Hackers have updated the AnarchyGrabber trojan to a new version which is capable of stealing passwords and user tokens, disabling 2FA and spreading malware
This is the second update the trojan has received this year as it was also updated back in April to modify Discord client files in order to evade detection by antivirus software and steal user accounts every time someone logs into the popular chat service.
Hackers have now released a modified version of the AnarchyGrabber trojan with updated and more powerful features.
AnarchyGrabber3 is a new variant of the popular malware which can steal a victim’s plain text passwords and even command an infected client to spread malware to a victim’s Discord friends. Since the attackers are now stealing plain text passwords, they can also use them in credential stuffing attacks in order to compromise a victim’s other online accounts as well.
When a victim logs in, the modified Discord client will try to disable 2FA on their account. The client then uses a Discord webhook to send the user’s email address, login name, user token, plain text password and IP address to a Discord channel controlled by the attacker. The modified client will also listen for commands sent by the attacker once the victim is logged in. One of these commands can even be used to send a message to all of the victim’s friends that contains malware the attackers want to spread.
This trojan is particularly dangerous because it makes it hard for average users to know they’re infected as the AnarchyGrabber3 executable does not stay on a user’s system or run again after it has modified the Discord client files.
Thankfully, it is quite easy to see if your system has been infected with AnarchyGrabber3.
Simply open Discord’s index.js file in %AppData%\Discord[version]\modules\discord_desktop_core with Notepad and look for a single line of code that looks like this: “module.exports = require(‘./core.asar’)”. If your client contains no other code, then it likely hasn’t been infected with the trojan.