This STEALER Infects Discord

  • Published 1 Jul 2024
  • I take a look at a technique known as "Discord Injection" where a stealer can be built into discord.
    Official Discord Server - / discord
    Follow me on X - / atericparker
    Disclaimer: The content in this video is for education and entertainment purposes to showcase the dangers of malware & malicious software. I do not encourage any form of illegal hacking, nor do I encourage the usage of game cheats, cracks or hacks.
    (C) Eric Parker 2024
  • Science & Technology

Comments • 175

  • @NickAc
    @NickAc 4 days ago +81

    One funny thing you can do with discord webhooks if they're present, is to _just_ delete them lmao

    • @ENNEN420
      @ENNEN420 4 days ago +8

      Another funny thing you can do with bots is you can kick them from your server! Silly, huh?

    • @NickAc
      @NickAc 4 days ago +4

      @@ENNEN420 yeah that sure is fun and silly, but before you do that, make sure to use that same bot to infiltrate the server, and hopefully report the owner. although I wouldn't trust Discord's T&S team to actually do anything. It's also possible using the webhook URL to see the user who created it lmao

    • @electricz3045
      @electricz3045 4 days ago +2

      That won't work if the attacker set up a custom domain with a PHP backend to do the requests behind the scenes and doesn't forward it if it's a webhook delete request

    • @NickAc
      @NickAc 4 days ago +2

      @@electricz3045 yep, that's true! but if we take a moment to think about the target "audience" for these kinds of things, I feel like you'll be coming across a lot of people who don't bother to even do that. for example, in the Hypixel (a Minecraft server with different games) skyblock (one of their games) community, there's a lot of scams involving utility mods that "supposedly" help the player. a while back I remember browsing across a dozen YouTube videos about said mods (sorted by upload date), and after reversing the code, it was mostly the same 2 jars (so two different grabbers), just with different webhooks

    • @goingcrazy-mg9sf
      @goingcrazy-mg9sf 4 days ago

      @@electricz3045 in most cases skids don't modify code, they're incapable of it

  • @feefre
    @feefre 4 days ago +15

    It terminating itself when detecting tokenprotector is really weird; you would think it would just laugh at it, but actually "helping" it to work by not activating doesn't make any sense

    • @Sypaka
      @Sypaka 4 days ago

      if I read the code correctly, it's the other way around. this malware kills any blacklisted process, the tokenprotector too.

  • @truckerbug
    @truckerbug 4 days ago +8

    "Growtopia? I don't know what that is.. *sounds* like it's marijuana related..."

  • @tryrexman8627
    @tryrexman8627 4 days ago +16

    open-source malware is kind of based

  • @notBeWitchy
    @notBeWitchy 4 days ago +14

    Growtopia is a prolific MMO known for hacking and real world trading. I was involved with the real world trading scene for a while until the ingame inflation made it unbearable. Surprised it tried to password grab it. Bit of a throwback because I haven't heard of it for years.

    • @lg-nathan84
      @lg-nathan84 4 days ago +1

      Also gambling on the game, of course

    • @notBeWitchy
      @notBeWitchy 4 days ago

      @@lg-nathan84 that's tied to the real world trading... basically irl gambling but accessible to the youth! lovely..

    • @Mario-sn5qr
      @Mario-sn5qr 4 days ago

      Lmao yea I was surprised to see it mentioned here. I loved playing it when I was younger but ofc it got ruined

    • @cluelessnova
      @cluelessnova 4 days ago

      My childhood game... 22yo now. Sad to see it dying

    • @notBeWitchy
      @notBeWitchy 4 days ago

      @@cluelessnova Last time I touched it was in the summer of 2020. It was always not a great game, from mediocre content creation somehow garnering hundreds of thousands of subscribers because someone was rich ingame to culture (racism, sexism, homophobia, etc running rampant) to botting wise it was problematic.
      I am glad I distanced myself from it the moment there was extremely rapid inflation (going from 10% inflation in 3 months to 100% inflation in 2 months). In total I got like 4k profit with 20k turnover. Not a bad journey..

  • @jackprower2602
    @jackprower2602 4 days ago +6

    was not expecting to see growtopia mentioned. it was a fairly popular indie mmo that got bought out by ubisoft and run into the ground. even if this stealer is from a while back it's odd to see something specifically check for a game so niche. great video

    • @notBeWitchy
      @notBeWitchy 4 days ago

      definitely a throwback from when i played it back in like 2020

  • @truckerbug
    @truckerbug 4 days ago +8

    at 8:04 at the top of cmd prompt you can see it says "isVM: no" xD

  • @qoombert
    @qoombert 4 days ago +18

    maybe it's called "Blank Grabber" because it puts the data in a folder with an invisible name.

    • @UCILaGtQaYAh3wnkvg4Rxzqg
      @UCILaGtQaYAh3wnkvg4Rxzqg 4 days ago +2

      I'm pretty sure it's supposed to be named after the username of the creator, blank-c

    • @qoombert
      @qoombert 4 days ago

      @@UCILaGtQaYAh3wnkvg4Rxzqg Oh, that makes sense

  • @epicMinemenner
    @epicMinemenner 4 days ago +6

    "The most powerful stealer"
    *It can't even grab Discord tokens correctly.*
    (I know it from one person that I've targeted and took down their stealers)

  • @master-og5kg
    @master-og5kg 4 days ago +13

    You got one info wrong. Blank grabber injects itself into Discord only for capturing discord related data like added payment data, changed password and login token. It does not use discord injection to get persistence on the system and uses, like most stealers, the auto start folder to stay on the system. If you remove the stealer from the auto start folder, the stealer is also gone, and only the discord injection stays, which keeps monitoring discord for passwords, payment info and new tokens.

  • @thatoneglitchpokemon
    @thatoneglitchpokemon 4 days ago +4

    Mama Mia! My Italian countryball collection is at a-risk!

  • @MysLouis
    @MysLouis 4 days ago +7

    stealers are getting more and more popular bc of ppl stupidity

  • @KoDi82
    @KoDi82 4 days ago +13

    thanks for getting rid of the background music again

    • @yonice
      @yonice 4 days ago +3

      man what are you talking about. The background music kinda perfects it. I'm sad he changed to this from his last couple uploads.

    • @atl6s
      @atl6s 4 days ago

      @@yonice got his ass 🤣

  • @OliversTech
    @OliversTech 4 days ago +9

    10:25 there's just a rarreg.key file right there lmao (winrar activator)

    • @Sypaka
      @Sypaka 4 days ago +1

      They even give a free WinRAR key. how nice of them.

  • @yukicuh
    @yukicuh 4 days ago +1

    A question: if you change your Windows user to one of the blacklisted usernames, will that mean the stealer will not proceed?
    for example, my pc name is blahblah123 and one of the blacklisted ones is ralphs-pc
    theoretically, if I change my name to ralphs-pc does that mean the stealer no longer affects me?

    • @EricParker
      @EricParker 4 days ago

      Against this specific sample, yes. The problem is those blacklists are not all that consistent.
      Same idea as cyberscarecrow. Anti analysis isn't all that consistent.

  • @skver
    @skver 4 days ago +8

    "most powerful" :^)

  • @mpkhd
    @mpkhd 4 days ago +8

    I'd love to see a video on setting up a new Windows PC and the best programs to keep it safe. Your expertise would be super helpful, especially for those just starting out with IT and PCs. There aren't many legit videos on that topic, so yeah.

    • @rnts08
      @rnts08 4 days ago

      If you're not on linux already, you've already lost. Windows only belongs in controlled environments such as VMs.

    • @thetrueshadow9227
      @thetrueshadow9227 4 days ago +3

      There is a reason I am not on Linux at least for me there are some games that don't work on Linux and some software that does support Linux entirely for example here is a software that doesn't support Linux that I use wallpaper engine, and a game example is dark and darker these don't work and probably will never maybe dark and darker but I will have to see, and some games detect VM's and whatnot so its impossible to run a VM to play some games that only support windows plus EPIC Games not supported so... I can't make games nor is RPG maker another program I frequently use (sorry for the rant on this)

    • @mpkhd
      @mpkhd 4 days ago +1

      @@thetrueshadow9227 Yeah, compatibility issues ARE a real hassle. Thanks for sharing your experience!

  • @manan67891
    @manan67891 4 days ago +3

    the John's are celebrating right now

  • @dragon.7191
    @dragon.7191 4 days ago +1

    stealer infects discord? yeah they tend to do that

  • @Lexencore
    @Lexencore 4 days ago +2

    The stealer has a new github which is where it is continued btw

  • @obviouslyaxo
    @obviouslyaxo 4 days ago +1

    I like waking up 10 minutes earlier (so I can eat breakfast) the Eric posts. W MORNING

  • @TheGoldenGear
    @TheGoldenGear 3 days ago +3

    Hey Eric, I know this is not at all related to this video, But it would be cool if you could show off how to hide a virtual machine from programs that it is a virtual machine. I am using windows and am trying to run Fortnite on an emulator but EAC prevents the use of virtual machines.

    • @EZX280
      @EZX280 3 days ago +1

      He made a video a little while back on this. For your use case, give up. EAC is kernel level, and spoofing it would be hell (and would 100 % get your account banned)

    • @TheGoldenGear
      @TheGoldenGear 3 days ago

      @@EZX280 Not for my account

    • @TheRailroad99
      @TheRailroad99 7 hours ago

      @@EZX280 look for VFIO.
      If anyone has figured out how to, it's the Linux VFIO community

  • @thetrueshadow9227
    @thetrueshadow9227 4 days ago +8

    Could you make a video on how to protect browser cookies and or session tokens?

    • @slpyOb
      @slpyOb 4 days ago +7

      the true best way to protect yourself is to not download sketchy files and listen to windows defender/smartwall when they warn you 😊

    • @fraze912
      @fraze912 4 days ago +1

      @@slpyOb WD is the easiest AV to bypass, even Malwarebytes is even easier to bypass

    • @thetrueshadow9227
      @thetrueshadow9227 4 days ago

      I use Brave though so it's Chromium based and I like Brave

    • @thetrueshadow9227
      @thetrueshadow9227 4 days ago

      When I got hacked windows never told me anything, and how I got hacked was from remote desktop and UAC bypass by a GitHub (file from git pulling) now has been taken down and I've always scanned files but now since that happened I scan my computer at least 4 times a week even when download from official sites like Microsoft just in case 😁

    • @thequiet8572
      @thequiet8572 4 days ago

      @@thetrueshadow9227 brave sucks. Watch SomeOrdinaryGamers' video on it.

  • @ForLost929q
    @ForLost929q 4 days ago

    Thank you so much for making the video❤

  • @STEALT_BLADE
    @STEALT_BLADE 4 days ago +8

    Eric, on an old CD from an old Czech Click! magazine I found a trojan, if I send it to ya will you review it?

    • @ENNEN420
      @ENNEN420 4 days ago +2

      If he doesn't see this comment, I'd email them asking if they want it

    • @EricParker
      @EricParker 4 days ago

      That could be interesting, you can send via email.
      It's possible that it's a false positive.

    • @STEALT_BLADE
      @STEALT_BLADE 4 days ago

      @@EricParker ESET flags it as a trojan, it even shows the trojan's name but I don't remember it, btw the CD is from 2006

  • @mori0
    @mori0 4 days ago +4

    as far as i know "John-PC" is some kind of Sandbox from i think it was Avast

  • @emily1
    @emily1 18 hours ago

    The good thing about black hats installing VMware protection is they can't hit you if you're using a VM as your main

    • @grisu1934
      @grisu1934 8 hours ago

      Or make your main install look like a vm

  • @Souverx_
    @Souverx_ 3 days ago +1

    i wanna know what software you use to check the internet stuff that happens, if you even use one, of course

    • @ysfchn
      @ysfchn 3 days ago +1

      The software that is shown in the video is the web interface of "mitmproxy" software.

    • @plogiii
      @plogiii 3 days ago

      And wireshark

    • @Souverx_
      @Souverx_ 3 days ago

      oh, thanks

  • @Rekz_devexpoa
    @Rekz_devexpoa 4 days ago +2

    Hi Eric, I haven't been here for too long, but I can already say your channel is the best on YouTube. I enjoy your content a lot and it's great that you're posting more frequently.

  • @CozyHQ
    @CozyHQ 4 days ago +2

    Hey, thanks for making a video on this, I'm the server manager for a server with over 130k members on Discord, we experience the problem of members being sent viruses and the biggest amount of them are blank-grabber. We usually delete the webhook on it by simply getting the webhook from the code of the virus.

  • @Saint.Scaramouche
    @Saint.Scaramouche 4 days ago

    Hello! How does the NightfallGT/Lunar Grabber work? Nice vid btw

  • @wlanverbot
    @wlanverbot 4 days ago +2

    hey, my HitmanPro scans when I boot up my PC tell me my userinit.exe file is suspicious and it's 128 KB large, is that normal? if I scan it with something else it says it's fine

    • @feefre
      @feefre 4 days ago +1

      @@wlanverbot it should go away after a reboot. You can also check the details to see what it is being detected as and by which AV engine, if available

  • @_____666______
    @_____666______ 4 days ago +2

    any way to hide Process Hacker from other software?

    • @Luna5829
      @Luna5829 4 days ago +5

      rename the process lol

    • @thatoneglitchpokemon
      @thatoneglitchpokemon 4 days ago +1

      @@Luna5829 you got brains i could NEVER have guessed that

    • @mrx6555
      @mrx6555 3 days ago

      @@Luna5829 how you do that?

  • @Sypaka
    @Sypaka 4 days ago +3

    Jo, buddy. This discord stealer is using almost the same code to bypass UAC as the malware in the other video of yours called "Remote Control Any PC With Discord".
    but instead of an "If/else", it's using "case". And now I am trying to block any outside access to my "%localappdata%\discord" directory, brb. I wonder, if I can pull that off.

  • @Jackss0n
    @Jackss0n 4 days ago +2

    What anti malware/virus program do you use or suggest?

    • @hahahahaha7237
      @hahahahaha7237 4 days ago +9

      A user is the best anti virus.

    • @monkaSisLife
      @monkaSisLife 4 days ago +8

      not downloading sketchy shit

    • @austist
      @austist 4 days ago +20

      1.) dont be an idiot.
      2.) windows defender
      3.) seriously, just pay the fuck attention to what the fuck you're doing

    • @AOSP-is-still-Linux
      @AOSP-is-still-Linux 4 days ago +4

      @@hahahahaha7237 Single-handedly the best response for this type of question.

    • @Jackss0n
      @Jackss0n 4 days ago +2

      @@hahahahaha7237 possibly the best answer I've ever seen to this question

  • @Limetable
    @Limetable 4 days ago +7

    @NoTextToSpeech your time

    • @poomanhighlights
      @poomanhighlights 4 days ago

      fr i didnt see ur comment, but i said he should try to do a collab lol

  • @hhhhhhhhhhhhhhhhhhhhhh
    @hhhhhhhhhhhhhhhhhhhhhh 4 days ago +4

    The Discord uninstaller does rather messy uninstallations, so simply just uninstalling Discord might've worked for this stealer, but more nefarious stealers might persist in a file that doesn't get wiped by the uninstaller. Would definitely recommend deleting the discord folders in "%AppData%" *AND* "%LocalAppData%" (Discord stores stuff in both these locations).

    • @someguy9175
      @someguy9175 4 days ago +1

      Even then, it would need to hook itself back into discord so it could be executed again... Maybe the malware could make a task to reinstall itself once the uninstaller is executed and then delete said task once discord is back on the machine but it's definitely not that stealthy.

    • @hhhhhhhhhhhhhhhhhhhhhh
      @hhhhhhhhhhhhhhhhhhhhhh 4 days ago

      @@someguy9175 As I said, Discord's uninstaller is messy and leaves lots of files behind that the malware can inject to and will allow it to persist past a regular uninstallation.
      The index.js file shown in the video isn't the only file that can be injected to.

    • @thatoneglitchpokemon
      @thatoneglitchpokemon 4 days ago +1

      Genius! I'm going to get my cookies deleted and have to log in every time!
      Bravo, bravo.
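Picking up the point in this thread that index.js is one of the files a grabber can inject into: the script below is an added defender-side example, not code from the video or from the grabber it covers. It walks a Discord install tree and flags every discord_desktop_core/index.js that is not the stock one-line require. The stock content, the app-1.0.x version directories and the tampered sample are assumptions constructed for the demo; the real tree lives under %LocalAppData%\Discord as the comment above says.

```python
"""Added example: flag a tampered discord_desktop_core/index.js under a
Discord install directory. Not the video's or the grabber's code."""
import tempfile
from pathlib import Path

# Assumption: the unmodified module is exactly this one-line require.
STOCK_INDEX_JS = "module.exports = require('./core.asar');"


def is_stock_index(content: str) -> bool:
    """True when the file is the expected one-liner (surrounding whitespace aside)."""
    return content.strip() == STOCK_INDEX_JS


def scan_discord_tree(root: Path) -> list:
    """Report every discord_desktop_core/index.js below root that is not stock.

    Injected code has to live somewhere in this file, so any deviation from the
    single expected line is worth a look; we record where and how big it is.
    """
    findings = []
    for index_js in sorted(root.rglob("discord_desktop_core/index.js")):
        text = index_js.read_text(encoding="utf-8", errors="replace")
        if not is_stock_index(text):
            findings.append({
                "path": str(index_js),
                "lines": len(text.splitlines()),
                "bytes": len(text.encode("utf-8")),
            })
    return findings


def build_sample_tree(base: Path) -> Path:
    """Constructed offline stand-in for %LocalAppData%\\Discord: one clean and
    one tampered app version (version numbers and the extra require are made up)."""
    root = base / "Discord"
    samples = {
        "app-1.0.0": STOCK_INDEX_JS + "\n",
        "app-1.0.1": ("// constructed tampered sample: an extra file is pulled in\n"
                      "require('./extra_module.js');\n" + STOCK_INDEX_JS + "\n"),
    }
    for app, content in samples.items():
        core = root / app / "modules" / "discord_desktop_core-1" / "discord_desktop_core"
        core.mkdir(parents=True)
        (core / "index.js").write_text(content, encoding="utf-8")
    return root


def demo() -> list:
    """Build the sample tree in a temp dir and return what the scanner flags."""
    with tempfile.TemporaryDirectory() as tmp:
        return scan_discord_tree(build_sample_tree(Path(tmp)))


if __name__ == "__main__":
    for f in demo():
        print(f"non-stock index.js: {f['path']} ({f['lines']} lines, {f['bytes']} bytes)")
    # On a live Windows box you would instead call
    # scan_discord_tree(Path(os.environ["LOCALAPPDATA"]) / "Discord").
```

Run on a real machine, a clean install yields no findings; a flagged file should be compared against the one-liner by hand before reinstalling, since the uninstaller leaves the modules directory behind as the thread notes.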

  • @adam.maqavoy
    @adam.maqavoy 3 days ago +7

    *Discord* is a mine field of 'em.
    *Discord's* not far from how *Facebook* was in the early 2010s nowadays.

  • @cluelessnova
    @cluelessnova 4 days ago

    It's sad seeing all the bots in Growtopia. Shame Hamumu hates the game so we won't see Seth and Hamumu working on it after they sold the game to Ubisoft Abu Dhabi..

  • @swardmasteryu
    @swardmasteryu 4 days ago

    oh yt notifications actually works

  • @Cybercerialdestroyer
    @Cybercerialdestroyer 4 days ago +1

    Does this work on Linux?

    • @Floriemene
      @Floriemene 4 days ago +9

      Stealers like this? Generally no, since they often rely on Windows specific DLLs via ctypes, or the win32 library for a lot of their functionality.
      But that doesn't mean Linux is safe from it. Someone absolutely could write a stealer that works in both places.
      It's just significantly less likely that you'd find one due to the nature of most Linux users literally never using random binaries lol
      In the eyes of most stealer devs, they find it easier to target more gullible and susceptible people (Windows Users)
      And not as worth it to target Linux which requires different methods for a lot of the same functionality, with diminishing returns.

    • @thatoneglitchpokemon
      @thatoneglitchpokemon 4 days ago +4

      @@Floriemene It's so dumb - write a stealer in Python, and they made it rely on ctypes. Whoever made this seriously denied the choice to make it crossplatform and still wrote it in Python lol

  • @prodfulcrum16
    @prodfulcrum16 4 days ago +4

    I was just playing growtopia and the servers went down lol

    • @jeevacation
      @jeevacation 4 days ago +2

      That game is still alive??

    • @taahaseois.8898
      @taahaseois.8898 4 days ago +2

      @@jeevacation It indeed is, filled with bots from Indonesia and other third world countries.

    • @prodfulcrum16
      @prodfulcrum16 4 days ago +2

      @@jeevacation The servers are constantly down and flooded with bots, the game's currency is fucked and inflation is pretty bad, over 80% of active players are bots or casino hosters and the devs don't give a fuck, since the game is owned by Ubisoft, since 2017.

    • @jeevacation
      @jeevacation 4 days ago

      @prodfulcrum16 yeah it was good when S&H had it, ubisoft ruined it by milking it.
      I remember seeing new locks all the time lol
      I think I first played it in '15 or '16

    • @prodfulcrum16
      @prodfulcrum16 4 days ago +2

      @@jeevacation yeah, it brings me a tear imagining how the game was around 2013-2016, since I started playing in 2013 christmas being 7 years old :D

  • @Nubs2112Official
    @Nubs2112Official 4 days ago +4

    not the browser history 😭we must leave

  • @kyo69420
    @kyo69420 4 days ago +2

    What the open source

  • @sendevia
    @sendevia 4 days ago +19

    please use dark mode

    • @JessicaFEREM
      @JessicaFEREM 4 days ago +2

      no it's less readable

    • @Shleepy27
      @Shleepy27 4 days ago +1

      lol fr, my eyes are already itchy cuz im sick.

    • @sendevia
      @sendevia 4 days ago +3

      @@JessicaFEREM the windows is zooming like 150% rn

    • @austist
      @austist 4 days ago +1

      @@JessicaFEREM mfr got astigmatism and making it our problem.

    • @rnts08
      @rnts08 4 days ago

      Got to get used to those flashbangs somehow.

  • @microcybs
    @microcybs 4 days ago +3

    they really said "Most Powerful"

  • @aWeirdNickname
    @aWeirdNickname 4 days ago +2

    Bro chill with the uploads

  • @KZA1234
    @KZA1234 4 days ago +3

    babe, wake up eric parker posted a video

  • @watercloud
    @watercloud 3 days ago

    Good vid

  • @poomanhighlights
    @poomanhighlights 4 days ago +8

    You should try to collab with @NoTextToSpeech to explain this and how to detect it and how to avoid it, although he will probally make a video on his own as soon as he finds out about this stealer

    • @adamtso
      @adamtso 4 days ago +1

      it's been out since 2021 lmao

    • @Visquint
      @Visquint 4 days ago +3

      you avoid it by not downloading junk.

  • @DominykasPc
    @DominykasPc 4 days ago

    haha blank grabber detected

  • @freedustin
    @freedustin 4 days ago +8

    This thumbnail AB testing is getting annoying. Saw this on my homepage earlier with a different more green thumbnail, but I didn't have much free time just setting up a playlist for the drive...now when I come back I have to scroll and scroll just to find out the green thumbnail I was looking for is gone and its white now. I didn't avoid clicking earlier because of the thumbnail, it was just a free time thing. But now YT takes this info as the new thumbnail got me to click.

  • @eHyp
    @eHyp 4 days ago

    Thanks

  • @Playerk125
    @Playerk125 4 days ago +2

    ntts mentionf letsy goo

  • @domdomdomme1203
    @domdomdomme1203 4 days ago +4

    Very scary indeed. That’s why I always avoid logging into things I don’t really need on windows. Can’t steal login cookies or session tokens that don’t even exist 🤓

  • @eIixi
    @eIixi 4 days ago +4

    you havent heard of growtopia??????

    • @electricz3045
      @electricz3045 4 days ago

      Not everybody on the Internet is a 12-year-old Roblox kid. We have better things to do

    • @Floriemene
      @Floriemene 4 days ago

      @@electricz3045 Growtopia was released in like 2012 though, lmao. And it was fairly popular up until around 2018-2020.
      The reason it was checking for passwords for that game was because the scene basically had a black market and irl trading scheme where accounts and stuff were being sold for real money.
      That's still going even today as far as I know.

    • @eIixi
      @eIixi 4 days ago

      @@electricz3045 i'm not a 12 year old roblox kid and i've heard of it lol

    • @eIixi
      @eIixi 4 days ago

      had you ever used android a few years back you'd have been recommended it

  • @imissedthejoke632
    @imissedthejoke632 1 day ago +1

    Growtopia mentioned no way

  • @Daniel99-j7l
    @Daniel99-j7l 4 days ago

    15th

  • @_White_HvH_
    @_White_HvH_ 4 days ago +3

    Why eric u looking forward to every thing im using :((

  • @SuqarSkllz
    @SuqarSkllz 4 days ago

    yay

  • @Scy1hee
    @Scy1hee 4 days ago +1

    w video

  • @budgetarms
    @budgetarms 4 days ago +1

    1M subs soon

  • @gooniesfan7911
    @gooniesfan7911 4 days ago +1

    thanks andrew tate

  • @1haust
    @1haust 4 days ago +2

    add some chill background music to these videos

    • @KoDi82
      @KoDi82 4 days ago +8

      man what are you talking about. The background music kinda ruins it. I'm glad he changed back from his last couple uploads.

    • @SeamanLord
      @SeamanLord 4 days ago +2

      It takes away from the minor mic cutouts that I live for

    • @Milk-rn5uq
      @Milk-rn5uq 4 days ago

      zoomer

    • @1haust
      @1haust 4 days ago

      @@KoDi82 it was just a suggestion as the context of these videos is interesting but the delivery can be rather boring, some sound other than plain talk definitely improves the atmosphere, though im not gonna argue with youtube comment warriors

  • @Տupport
    @Տupport 4 days ago +1

    Powerful, no kidding.

  • @chairedge
    @chairedge 4 days ago +6

    "Akeo Consulting" should be Rufus' signature.
    Growtopia is a pretty old mobile MMORPG acquired by Ubisoft who did not care enough to patch the issue that the "save.dat" (practically the login token) is saved in an unsecured state to the game directory. These accounts still sell for some money on the game's black market, so it makes some sense to have it check that way.