised to review their Discord privacy settings, change passwords, enable two-factor authentication, and refrain from sharing sensitive information in chats. Any suspected account compromises should be reported to Discord immediately.

What Are The Implications?

Many Discord users may not realise the permanence of their messages, assuming them to be ephemeral in the fast-paced environment of public servers. However, Spy.pet's data compilation service raises concerns about the privacy and security of users' conversations. While private messages are currently presumed secure, the sale of billions of public messages underscores the importance of heightened awareness while engaging in online communication.

The discovery of Spy.pet's actions is a clear signal of how vulnerable online platforms can be and underscores the critical need for strong privacy safeguards. It's crucial for Discord users to stay alert and take active measures to safeguard their personal data in response to this breach. As inquiries progress, the wider impact of this privacy violation on internet security and data protection is a substantial concern that cannot be overlooked.


Hackers Breach Steam Discord Accounts, Launch Malware


On Christmas Day, the popular indie strategy game Slay the Spire's fan expansion, Downfall, was compromised, allowing Epsilon information stealer malware to be distributed over the Steam update system.

Developer Michael Mayhem revealed that the corrupted package is not a mod installed through Steam Workshop, but rather the packed standalone modified version of the original game.

Hackers breached Discord

The hackers took over the Discord and Steam accounts of one of the Downfall devs, giving them access to the mod's Steam account.

Once installed on a compromised system, the malware will gather information from Steam and Discord as well as cookies, saved passwords, and credit card numbers from web browsers (Yandex, Microsoft Edge, Mozilla Firefox, Brave, and Vivaldi).

Additionally, it will search for documents with the phrase "password" in the filenames and for additional credentials, such as Telegram and the local Windows login.

It is recommended that users of Downfall change all significant passwords, particularly those associated with accounts that are not secured by two-factor authentication (2FA).

The virus would install itself, according to users who received the malicious update, as UnityLibManager in the /AppData/Roaming folder or as a Windows Boot Manager application in the AppData folder.

About Epsilon Stealer

Epsilon Stealer is a trojan that steals information and sells it to other threat actors using Telegram and Discord. It is frequently used to deceive players on Discord into downloading malware under the pretence of paying to test a new game for problems. 

But once the game is installed, malicious software is also launched, allowing it to operate in the background and harvest credit card numbers, passwords, and authentication cookies from users.

Threat actors could sell the stolen data on dark web markets or utilize it to hack other accounts.

Steam strengthens security

Game developers who deploy updates on Steam's usual release branch now need to submit to SMS-based security checks, according to a statement made by Valve in October.

The decision was made in reaction to the growing number of compromised Steamworks accounts that, beginning in late August, were being used to submit dangerous game builds that would infect players with malware.


Discord's Security Challenge: APTs Enter the Malware Mix

 


APT groups continue to use Discord to spread malware and exfiltrate data. The platform is commonly used by hackers to distribute malware and to steal authentication tokens, and as a result Discord is serving as a breeding ground for malicious activity. 

According to a recent report by Trellix, Discord is now also being used by APT (advanced persistent threat) hackers, who target critical infrastructure through the platform to steal information. 

Even though cybercrime has grown in magnitude and relevance in recent years, Discord has not been able to implement effective measures to deter it, deal with the issue decisively, or at least limit its potential impact. Discord has become a household name in online gaming and digital communication, and the platform is increasingly popular among gamers, friends, and families for chatting, sharing, and collaborating. 

Millions of people worldwide use Discord to communicate with one another. 

Discord Viruses: What Are They?


"Discord virus" is a phrase used to describe a group of malware programs that can be found in the Discord app or are distributed through the Discord platform. Cybercriminals use various tricks to fool Discord users into infecting their devices with a virus, which can have devastating effects on those devices. 

The malware users are most likely to encounter on Discord is a Remote Access Trojan (RAT), one of the most common types of malware. Hackers most commonly spread RATs by sending links that contain malicious code; once they gain administrative rights over a user's device, they can track activity, steal data, and manipulate settings without the user's knowledge. 

Spyware, adware, and other forms of malware can also be found on Discord and may be installed along with the RAT. These can also be used as part of DDoS attacks as a means to spread viruses further into a user's system. 

Trellix researchers have recently discovered a new malware sample targeted specifically at crucial Ukrainian infrastructure, which has put the cybersecurity landscape at a pivotal point. Malicious activity on Discord has changed significantly in the last few months, with Advanced Persistent Threat (APT) groups the latest to turn to the platform. 

There are three ways in which threat actors exploit Discord: they use its content delivery network (CDN) to distribute malware, they modify the Discord client to obtain passwords, and they exploit its webhook mechanism to gain access to the victim's data. Discord's CDN in particular is commonly used to deliver malicious payloads to a victim's PC. 

As these files are sent from the trusted domain 'cdn.discordapp.com', malware operators can avoid detection by anti-virus software. The data from Trellix shows that more than 10,000 malware samples rely on Discord's CDN to load their second-stage payloads on their systems, mostly malware loaders as well as generic loader scripts.

Payloads fetched through Discord's CDN include RedLine stealer, Vidar, AgentTesla, and zgRAT, along with several others. Discord's Content Delivery Network (CDN) is a popular way for users to upload files that can later be downloaded, and there is nothing complicated about this attack. 

The perpetrator creates a Discord account so that they can upload a malicious file, which is then shared discreetly through a private message. The method is quite straightforward: the goal is to make the "second stage" available for download, which only takes a GET request to the file URL that was handed to the user upon uploading the file.  

Identifying malware on Discord


Antivirus software should be able to detect malicious software, including Discord viruses, but users should also keep an eye out for any significant changes to how the system works. For instance, pop-ups could indicate that the device has been infected with adware. Often, changes in system performance can serve as a signal that something is wrong. 

If a user's computer starts crashing more frequently, slows down, or the browser starts misbehaving, they should check their system for viruses. Outgoing traffic is a little harder to notice, but an unexpected increase in data usage or network activity could indicate a malware infection. 

Some types of malware, such as botnets, use the device's resources to carry out tasks like sending spam or carrying out denial-of-service (DoS) attacks. The usage of Discord by APT groups is a recent development, signalling a new and complex dimension of the threat landscape. 

While APTs may employ Discord for exploration or early-stage activities, they may still rely on more secure methods at later stages. However, general malware poses a different challenge. From trojans to ransomware, they have been using Discord’s capabilities for years, extending the range of business threats. 

To ensure the proper detection of these malicious activities and safeguard systems, monitoring and controlling Discord communications has become essential, even to the extent of blocking them if necessary.
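As an added example (not taken from Trellix or from the original post), the code below applies that monitoring to proxy or EDR logs: it flags executable-type attachments fetched from cdn.discordapp.com, CDN fetches by unexpected processes, and webhook posts made by anything other than the Discord client or a browser. The log format, the process allowlist, the extension list, and the sample lines are constructed assumptions.

```python
import posixpath
import re
from urllib.parse import urlsplit

# Constructed sample lines. Assumed format: timestamp host process method url
SAMPLE_LOG = """\
2024-01-10T09:00:01Z ws-014 Discord.exe GET https://cdn.discordapp.com/attachments/111/222/meme.png
2024-01-10T09:02:17Z ws-014 powershell.exe GET https://cdn.discordapp.com/attachments/333/444/update.exe
2024-01-10T09:02:40Z ws-014 update.exe POST https://discord.com/api/webhooks/555/EXAMPLE-TOKEN
2024-01-10T09:05:03Z ws-020 chrome.exe GET https://cdn.discordapp.com/attachments/666/777/notes.txt
2024-01-10T09:06:12Z ws-020 chrome.exe GET https://cdn.discordapp.com/attachments/666/778/setup.msi?ex=abc
2024-01-10T09:07:00Z ws-031 Discord.exe POST https://discord.com/api/v9/channels/1/messages
"""

CDN_HOSTS = {"cdn.discordapp.com"}             # domain named in the article
API_HOSTS = {"discord.com", "discordapp.com"}  # hosts that serve webhook endpoints
WEBHOOK_PATH = re.compile(r"^/api/(v\d+/)?webhooks/")
# Assumption: processes expected to talk to Discord on a workstation.
EXPECTED_CLIENTS = {"discord.exe", "chrome.exe", "msedge.exe", "firefox.exe"}
# Assumption: attachment types that can run code when opened.
RISKY_EXTENSIONS = {".exe", ".dll", ".scr", ".msi", ".bat", ".cmd",
                    ".ps1", ".vbs", ".js", ".jar"}


def classify(process, method, url):
    """Return the list of findings for one request (empty if benign)."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    path = parts.path  # urlsplit keeps the query string out of the path
    expected = process.lower() in EXPECTED_CLIENTS
    findings = []
    if host in CDN_HOSTS and path.startswith("/attachments/"):
        if posixpath.splitext(path)[1].lower() in RISKY_EXTENSIONS:
            findings.append("cdn-executable-download")
        if not expected:
            findings.append("cdn-fetch-by-unexpected-process")
    if host in API_HOSTS and WEBHOOK_PATH.match(path):
        if method.upper() == "POST" and not expected:
            findings.append("webhook-post-by-unexpected-process")
    return findings


def scan(log_text):
    """Parse the log and return (timestamp, host, process, findings) alerts."""
    alerts = []
    for line in log_text.splitlines():
        fields = line.split(None, 4)
        if len(fields) != 5:
            continue  # skip malformed lines instead of guessing at fields
        timestamp, host, process, method, url = fields
        findings = classify(process, method, url)
        if findings:
            alerts.append((timestamp, host, process, findings))
    return alerts


if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG):
        print(alert)
```

The second and third sample lines show the pattern the article describes: a script host pulls a second stage from the CDN, then the dropped binary posts to a webhook.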

Rising Concerns as Discord.io Data Breach Compromises 760,000 Users

 

Although digital companies have multiple data protections in place to safeguard their customers' information, hackers continue to find ways to circumvent them and gain access to sensitive data. 

Data breaches have become more common in recent years, despite an increased focus on cybersecurity. This time the breach is at Discord.io, which is now one of the victims of such attacks. Learn about the types of data that hackers have access to as well as what steps are being taken by the company to protect this data. 

There has been a massive data breach at a popular service that allows people to create custom links for their Discord channels. The service has now announced that it will be shutting down operations for the time being. 

A major breach of Discord.io's database occurred on the night of August 14, and large swaths of user data were stolen as a result. Discord announced the breach on Tuesday. As TechRadar reported in its article about the breach, more than 760,000 members of the company had their information compromised by the breach, though the company did not reveal this number in its update.

Discord.io is a third-party service that allows users to create custom invitations to their Discord channels, which can then be shared by the channel owner with their friends and viewers. It is estimated that over 14,000 users have registered on the service's Discord server, which is where most of the community exists. 

As of yesterday, a person named 'Akhirah' has started offering the Discord.io database for sale on the newly launched Breached hacking forums. A threat actor shared four records from the database as proof that he had stolen data. The new Breached forums are being hailed as the rise of a popular cybercrime forum that used to be a place where people would sell and leak data stolen from compromised databases. 

A member's username, email address, billing address (which only a small number of people) and a salted and hashed password (which only a small number of people) were among the most sensitive data that were compromised in the breach. 

Discord.io has officially confirmed that they were breached via a notice posted to their Discord server and website, and has initiated the process of temporarily shutting down its services as a result. As first reported by StackDiary, Discord.io has confirmed the authenticity of the breach. According to a timeline listed on the website for Discord.io, it was only after seeing the post on the hacking forum that they encountered the information about the data breach. 

Immediately after the leaked data was confirmed to be authentic, they shut down their services and cancelled all memberships that had been paid for. A spokesperson for Discord.io says that the person responsible for the breach has not contacted them and has not provided them with any information regarding how the breach occurred. A spokesperson for Akhirah, the seller of the Discord.io database, told BleepingComputer that he had not been in touch with the Discord.io operators before speaking with them.

It is clear from the revealed information about the users that the attacker was able to gather all types of sensitive information from Discord.io. The leaked data included sensitive user information such as usernames, Discord IDs, email addresses, billing addresses, salted and hashed passwords, and much other sensitive information. Because Discord.io does not store any information about its users, it cannot confirm whether or not any credit card information was compromised in the attack. 

As part of the data breach, the platform acknowledges that certain information about users, including internal user IDs, avatar details, the status of users, coin balances, API keys, registration dates, last payment dates, and membership expiration dates may have been exposed.  

Discord.io has announced that it is suspending operations indefinitely due to this attack. The service will not be available for the next few months while the website is being rebuilt. According to the platform, the website code will be completely rewritten and will implement a completely new security system. 


Pentagon Concludes Review Following Discord Leak, Tightens Controls on Classified Info

 

The Pentagon has completed a comprehensive 45-day assessment of the military's protocols regarding classified information, following a case in which a National Guardsman with a top-secret clearance leaked classified information on Discord that he had no need to access.

The individual involved, Jack Teixeira, held his clearance due to his position as an information technology technician at Otis Air National Guard Base in Massachusetts. However, the fact that he leaked information he did not require prompted Defense Secretary Lloyd Austin to initiate the review. While the review was ordered on April 14, the U.S. Defense Department released its findings and recommendations on Wednesday.

According to investigators from the Defense Department, the vast majority of personnel granted access to classified national security information demonstrate compliance with security policies and understand the criticality of maintaining information security for national security purposes.

"At the same time, the review identified areas where the department should improve its security posture and accountability measures," the Defense Department said in a fact sheet.

The Pentagon said it will "reinforce existing security policies and practices" down to the bottom ranks and update them to reduce "ambiguity" while examining opportunities to tailor training and education to "better address current and evolving security needs," among implementing other recommendations.

"The department is mindful of the need to balance information security with requirement to get the right information to the right people at the right time to enhance our national security," the fact sheet reads.

"As DoD implements the recommendations and associated actions from this review, careful consideration will be given to guard against any 'overcorrection.'"

The Defense Department announced that Secretary Austin has concluded his examination of the findings and subsequently issued instructions to senior military leaders outlining necessary actions to enhance accountability measures in the short and medium term.

In a memorandum, Austin instructed Defense Department leaders to ensure that all personnel are accurately included and accounted for within designated security information technology systems by August 31.

Military leaders who are not part of the intelligence community have been instructed to validate the necessity of their personnel accessing sensitive compartmented information. Furthermore, they must ensure that all individuals with access to such information have a duly completed non-disclosure agreement on file by the end of September.

Austin has directed the Pentagon to establish a centralized tracking system by year-end for sensitive compartmented information facilities and special access program facilities. Additionally, employees working in these facilities must certify their adherence to policies that prohibit the use of personal electronic devices.

Discord Upgraded Their Privacy Policy

 

Discord has updated its privacy policy, effective on March 27, 2023. The company has added the previously deleted clauses back in as well as built-in tools that make it easier for users to interact with voice and video content, such as the ability to record and send brief audio or video clips.

Additionally, it promoted the Midjourney AI art-generating server and alleged that more than 3 million servers on the entire Discord network feature some sort of AI experience. This was done to position AI as something that is already well-liked on the site.

Many critics have brought up the recent removal of two phrases from Discord's privacy policy: "We generally do not store the contents of video or voice calls or channels" and "We also don't store streaming content when you share your screen." Many responses express concern about AI tools being developed off of works of art and data that have been collected without people's permission.

It looks like Discord is paying attention to customer concerns because it amended its post about the new AI tools to make it clear that even while its tools are connected to OpenAI, OpenAI may not utilize Discord user data to train its general models.

The three tools Discord is releasing are an AI AutoMod, an AI-generated Conversation Summaries, and a machine-learning version of its mascot Clyde.

Clyde has been reduced, and according to Discord, he can answer questions and have lengthy conversations with you and your friends. Clyde is connected to OpenAI. Moreover, it may suggest playlists and begin server threads. According to Discord, Clyde may access and utilize emoticons and GIFs like any Discord user while communicating with other users.

To help human server moderators, Discord introduced the non-OpenAI version of AutoMod last year. According to Discord, since its launch, "AutoMod has automatically banned more than 45 million unwanted messages from servers before they even had a chance to be posted," according to server policies.

The OpenAI version of AutoMod will similarly search for messages that break the rules, but it will do so while bearing in mind the context of a conversation. The server's moderator will receive a message from AutoMod if it believes a user has submitted something that violates the rules.

Anjney asserted that the company respects the intellectual property of others and demands that everyone utilizing Discord do the same. The company takes these worries seriously and has a strict copyright and intellectual property policy.



The PoweRAT Malware Attacks PyPI Users

 

The software supply chain security company Phylum has discovered a malicious campaign using the PoweRAT backdoor and an information stealer that targets users of the Python Package Index (PyPI). The campaign was initially discovered on December 22, 2022, when PyroLogin, a malicious Python program made to retrieve code from a remote server and silently execute it, was discovered.

The EasyTimeStamp, Discorder, Discord-dev, Style.py, and PythonStyles packages all had code that was comparable to PyroLogin, and they were all released to PyPI between December 28 and December 31.

The infection chain starts with a setup.py file, which means that the malware is automatically deployed if the malicious packages are installed using Pip. The infection chain involves the execution of numerous scripts and the exploitation of legitimate operating system features.

The execution process was examined by Phylum, who found attempts to avoid static analysis and the usage of obfuscation. While the malicious code is being performed in the background, a message indicating that "dependencies" are being installed is displayed in order to avoid raising the suspicion of the victims.
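Because the chain starts in setup.py, the file can be reviewed statically before pip ever runs it. The following is an added example, not Phylum's tooling or code from the original post: it parses a setup.py with Python's ast module, without executing it, and reports imports, calls, and string markers that have no place in an ordinary install script. The indicator lists and both sample files are constructed assumptions.

```python
import ast

# Assumption: modules and calls a plain packaging script has no reason to use.
SUSPICIOUS_IMPORTS = {"subprocess", "urllib", "requests", "socket", "base64", "ctypes"}
SUSPICIOUS_CALLS = {
    "exec", "eval", "compile", "__import__",
    "os.system", "os.popen",
    "subprocess.Popen", "subprocess.run", "subprocess.call",
    "subprocess.check_output", "urllib.request.urlopen",
}
# Assumption: string markers; PowerShell is the stage the article names.
SUSPICIOUS_STRINGS = ("powershell", "cmd.exe", "http://", "https://")

# Constructed samples. They are only parsed as text, never executed.
BENIGN_SETUP = '''\
from setuptools import setup
setup(name="example-pkg", version="1.0", packages=["example_pkg"])
'''
SUSPECT_SETUP = '''\
import subprocess
from setuptools import setup
print("Installing dependencies...")
subprocess.Popen(["powershell", "-Command", "<placeholder>"])
setup(name="example-pkg", version="1.0")
'''


def dotted_name(node):
    """Turn Name/Attribute chains such as subprocess.Popen into a string."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
        return ".".join(reversed(parts))
    return None


def audit_setup_py(source):
    """Return sorted (line, kind, detail) findings for one setup.py source."""
    try:
        tree = ast.parse(source)
    except SyntaxError as exc:
        # A setup.py that cannot be parsed deserves manual review by itself.
        return [(exc.lineno or 0, "parse-error", "unparseable")]
    findings = []
    for node in ast.walk(tree):
        if isinstance(node, ast.Import):
            for alias in node.names:
                if alias.name.split(".")[0] in SUSPICIOUS_IMPORTS:
                    findings.append((node.lineno, "import", alias.name))
        elif isinstance(node, ast.ImportFrom):
            module = node.module or ""
            if module.split(".")[0] in SUSPICIOUS_IMPORTS:
                findings.append((node.lineno, "import", module))
        elif isinstance(node, ast.Call):
            name = dotted_name(node.func)
            if name in SUSPICIOUS_CALLS:
                findings.append((node.lineno, "call", name))
        elif isinstance(node, ast.Constant) and isinstance(node.value, str):
            lowered = node.value.lower()
            for marker in SUSPICIOUS_STRINGS:
                if marker in lowered:
                    findings.append((node.lineno, "string", marker))
    return sorted(findings)


if __name__ == "__main__":
    for label, src in (("benign", BENIGN_SETUP), ("suspect", SUSPECT_SETUP)):
        print(label, audit_setup_py(src))
```

Obfuscated packages can evade a name-based check like this one, so a clean result means "nothing obvious", not "safe".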

The infection chain also involves the setup of numerous potentially harmful programs, the placement of malicious code into the Windows starting folder for persistence, and libraries that let the attackers manipulate, monitor, and record mouse and keyboard input.

Once the virus is installed on the victim's computer, it gives the attackers access to sensitive data such as browser cookies and passwords, digital currency wallets, Discord tokens, and Telegram data. A ZIP archive containing the collected data is exfiltrated.

Additionally, the malware tries to download and install Cloudflare's command-line tunnel client, which enables attackers to access a Flask app on the victim's machine without changing the firewall.

Using the Flask app as a command-and-control (C&C) client, the attackers can run shell commands, download and execute remote files, and even execute arbitrary Python code in addition to extracting information like usernames, IP addresses, and machine specifics.

The malware, which combines the capabilities of an information stealer and a remote access trojan (RAT), also has a feature that sends an ongoing stream of screenshots of the victim's screen to the attackers, enabling them to cause mouse clicks and button presses. Phylum named the malware PoweRAT instead of Xrat "because of its early reliance on PowerShell in the attack chain."

Phylum concludes, "This thing is like a RAT on steroids. It has all the basic RAT capabilities built into a nice web GUI with a rudimentary remote desktop capability and a stealer to boot! Even if the attacker fails to establish persistence or fails to get the remote desktop utility working, the stealer portion will still ship off whatever it found.” 

Threats of Discord Virus: Ways to Eliminate it

Discord has gained popularity as a tool for creating communities of interest since the launch of its chat and VoIP services, notably among gamers. Discord can be exploited, though, similar to any other platform that contains user-generated material. 

It was discovered in 2021 that hackers carried out a number of malware attacks targeting Discord. Cybercriminals use various techniques to spread more than 20 different varieties that have been found. Due to Discord's broad customizability possibilities, common users are vulnerable to attacks inside and outside the chat server. Recent security analysis on Discord has uncovered a number of cyberattack scenarios connected to its chat service, which can be quite risky for users.

How does the Discord virus infiltrate the system?

'Discord Virus' is the common phrase used to describe malware programs exchanged using the official Discord app. To get Discord users to run malicious software, cybercriminals use a variety of tactics, and a pirated version of Discord Nitro is also frequently offered by attackers. 

The Discord software has a premium edition called Discord Nitro that is packed with more sophisticated capabilities. It is important to understand that the Discord Nitro app cannot be cracked because the premium features are delivered over the servers and not embedded into the app.

The system does display a few typical signs that point to the existence of a Trojan infection:
  • The CPU is abruptly utilized more than normal
  • The system regularly glitches
  • Malicious pop-ups are constantly flooding the browser
  • Windows open without the user initiating them
  • Redirection to suspicious or unreliable websites

How to Update and Fix Discord

1. Operate Discord as an administrator

Running the application with administrative rights may be a simple way to fix the Discord Update Failure problem. This lets the updater make changes to your device, so you can download and run the most recent Discord update.

2. Give the update.exe file a new name

A bug with the application's update.exe file was discovered by Discord's troubleshooters. For the best chance of successfully updating Discord to the most recent version, try renaming this file.

Copy "C:\Users\Username\AppData" without the quotations and paste it into the Run dialog opened with the Windows + R keyboard shortcut. Username should be changed to the username for your local account.

3. Avoid using Windows Defender

The Discord Update occasionally crashes due to conflicts with Windows 10's default antivirus protections. Disabling Windows Defender will allow you to try updating Discord.

4. Disable your antivirus temporarily

Antivirus programs have a reputation for causing problems on computers by obstructing your internet service or preventing services and apps from operating as intended.

Discord can give rise to predatory behaviors like cyberbullying. Additionally, extreme organizations utilize Discord to recruit new members and keep in touch with them. You should take precautions against malicious users on Discord and never give out your personal information to anyone.

While utilizing the service, Discord provides a list of precautions to take in order to avoid spam and hacking. One recommendation is to create secure passwords that are less likely to be hacked. Additionally, individuals can defend themselves by scanning for suspected phishing attempts. 


How LofyGang Is Using Discord In A Massive Credential Stealing Attack

 

Checkmarx researchers have mapped out a complex web of criminal activity that all points back to a threat actor known as LofyGang. This group of cybercriminals provides free hacking tools, Discord-related npm packages, and other services to other nefarious actors and Discord users. These tools, packages, and services, however, come with a hidden cost: the theft of users' accounts and credit card credentials. 

The researchers discovered at least 200 malicious npm packages uploaded to the official npm website by various LofyGang sock puppet accounts. These npm packages look like genuine packages that enable users to interact with the Discord API. LofyGang dupes users into installing malicious packages instead of legitimate ones by uploading multiple versions of its packages with different misspellings of popular packages.

In order to give their malicious packages credibility on the npm website, the group also ties their npm packages to active and reputable GitHub repositories. An unsuspecting user who enters a typo while searching for a legitimate package may come across a listing for one of these malicious packages, fail to notice the misspelling, and install the package.

Unfortunately for those who install malicious npm packages, the packages are designed to steal users' account and credit card information. However, rather than containing malicious code directly, these packages rely on secondary packages that contain malicious code. Because malware is hidden in dependencies, the original malicious packages are less likely to be reported as malicious and removed from the npm website.

If one of the malicious dependencies is reported and removed, the threat actor can simply upload a new malicious dependency and push an update to the user's original npm package, instructing it to rely on this new malicious dependency.
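Since the malicious code sits in dependencies rather than in the package a user types, a look-alike check has to cover the whole resolved tree. The code below is an added example, not Checkmarx's tooling or code from the original post: it walks the "packages" map of a package-lock.json and flags any installed name within one edit or adjacent swap of a reviewed package name. The allowlist and the misspelled names in the sample lockfile are constructed for illustration and are not taken from the LofyGang report.

```python
import json

# Assumption: package names this organisation has reviewed and approved.
KNOWN_GOOD = {"discord.js", "axios", "express", "colors"}

# Constructed lockfile (lockfileVersion 3 layout); "discrod.js" and "axois"
# are made-up misspellings used only as test data.
SAMPLE_LOCK = json.loads("""
{
  "name": "bot",
  "lockfileVersion": 3,
  "packages": {
    "": {"name": "bot", "dependencies": {"discrod.js": "^1.0.0", "express": "^4.18.2"}},
    "node_modules/discrod.js": {"version": "1.0.0", "dependencies": {"axois": "^1.0.0"}},
    "node_modules/discrod.js/node_modules/axois": {"version": "1.0.0"},
    "node_modules/express": {"version": "4.18.2"},
    "node_modules/left-pad": {"version": "1.3.0"}
  }
}
""")


def osa_distance(a, b):
    """Edit distance counting insert, delete, substitute and adjacent swap."""
    prev2 = None
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i] + [0] * len(b)
        for j, cb in enumerate(b, 1):
            cost = 0 if ca == cb else 1
            cur[j] = min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + cost)
            # Adjacent transposition, e.g. "ro" typed for "or".
            if i > 1 and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                cur[j] = min(cur[j], prev2[j - 2] + 1)
        prev2, prev = prev, cur
    return prev[-1]


def lockfile_package_names(lock):
    """Every installed package name, direct or transitive, from the lockfile."""
    names = set()
    for key in lock.get("packages", {}):
        if "node_modules/" in key:
            # Nested keys look like node_modules/a/node_modules/b; keep "b".
            names.add(key.rsplit("node_modules/", 1)[1])
    return names


def find_lookalikes(lock, known_good=KNOWN_GOOD, max_distance=1):
    """Return (installed_name, resembles, distance) for names needing review."""
    hits = []
    for name in sorted(lockfile_package_names(lock)):
        if name in known_good:
            continue
        for good in sorted(known_good):
            distance = osa_distance(name.lower(), good)
            if 0 < distance <= max_distance:
                hits.append((name, good, distance))
                break
    return hits


if __name__ == "__main__":
    for hit in find_lookalikes(SAMPLE_LOCK):
        print(hit)
```

Run it in CI against the committed lockfile, so that a dependency swapped in by a later update is also compared against the allowlist.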

LofyGang distributes malicious hacking tools on GitHub in addition to malicious npm packages. The hacking tools, like the npm packages, are usually Discord-related. These programmes also contain malicious dependencies that steal account and credit card information. LofyGang promotes these tools on a variety of platforms, including YouTube, where the group posts tool tutorials.

The LofyGang's Discord server, which has been operational since October 2021, is another avenue for promoting the group's malicious hacking tools. Users can join this Discord server to get assistance with the tools. The server also includes a Discord bot that can grant users a free Discord Nitro subscription using stolen credit card information. 

However, in order to use the bot, users must provide their Discord account credentials, which LofyGang is likely to add to the growing list of credentials stolen by its malicious packages and tools. At the end of the day, Checkmarx's report shows that anyone using LofyGang's packages, tools, and services, whether they realise it or not, is handing over their account and credit card credentials.

Hackers Make Fake Cthulhu Website to Distribute Malware


Fake Cthulhu website spreads malware 

Threat actors have made a fake 'Cthulhu World' play-to-earn community, including websites, social accounts, a Medium developer site, and Discord groups, to spread the Raccoon Stealer, AsyncRAT, and RedLine password-stealing malware to unsuspecting targets.

As play-to-earn communities have risen in popularity, threat actors and scammers constantly attack these new platforms for suspicious activities. 

The same applies to a new malware distribution campaign found by cybersecurity expert "iamdeadlyz", where hackers made an entire project to advertise a fake play-to-earn game known as Cthulhu World.

Hackers promote the fake project 

To publicize the 'project,' hackers send direct messages to users on Twitter asking if they wish to test their new game. In return for testing and promoting the game, the hackers promise a reward in Ethereum. 

When users visit the cthulhu-world.com site (currently down), they are welcomed with a well-designed website that includes information about the project and an interactive map of the game's environment.

However, it is a fake site copied from the original Alchemic World Project, which has warned its users to stay aware of the fake project. Someone made a fake account for our project, and copied the website, and all social media.

Experts say to "stay away"

"STAY AWAY this account and don't follow them. All their assets were stolen from our project," Tweeted Alchemic World. 

The Cthulhu World website also differs from the original in some ways. For instance, when a user clicks the arrow in the upper right-hand corner of the website, the site brings them to a webpage requesting a "code" to download the "alpha" test of the project.

The hackers then distribute these codes to potential victims as part of their DM conversations on Twitter. The list of access codes can be found in the site's source code.

3 downloaded files contain the malware 

Depending on the code entered, one of three files is downloaded from Dropbox. Each of the three files installs different malware, which allows the threat actor to pick and choose how to attack a particular victim.

The three malware families found through AnyRun installs are Raccoon Stealer, AsyncRAT, and RedLine Stealer.

"As RedLine Stealer and Raccoon Stealer are known to steal cryptocurrency wallets, it is not surprising to find that some victims have already had their wallets cleaned out by this scam," says Bleeping Computer.

 
The Cthulhu World website is currently shut down, but its Discord is up and running. It isn't clear if users on this Discord are aware that the website was sharing malware; however, few users have full faith that it is a genuine project.

How to protect yourself?

If you visited Cthulhu-world.com and installed any of its software, you should immediately remove any items found and run an antivirus scan on the system.

Because these malware infections can steal your cookies, crypto wallets, and saved passwords, you should also reset all passwords and create a new wallet to import all your cryptocurrency into.

The best way to protect yourself is to reinstall your system from scratch, as these malware infections give full access to an infected computer and allow other malware to be installed.


Malicious PyPI Packages Surface, Attack Discord and Roblox


About PyPI Packages

Ten malicious software packages were found in the Python Package Index (PyPI) repository; a week later, many others have surfaced, found by different firms.

It has become a kind of whack-a-mole drill: malicious code is taken down only for more to take its place. In last week's disclosure, Check Point researchers discovered Trojanized packages imitating authentic components that contained droppers for data-stealing malware.

This compelled Kaspersky researchers to investigate the open source repository further, which resulted in finding two more rogue offerings, known as "pyrequests" and "ultrarequests," that masqueraded as one of the most popular packages on PyPI (simply known as "requests").

How did the attack happen?

Check Point says, "PyPI has over 612,240 active users, working on 391,325 projects, with 3,664,724 releases. What many users are not aware is the fact that this one liner simple command can put them at an elevated risk. The pip install command triggers a package installation which can include a setup.py script."

The threat actor used the description of the authentic "requests" package to fool victims into downloading the harmful ones. The description includes faked stats, saying the package was installed more than 230 million times in a month and has more than 48,000 stars on GitHub.

The project description also points to web pages of the legitimate requests package, along with the author's email. All mentions of the original requests package have been replaced with the names of the malicious ones.

Attackers target Discord and Roblox

When installed, the package results in a W4SP Stealer infection, through which the actors can extract Discord tokens, passwords, and saved cookies from browsers in separate threads.

Meanwhile, experts at Snyk earlier this week released findings about around 12 malicious PyPI packages that steal Discord and Roblox users' login credentials and payment details. According to Kyle Suero, Snyk's leading researcher, the malware also tries to steal Google Chrome data or pilfer passwords and bookmarks from Windows systems, pivoting through all the accounts.

"Another interesting thing about this malware is that it is actually using Discord resources to distribute executables. Although this practice is not new, seeing cdn.discord.com tipped off our security researchers. The binaries are pulled down to the host via the Discord CDN," says Snyk.

The malicious packages have been removed from PyPI, but it is not known how many times they were downloaded before that. Code repository attacks keep rising: as per ReversingLabs, attacks on npm and PyPI have collectively spiked from 259 in 2018 to 1,010 in 2021, a 290% increase.

"If we keep ignoring the core problem, that is trusting the code, we can't handle software supply chain security," says Tomislav Peričin, co-founder and chief software architect at ReversingLabs in the report. 






Data Spyware Delivered via Telegram & Discord Bots

Hackers have used these messaging apps in a variety of ways to distribute their own malware, according to Intel 471's research. They have discovered ways to host, distribute, and execute various functions on these platforms, which they mostly exploit in conjunction with data stealers in order to steal credentials or other information from unwary users.

According to a recent study from Intel 471, threat actors are using the multifaceted nature of messaging apps — in particular, their content-creation and program-sharing components — as a basis for information stealing.

Tactics & Techniques

Researchers at Intel 471 have found a number of data stealers that are openly accessible and depend on Telegram or Discord to operate.

Additionally, these hackers conduct similar attacks against the Roblox and Minecraft gaming sites. Discord's content delivery network (CDN) is regularly used to store malware, as per researchers, because the platform doesn't place limitations on file storage.

One Telegram-focused botnet, dubbed X-Files, includes features that are accessed through Telegram's bot commands. Once the malware has been installed on a victim's computer, criminal actors can take credit card information, login credentials, session cookies, and passwords, and send them to a Telegram channel of their choice.

X-Files can import data from several browsers, including Google Chrome, Chromium, Opera, Slimjet, and Vivaldi. Prynt Stealer, another stealer, operates similarly but lacks the built-in Telegram commands.

The following malware families have been seen hosting harmful payloads on Discord's CDN: PrivateLoader, Discoloader, Colibri, Warzone RAT, Modi loader, Raccoon Stealer, Smokeloader, Amadey, Agent Tesla stealer, GuLoader, Autohotkey, and njRAT.

Cautions

The barrier to entry for malicious actors is lowered by automation in well-known chat platforms. A data stealer might be the initial step in a targeted attack against an enterprise, even though on its own it cannot cause as much harm as malware like a data wiper or ransomware.

Although messaging services like Discord and Telegram are not often utilized for corporate activities, their popularity and the surge in remote work have increased the attack surface available to cybercriminals.




Discord Users Targeted by Malicious Npm Packages

 

Kaspersky researchers have unearthed yet another supply chain attack campaign employing multiple malicious npm packages, this time targeting Discord users to steal their payment card information. 

The malware employed in these attacks is a modified version of an open-source and Python-based Volt Stealer token logger and JavaScript malware dubbed Lofy Stealer. 

“The Python malware is a modified version of an open-source token logger called Volt Stealer. It is intended to steal Discord tokens from infected machines and the victim’s IP address and upload them via HTTP,” reads the analysis published by Igor Kuznetsov and Leonid Bezvershenko. 

The malware monitors the victims' actions, such as Discord logins, attempts to change the credentials, multi-factor authentication (MFA) toggles, or the addition of new payment methods to steal Discord accounts and payment information. 

Subsequently, the harvested data is uploaded to the remote endpoint whose address is hardcoded (e.g., life.polarlabs.repl[.]co, sock.polarlabs.repl[.]co, idk.polarlabs.repl[.]co). 

“The JavaScript malware we dubbed ‘Lofy Stealer’ was created to infect Discord client files in order to monitor the victim’s actions,” researchers added. “It detects when a user logs in, changes email or password, enables/disables multi-factor authentication (MFA), and adds new payment methods, including complete bank card details. Collected information is also uploaded to the remote endpoint whose address is hard-coded,” the analysis further read.

Kaspersky states that they are constantly monitoring the updates to repositories to rapidly scan and remove all new malicious packages. 

According to researchers, this is a repetitive process among malicious npm packages, and it's just one of the seemingly endless streams of malware specifically designed to target Discord users in recent years with info stealers. 

For example, in 2019, malware dubbed Spidey Bot was employed to alter the Windows Discord client to backdoor it and deploy an information-stealing trojan. Last year, malicious npm and PyPI libraries were also employed to target Discord users, steal their user tokens and browser information, and deploy MBRLocker data-wiping malware called Monster Ransomware.

Earlier this year, JFrog researchers uncovered multiple malicious packages in the NPM registry particularly targeting several popular media, logistics, and industrial companies based in Germany to carry out supply chain assaults.

Alert! Teen Hackers are Using Discord to Disseminate Malware

 

Avast security researchers found a Discord channel where a group of teenagers is developing, updating, promoting, and selling malware and ransomware outbreaks, allegedly to make pocket money. 

The researchers assume they are all minors since they referenced their parents and instructors frequently and casually used age-specific slurs. Researchers discovered their actions via their Discord chat. The hackers sell malware variants of Snatch, Lunar, and Rift and provide a variety of services ranging from data theft to ransomware and crypto mining. 

However, researchers discovered that the teen hackers mostly provide easy-to-use malware builders and toolkits, allowing users to operate them without real programming by using the "Do it yourself" (DIY) technique.

How does the Group function? 

To become a group member or utilise the malware-as-a-service capability, interested parties must pay a charge. The registration price ranges from €5 to €25. Avast researchers observed in their analysis that about 100 accounts have already enrolled to get access to a hacking group. The malware dissemination method is a little unusual. 

The hackers posted a YouTube video displaying a bogus crack for a popular computer game or commercial software, along with a download link in the description. To establish credibility, additional users of the Discord group leave comments on the video, thanking the originator and confirming that the link works. This method is even more twisted than using bots for commenting since it becomes hard to recognise.

How Should One Handle Teen Hackers? 

This scenario is undoubtedly troubling. As a result, hacking ability among teenagers and minors must be channelled towards beneficial, ethical endeavours for the general benefit of the cybersecurity sector. 

Parents must communicate to their children to understand the motivational elements that drive them to distribute malware. There are several tools accessible on Discord and other platforms to assist anyone interested in pursuing a career in the cybersecurity field. 

The first step, though, is for parents to interact with their children without passing judgement. It is worth emphasising that the organisation distributes unlawful malware without comprehending the gravity of the situation and dismissing it as a prank.

NFTs Worth 200 Ether Were Stolen From the Bored Ape Yacht Club 

 

Yuga Labs' Bored Ape Yacht Club and Otherside Metaverse Discord servers were hacked to publish a phishing scheme, and hackers allegedly took approximately $257,000 in Ethereum and 32 NFTs. A Yuga Labs community manager's Discord account was allegedly hacked on June 4 and used to spread a phishing scam on the firm's Discord servers.

According to Coindesk, the attacker hacked Boris Vagner's Discord account, put many phishing links on the account, its related metaverse account 'Otherside,' and the NFT fantasy football team Spoiled Banana Society's (SPS) Discord account. As of 8.50 a.m., the worldwide crypto market capitalization had increased by 3.43 percent to $1.27 trillion. According to Coinmarketcap data, worldwide crypto volume increased by 18.04 percent to $51.24 billion. 

The phishing communications, which claimed to be from Vagner, advertised an exclusive prize and stated that only BAYC, Mutant Ape Yacht Club, and Otherside NFT holders were eligible. The owners were then directed to a phishing site, where they were asked to enter their login information. After receiving the login credentials, the attackers took all Ethereum and NFTs contained in the account's associated wallet. Yuga Labs finally regained access to the Discord server, but not before significant harm had been done.

The seized NFTs were worth roughly 200 ETH ($361,000) according to BAYC's official Twitter account. The perpetrators made off with 145 Ethereum and 32 NFTs, valued at a total of $250,000.

Approximately 32 NFTs were taken, according to blockchain cybersecurity firm PeckShield, including items from the Bored Ape Yacht Club, Otherdeed, Bored Ape Kennel Club, and Mutant Ape Yacht Club projects.

As per the reports, it is unknown how the forum manager's account was hacked or whether two-factor authentication was turned on, which generally protects against such assaults.

Telegram is Selling the Eternity Malware Kit, Which Offers Malicious Services 

 

Cybercriminals have recently used Telegram to offer malware and other dangerous tools as services. Researchers have discovered a deadly new malware subscription plan which can be used to facilitate a wide range of attacks. 

The "Eternity Project," a modular malware kit, has capabilities that allow buyers to steal passwords and credit card information, launch ransomware attacks and infiltrate victims with cryptomining software. Each component of the malware toolkit, such as an information stealer, a coin miner, a clipper, ransomware software, a worm spreader, and, finally, a DDoS (distributed denial of service) bot, can be purchased separately. 

The creators share the latest update, usage instructions, and debate feature proposals on a private Telegram channel with over 500 members. Buyers can apparently use the Telegram Bot to assemble the binary automatically after choosing its desired feature set and paying the equivalent amount in cryptocurrency. The malware module is the most premium at $490 per year. The info-stealer, which costs $260 per year, steals passwords, credit cards, bookmarks, tokens, cookies, and autofill data from over twenty different web browsers. 

The malware's versatility is also highlighted through a deep-dive investigation of the infostealer module. Researchers claim that this single tool may gather data from a wide range of apps, including web browsers and cryptocurrency wallets, as well as VPN clients, messaging apps, and more. 

The miner module is $90 a year and includes features such as task manager invisibility, auto-restart once killed, and startup launch persistence. The clipper is a $110 application that scans the clipboard for cryptocurrency wallet credentials and replaces them with wallets controlled by the malware's operator. The Eternity Worm is available for $390 from the developer, and it can propagate itself using USB drives, LAN shares, local files, cloud drives, Python projects, Discord accounts, and Telegram accounts.

The authors say it's FUD (completely undetectable), a claim supported by VirusTotal data showing zero detections for the strain. Surprisingly, the ransomware module provides an option of setting a timer that, when reached, renders the files entirely unrecoverable. This adds to the victim's pressure to pay the ransom as soon as possible.

Despite the wide range of hazards posed by Eternity Project malware, Cyble says there are a few precautions consumers can take. Maintaining regular data backups, keeping software up to date, and avoiding untrustworthy websites and email attachments are recommended best practices.

OpenSea Warns of Discord Channel Hack

 

The nonfungible token (NFT) marketplace OpenSea had a server breach on its primary Discord channel, with hackers posting phoney "Youtube partnership" announcements. A screenshot shared on Friday reveals a phishing site linked to fraudulent collaboration news. 

The marketplace's Discord server was hacked Friday morning, according to OpenSea Support's official Twitter account, which urged users not to click links in the channel. OpenSea has "partnered with YouTube to bring their community into the NFT Space," according to the hacker's original post on the announcements channel. 

It also stated that they will collaborate with OpenSea to create a mint pass that would allow holders to mint their project for free. The attacker appeared to have been able to stay on the server for a long time before OpenSea staff was able to recover control. The hacker posted follow-ups to the initial, totally bogus statement, reiterating the phoney link and saying that 70% of the supply had already been minted, in an attempt to generate "fear of missing out" in the victims.

The scammer also tried to persuade OpenSea users by claiming that anyone who claimed the NFTs would receive "insane utilities" from YouTube. They state that this offer is one-of-a-kind and that there would be no other rounds to engage in, which is typical of scammers. As of this writing, on-chain data indicates that 13 wallets have been infiltrated, with the most valued stolen NFT being a Founders' Pass worth about 3.33 ETH ($8,982.58). 

According to initial reports, the hacker used webhooks to get access to server controls. A webhook is a server plugin that lets other software get real-time data. Hackers are increasingly using webhooks as an attack vector since they allow them to send messages from official server accounts. The OpenSea Discord server isn't the only one that uses webhooks. 

In early April, a similar flaw enabled the hacker to utilise official server identities to post phishing links on several popular NFT collections' channels, including Bored Ape Yacht Club, Doodles, and KaijuKings.

Bored Ape & Other Major NFT Project Discords Hacked by Fraudsters

 

The Discords of several prominent NFT projects were hacked last week as part of a phishing scheme to mislead members into handing over their digital jpegs.

In tweets, the Bored Ape Yacht Club, Nyoki, and Shamanz all confirmed Discord hacks. The Discords of NFT projects Doodles and Kaiju Kingz were also attacked, according to screenshots released by independent blockchain investigator Zachxbt. Doodles and Kaiju Kingz both confirmed that they had been hacked on their Discords. 

“Oh no, our dogs are mutating,” read one of the phishing posts posted in the BAYC Discord by a compromised bot viewed by Motherboard.

“MAKC can be staked for our $APE token. Holders of MAYC + BAYC will be able to claim exclusive rewards just by simply minting and holding our mutant dogs.” 

The hack's purpose was to get users to click a link to "mint" a phoney NFT by submitting ETH and, in some cases, an NFT to wrap into a token. 

“STAY SAFE. Do not mint anything from any Discord right now. A webhook in our Discord was briefly compromised,” the official BAYC Twitter account said early Friday morning. 

“We caught it immediately but please know: we are not doing any April Fools stealth mints / airdrops etc. Other Discords are also being attacked right now.” 

"Along with blue-chip projects like BAYC, and Doodles, our server was also compromised today due to a recent large-scale hack," the Nyoki’s tweet said. 

On blockchain explorer Etherscan, two wallet addresses have been linked to the hacks and are now dubbed Fake Phishing5519 and Fake Phishing5520. The 5519 wallet, which sent 19.85 ETH to the 5520 wallet, stole at least one Mutant Ape Yacht Club NFT (a BAYC offshoot by developer Yuga Labs) and soon sold it. Early Friday morning, this second wallet sent 61 ETH ($211,000) to the mixing service Tornado Cash. The wallet's most recent transaction is a transfer of .6 ETH to an inactive wallet, which subsequently sent the same amount to an extremely active wallet with 1,447 ETH ($5 million), 6 million Tether coins ($6 million), and a variety of other tokens.

This is not the first or last attack on crypto assets on Discord, which, while being a gaming-focused network, serves as a crucial centre for the great majority of projects. Crypto projects already have to deal with hacks that take advantage of smart contract flaws, but the fact that so many of them are also on Discord subjects them to frauds that exploit the power of the platform itself. 

Several high-profile accounts have already fallen prey to schemes that hacked bots responsible for channel-wide announcements and pushed websites in order to steal ETH, NFTs, or wallets.

11 Malicious Python Packages Uncovered by Researchers

 

Researchers have found 11 malicious Python packages, installed more than 41,000 times from the Python Package Index (PyPI) repository, that might be used to obtain Discord access tokens and passwords, and even to stage dependency confusion attacks.

These Python packages have now been withdrawn from the repository as a result of JFrog's responsible disclosure:
  • importantpackage / important-package 
  • pptest 
  • ipboards 
  • owlmoon 
  • DiscordSafety 
  • trrfab 
  • 10Cent10 / 10Cent11 
  • yandex-yt 
  • yiffparty 

Two of the packages ("importantpackage," "10Cent10," and their variants) were discovered to open a reverse shell on the compromised system, granting the attacker total control over it. Using a technique known as dependency confusion or namespace confusion, two additional packages, "ipboards" and "trrfab," masqueraded as valid dependencies intended to be imported automatically.

Unlike typosquatting attacks, in which a threat actor purposefully publishes packages with misspelled names of popular variants, dependency confusion works by publishing poisoned components to public repositories under the same names as valid internal private packages, but with a higher version number, effectively forcing the target's package manager to download and install the nefarious module.
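The version race described above can be modelled offline. The following is an added example, not code from JFrog or from the affected packages: it models a resolver that pools a private and a public index with equal priority (as pip does with `--extra-index-url`) and audits internal names for exposure. All package names, versions and index contents are constructed, and preferring the private index on an exact version tie is a modelling assumption.

```python
import re

# Constructed sample indexes: package name -> published versions.
PRIVATE = {"acme-billing": ["1.4.2"], "acme_utils": ["2.0.0"], "acme-auth": ["3.1"]}
PUBLIC = {"requests": ["2.28.1"], "acme-billing": ["99.0.0"], "acme.utils": ["1.0"]}


def parse_version(v):
    """Parse a plain dotted release ('1.4.2') into a comparable tuple."""
    if not re.fullmatch(r"\d+(\.\d+)*", v):
        raise ValueError(f"unsupported version string: {v!r}")
    parts = [int(p) for p in v.split(".")]
    while len(parts) > 1 and parts[-1] == 0:  # 1.0 and 1.0.0 compare equal
        parts.pop()
    return tuple(parts)


def normalize(name):
    """PEP 503 normalisation: runs of '-', '_' and '.' are equivalent."""
    return re.sub(r"[-_.]+", "-", name).lower()


def index_lookup(index, name):
    """All versions an index offers for a name, after normalisation."""
    wanted = normalize(name)
    return [v for n, vs in index.items() if normalize(n) == wanted for v in vs]


def resolve_merged(name, private, public):
    """Pool candidates from both indexes; the highest version wins,
    whichever index it came from. Returns (version, source) or None."""
    pool = [(parse_version(v), v, "private") for v in index_lookup(private, name)]
    pool += [(parse_version(v), v, "public") for v in index_lookup(public, name)]
    if not pool:
        return None
    # Assumption: on an exact tie, the private copy is preferred.
    _, version, source = max(pool, key=lambda c: (c[0], c[2] == "private"))
    return version, source


def audit(internal_names, private, public):
    """Classify each internal package name by its public exposure."""
    findings = {}
    for name in internal_names:
        pub = [parse_version(v) for v in index_lookup(public, name)]
        priv = [parse_version(v) for v in index_lookup(private, name)]
        if not pub:
            findings[name] = "unclaimed"   # name could still be registered publicly
        elif not priv or max(pub) > max(priv):
            findings[name] = "shadowed"    # public copy wins a merged resolve
        else:
            findings[name] = "collision"   # public copy exists, currently loses
    return findings


if __name__ == "__main__":
    for pkg in PRIVATE:
        print(pkg, resolve_merged(pkg, PRIVATE, PUBLIC))
    print(audit(list(PRIVATE), PRIVATE, PUBLIC))
```

A "shadowed" or "collision" result means the internal name should be resolved from the private index only, or pinned by hash, rather than left to a version comparison across indexes.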

The dependency "importantpackage" is particularly notable for its new technique for evading network-based detection, which involves exploiting Fastly's content delivery network (CDN) to disguise connections with the attacker-controlled server as interactions with pypi[.]org.

The malicious code "causes an HTTPS request to be sent to pypi.python[.]org (which is indistinguishable from a legitimate request to PyPI), which later gets rerouted by the CDN as an HTTP request to the [command-and-control] server," JFrog researchers Andrey Polkovnychenko and Shachar Menashe noted. 

Finally, both "ipboards" and a fifth package known as "pptest" were revealed to use DNS tunneling as a data exfiltration technique, relying on DNS requests as a means of communication between the victim PC and the remote server. According to JFrog, this is the first time the approach has been discovered in malware posted to PyPI.

Targeting prominent code registries such as Node Package Manager (NPM) JavaScript registry, PyPI, and RubyGems has become routine, opening up a new arena for a variety of assaults. 

"Package managers are a growing and powerful vector for the unintentional installation of malicious code, and […] attackers are getting more sophisticated in their approach," said Menashe, JFrog's senior director of research. "The advanced evasion techniques used in these malware packages, such as novel exfiltration or even DNS tunneling signal a disturbing trend that attackers are becoming stealthier in their attacks on open-source software."

Threat Actors Abuse Discord to Push Malware

 

Cybercriminals are using Discord, a popular VoIP, instant chat, and digital distribution network used by 140 million users in 2021, to disseminate malware files. 

Discord servers can be organised into topic-based channels where users can share text or audio files. Within the text-based channels, they can attach any form of material, including photos, document files, and executables. These files are maintained on the Content Delivery Network (CDN) servers of Discord. 

However, many files transferred over the Discord network are malicious, indicating that actors are abusing the site's self-hosted CDN by forming channels with the sole aim of distributing these harmful files. Although Discord was designed for the gaming community initially, many corporations are now adopting it for office communication. Many businesses may be permitting this unwanted traffic onto their network as a result of these malicious code files placed on Discord's CDN. 

Exploiting Discord channels 

RiskIQ researchers looked deeper into how Discord CDN utilises a Discord domain through links that use [hxxps://cdn.discordapp[.]com/attachments/{ChannelID}/{AttachmentID}/{filename}] as the format to discover malware. 

According to the researchers, they spotted links and queried Discord channel IDs used in these links, enabling them to identify domains comprising web pages that connect to a Discord CDN link with a certain channel ID. 

“For example, the RiskIQ platform can query the channel IDs associated with zoom[-]download[.]ml,” researchers explained. “This domain attempts to spoof users into downloading a Zoom plug-in for Microsoft Outlook and instead delivers the Dcstl password stealer hosted on Discord’s CDN.” 

In another case, RiskIQ determined that the channel ID for a URL containing a Raccoon password stealer file returned a domain for Taplink, a  site that offers users micro landing pages to send them to their Instagram and other social media accounts. 

According to the researchers, the approach allowed them to discover the day and time Discord channels were launched, connecting those generated within a few days after the first observation of a file in VirusTotal to channels with the sole purpose of disseminating malware. They eventually discovered and cataloged 27 distinct malware types hosted on Discord's CDN. 
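The channel-ID pivot described above can be applied to an organisation's own proxy logs. The following is an added example, not RiskIQ's tooling: it extracts the channel ID from Discord CDN attachment URLs, decodes the channel's creation time, and flags risky file types served from recently created channels. It relies on Discord's documented ID format (snowflakes carry milliseconds since 2015-01-01 UTC in their upper bits), which the article does not spell out; the log lines, IDs and file names are constructed, and the seven-day window and extension list are assumptions.

```python
import os
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

DISCORD_EPOCH_MS = 1420070400000  # 2015-01-01T00:00:00Z, base of snowflake IDs
UNIX_EPOCH = datetime.fromtimestamp(0, tz=timezone.utc)
RISKY_EXT = {".exe", ".dll", ".scr", ".zip", ".rar", ".iso", ".docm", ".xlsm"}
CDN_RE = re.compile(
    r"https://cdn\.discordapp\.com/attachments/"
    r"(?P<channel>\d{15,20})/(?P<attachment>\d{15,20})/(?P<filename>[^\s?#]+)",
    re.IGNORECASE,
)


def snowflake_time(snowflake):
    """Creation time encoded in a Discord ID (bits 22 and up are ms)."""
    ms = (int(snowflake) >> 22) + DISCORD_EPOCH_MS
    return UNIX_EPOCH + timedelta(milliseconds=ms)


def make_snowflake(when):
    """Build an ID for the constructed sample data below (test data only)."""
    return (int(when.timestamp() * 1000) - DISCORD_EPOCH_MS) << 22


def triage(log_lines, max_age=timedelta(days=7)):
    """Flag channels that serve a risky file type and were created within
    max_age of the first time the URL was seen in the logs."""
    by_channel = defaultdict(list)
    for line in log_lines:
        m = CDN_RE.search(line)
        if not m:
            continue
        seen = datetime.strptime(line.split()[0], "%Y-%m-%dT%H:%M:%SZ")
        by_channel[m["channel"]].append((seen.replace(tzinfo=timezone.utc), m["filename"]))
    findings = []
    for channel, hits in sorted(by_channel.items()):
        created = snowflake_time(channel)
        first_seen = min(seen for seen, _ in hits)
        files = sorted({name for _, name in hits})
        risky = [f for f in files if os.path.splitext(f)[1].lower() in RISKY_EXT]
        if risky and abs(first_seen - created) <= max_age:
            findings.append({
                "channel": channel,
                "created": created,
                "first_seen": first_seen,
                "files": risky,
                # The article notes most malicious channels held a single file.
                "single_file": len(files) == 1,
            })
    return findings


# Constructed sample data: one fresh channel, one long-lived channel.
NEW_CHANNEL = make_snowflake(datetime(2021, 9, 1, tzinfo=timezone.utc))
OLD_CHANNEL = make_snowflake(datetime(2019, 3, 1, tzinfo=timezone.utc))
ATTACHMENT = make_snowflake(datetime(2021, 9, 2, tzinfo=timezone.utc))
BASE = "https://cdn.discordapp.com/attachments"
SAMPLE_LOG = [
    f"2021-09-03T10:15:00Z 10.0.0.12 GET {BASE}/{NEW_CHANNEL}/{ATTACHMENT}/plugin_setup.exe",
    f"2021-09-03T11:02:00Z 10.0.0.40 GET {BASE}/{OLD_CHANNEL}/{ATTACHMENT}/team_photo.png",
    f"2021-09-04T08:30:00Z 10.0.0.12 GET {BASE}/{OLD_CHANNEL}/{ATTACHMENT + 1}/mod_pack.zip",
    "2021-09-04T09:00:00Z 10.0.0.7 GET https://example.com/index.html",
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
```

The long-lived channel is not flagged even though it serves a .zip, because its creation date is years before the first sighting; only the channel created two days before its executable was first fetched is reported.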

About the malware 

RiskIQ detected Discord CDN URLs containing .exe, DLL, and different document and compressed files. After checking the hashes on VirusTotal, it found that more than 100 of them were delivering malicious content.

RiskIQ discovered more than eighty files from seventeen malware families; Trojans were the most frequent malware found on Discord's CDN. For most malware found on Discord's CDN, RiskIQ noticed a single file per channel ID.

According to Microsoft's identification of the files and further research, there are a total of 27 distinct malware families, divided into four types: 
• Backdoors, e.g., AsyncRat 
• Password Stealers, e.g., DarkStealer 
• Spyware, e.g., Raccoon Stealer 
• Trojans, e.g., AgentTesla 

The exploitation of Discord's infrastructure throws light on the rising problem of CDN abuse by malicious attackers across the web. Using internet-wide visibility to identify malware in CDN infrastructure is key to limiting the damage these valuable malware delivery techniques might do to a firm.