Discord Anarchy3 Malware

A newly updated piece of malware can steal your Discord password and even disable 2FA. Read this post for more information.

There is a new version of AnarchyGrabber which steals users' passwords and tokens, disables 2FA, and can spread to other users on the Discord platform (if they install it). This post explains how you can find out if you are infected.

AnarchyGrabber is a popular trojan that is commonly spread for free on hacker forums and within YouTube videos that explain how to steal Discord user tokens.

Attackers then distribute the trojan on Discord, where they pretend it’s a game cheat, hacking tool, or copyrighted software.

Once the program is installed, it maliciously changes the Discord client's JavaScript files, turning the client into malware that steals the user's token. Once the attacker has the user's token, they are able to log into the account.

AnarchyGrabber was updated a few weeks ago to a new version, AnarchyGrabber3. This version contains new features that can pose a great threat to users.

An attacker can also steal a victim’s plain text password and send the malicious program to a victim’s friends.

How does it work?

When installed, AnarchyGrabber3 will modify the Discord client’s %AppData%\Discord\[version]\modules\discord_desktop_core\index.js file to load other JavaScript files added by the malware.

The malicious scripts will then log the user out of the Discord client and prompt them to log in.

Once a victim logs in, the edited Discord client will try to disable 2FA on the account. The client then uses a Discord webhook to send the user’s email address, login name, user token, plain text password, and IP address to a Discord channel which the attacker has access to.

When connected to Discord, the modified client will also listen for commands sent by the attacker. One of these commands tells hacked Discord clients to send a message containing the malware the attacker wishes to spread to all of the logged-in account’s friends.

The worst thing about this malware is that most people won’t even know they are infected until it is too late.

After the AnarchyGrabber3 file is run and modifies the Discord client files, it will never run again.

This means that there is no malicious process for your antivirus software to detect, and the infected user will continue to be part of the botnet whenever they connect to Discord.

How do I check to see if I am infected?

Luckily, there is an easy way to check whether your Discord client is infected.

Just open the main JavaScript file, which is located at %AppData%\Discord\[version]\modules\discord_desktop_core\index.js, with Notepad and make sure there are no modifications to the file.

A normal, unmodified file will have only the following in it:

module.exports = require('./core.asar');

If there is anything else in this file, then your Discord client is infected. The only way to remove the malware is to uninstall Discord and reinstall it.
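The Notepad check above can be automated so that every installed client version is covered. The following Python script is an added example, not part of the original post: it compares each index.js under %AppData%\Discord with the single line quoted above. Ignoring blank lines, line-ending differences and a byte-order mark is an assumption of this example, as are the function names.

```python
import os
from pathlib import Path

# The single line the post gives as the content of an unmodified index.js.
EXPECTED = "module.exports = require('./core.asar');"


def check_index_js(path):
    """Return (is_clean, extra_lines) for one index.js file."""
    text = Path(path).read_text(encoding="utf-8", errors="replace")
    # Assumption: a BOM, CRLF/LF differences and blank lines are harmless.
    lines = [ln.strip() for ln in text.lstrip("\ufeff").splitlines() if ln.strip()]
    extra = [ln for ln in lines if ln != EXPECTED]
    # Clean only if the file is exactly the expected line and nothing else.
    return (lines == [EXPECTED], extra)


def scan_discord(appdata=None):
    """Check every client version found under <appdata>/Discord."""
    appdata = Path(appdata or os.environ.get("APPDATA", ""))
    pattern = "Discord/*/modules/discord_desktop_core/index.js"
    results = {}
    for index_js in sorted(appdata.glob(pattern)):
        results[str(index_js)] = check_index_js(index_js)
    return results


if __name__ == "__main__":
    found = scan_discord()
    if not found:
        print("No index.js found under %APPDATA%\\Discord")
    for path, (clean, extra) in found.items():
        print(("OK       " if clean else "MODIFIED ") + path)
        for line in extra:
            # Show what was added so it can be reviewed before reinstalling.
            print("    unexpected: " + line[:120])
```

Any path reported as MODIFIED should be treated as described above: uninstall Discord and reinstall it.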

