fbpx
Frame-14

Privacy Ninja

        • DATA PROTECTION

        • CYBERSECURITY

        • Penetration Testing

          Secure your network against various threat points. VA starts at only S$1,000, while VAPT starts at S$4,000. With Price Beat Guarantee!

        • API Penetration Testing
        • Enhance your digital security posture with our approach that identifies and addresses vulnerabilities within your API framework, ensuring robust protection against cyber threats targeting your digital interfaces.

        • On-Prem & Cloud Network Penetration Testing
        • Boost your network’s resilience with our assessment that uncovers security gaps, so you can strengthen your defences against sophisticated cyber threats targeting your network

        • Web Penetration Testing
        • Fortify your web presence with our specialised web app penetration testing service, designed to uncover and address vulnerabilities, ensuring your website stands resilient against online threats

        • Mobile Penetration Testing
        • Strengthen your mobile ecosystem’s resilience with our in-depth penetration testing service. From applications to underlying systems, we meticulously probe for vulnerabilities

        • Cyber Hygiene Training
        • Empower your team with essential cybersecurity knowledge, covering the latest vulnerabilities, best practices, and proactive defence strategies

        • Thick Client Penetration Testing
        • Elevate your application’s security with our thorough thick client penetration testing service. From standalone desktop applications to complex client-server systems, we meticulously probe for vulnerabilities to fortify your software against potential cyber threats.

        • Source Code Review
        • Ensure the integrity and security of your codebase with our comprehensive service, meticulously analysing code quality, identifying vulnerabilities, and optimising performance for various types of applications, scripts, plugins, and more

        • Email Spoofing Prevention
        • Check if your organisation’s email is vulnerable to hackers and put a stop to it. Receive your free test today!

        • Email Phishing Excercise
        • Strengthen your defense against email threats via simulated attacks that test and educate your team on spotting malicious emails, reducing breach risks and boosting security.

        • Cyber Essentials Bundle
        • Equip your organisation with essential cyber protection through our packages, featuring quarterly breached accounts monitoring, email phishing campaigns, cyber hygiene training, and more. LAUNCHING SOON.

Malicious NPM Project Steals Discord Accounts, Browser Info

Malicious NPM Project Steals Discord Accounts, Browser Info

A heavily obfuscated and malicious NPM project is used to steal Discord user tokens and browser information from unsuspecting users.

NPM is a JavaScript package manager that allows developers to download and integrate different JS modules from a public registry containing over one million packages.

NPM is an open system where anyone can submit modules for other developers to use. 

Due to this open system, it is becoming common for malicious actors to upload malicious modules that steal data, download and execute programs, or perform malicious behavior when used in other projects.

Malicious NPM steal browser data, Discord tokens

On August 25th, 2020, NPM removed a malicious package called “fallguys” designed to steal Discord tokens and browser information from Google Chrome, Brave Browser, Opera, and Yandex Browser.

Today, open-source security firm Sonatype discovered another malicious module that steals browser information and Discord tokens called ‘discord.dll’ that is believed to be a successor to the fallguys module.

Sonatype researcher Ax Sharma told BleepingComputer that it is common for malicious NPM projects to utilize names similar to legitimate projects to trick developers into using them.

Also Read: How To Prevent WhatsApp Hack: 7 Best Practices

“Typosquatting and brandjacking packages capitalize on an existing brand’s value and take advantage of an innocent mistake made by a user,” Sharma explained.

Though it is named discord.dll, its package.json file indicates that the module is based on another project called ‘JSTokenGrabber’ that was previously on GitHub.

Discord.dll package.json file

When used in a project, the module will attempt to steal Discord user tokens and browser information from the LevelDB databases in the following folders:

  • %LocalAppData%\Google\Chrome\User Data\Default
  • %LocalAppData%\BraveSoftware\Brave-Browser\User Data\Default
  • %LocalAppData%\Yandex\YandexBrowser\User Data\Default
  • %AppData%\Opera Software\Opera Stable
  • %AppData%\discordptb
  • %AppData%\discordcanary
  • %AppData%\discord

From the filenames used in this package, you can see the different components used to perform the theft of information.

Discord.dll file tree

The information that is collected includes:

  • User tokens from Discord, Discord Public Test Build (PTB), and Discord Canary
  • Victim’s public IP address via https://api.ipify.org/?format=json
  • PC username and Discord username
  • Browser information from the LevelDB databases

When done collecting a user’s information, it will be sent via a Discord webhook to a Discord channel under the attacker’s control.

In addition to the discord.dll package, Sonatype also discovered three other suspicious packages from the same author named ‘discord.app,’  ‘wsbd.js,’ and ‘ac-addon’.

Also Read: 15 Best Tools For Your Windows 10 Privacy Settings Setup

When launched, these packages will automatically start executables named ‘bd.exe’, ‘dropper.exe,’ and ‘lib.exe.’

For example, Sonatype states that discord.app will launch the dropper.exe program when it started.

 “require('child_process').exec('dropper.exe');”

Unfortunately, these programs have not been found, so it unknown what behavior they perform.

The discord.dll project has been available on NPM for five months and has been downloaded one hundred times.

Full disclosure: Ax Sharma contributes articles to BleepingComputer.

0 Comments

KEEP IN TOUCH

Subscribe to our mailing list to get free tips on Data Protection and Data Privacy updates weekly!

Personal Data Protection

REPORTING DATA BREACH TO PDPC?

We have assisted numerous companies to prepare proper and accurate reports to PDPC to minimise financial penalties.
×

Hello!

Click one of our contacts below to chat on WhatsApp

× Chat with us