Security researchers observed the “AnarchyGrabber3” malware modifying the Discord client to steal its victims’ plaintext passwords.

As reported by Bleeping Computer, a threat actor released a new version of the AnarchyGrabber malware family called “AnarchyGrabber3.” This Trojan variant modified a Discord client’s %AppData%\Discord\[version]\modules\discord_desktop_core\index.js file upon successful installation so it could load JavaScript files. It first loaded inject.js, a script that then called in discordmod.js. Together, these two scripts logged the victim out of the client and prompted them to reauthenticate themselves.

The modified client preyed upon its victims by attempting to disable two-factor authentication (2FA) on their accounts. It then stole various information from the victim including their login name, email address and even their plaintext password. Simultaneously, the client listened for commands sent by the attacker. One of those orders instructed the client to send a message to a victim account’s friends, thereby helping to spread the malware to even more Discord users.

A Look Back at AnarchyGrabber

The emergence of AnarachyGrabber3 marks the latest development in a still-nascent family of malware. It was back in November 2019 when security researchers such as MalwareHunterTeam first spotted the malware using a Discord webhook to steal victims’ tokens and send them off to its handlers. In April 2020, Bleeping Computer learned of a new variant of the threat that modified the Discord client so that it could evade detection while stealing user accounts.

Defend Against an Infostealing Discord Client

AnarchyGrabber highlights the dangers of users reusing their passwords across multiple accounts. If the malware preyed upon employees who had reused their Discord passwords across multiple sites, for instance, attackers could authenticate themselves on these services and abuse that access to commit identity theft, perpetrate credit fraud or conduct a series of other secondary attacks.

In light of those risks, security professionals should lead the charge in their organizations to discourage users from reusing their passwords. They should leverage ongoing security awareness training to teach the workforce about this security best practice. Simultaneously, teams should augment their employees’ account security by requiring them to activate multifactor authentication (MFA) whenever it’s an available option. Threats such as AnarchyGrabber3 might attempt to disable that layer of protection, but they might not be successful. This feature could also help to safeguard employees’ account access when confronted by less sophisticated threats.