
A recent report from cybersecurity firm Trend Micro has detailed the capabilities of a sophisticated Discord “info stealer” malware whose source code they first observed last summer.

The stealer is based on the customizable and efficient “Rust” programming language, a language that has become popular among malware authors. This version targets Windows PC users, the cybersecurity firm’s report said, swiping a variety of user information, including browser data and cryptocurrency wallet keys.

Cybercriminals are spreading it via Discord while also leveraging GitHub Codespaces — a cloud-based remote software developer portal launched last year — to host it, run their central hacker server, and exfiltrate any data it collects.

Trend Micro’s Senior Cyber Threat Researcher Jaromir Horejsi told VPNOverview that the company is continuously updating its threat signatures to keep up with adaptive cybercriminal techniques, such as posting malicious software on cloud-based developer platforms.

Stealer Targets Range of User Data

The info stealer, according to Trend Micro, targets various user data such as:

  • Browser data
  • Cryptocurrency wallets
  • Discord data
  • Steam data
  • System information

The stealer can extract passwords, cookies, and financial data from a broad list of popular browsers, including Google Chrome, Yandex, Brave, and many others that are Chromium-based.

It looks for specific deep-system locations to lift crypto-wallet keys from a user’s device, extracts Discord tokens to impersonate victims, and takes Steam gaming configuration files and the user’s operating system (OS) information.

Stolen data is then uploaded by hackers to the file-sharing platform “gofile.io,” Trend Micro noted.

“The subsequent exfiltration to the attacker’s webhook on GitHub Codespaces is a critical concern, posing a significant threat to victims’ privacy and potentially leading to substantial financial loss.”

Hackers Abusing New GitHub Cloud-Based Developer Environment

Though Discord malware has been around for some time, an earlier entry about the info stealer by the same researchers noted that hackers quickly found new ways to abuse a newer attack pathway — GitHub Codespaces.

Hackers were observed “leveraging exposed ports on a CS [Codespaces] instance to exfiltrate credentials from an infected machine,” the report said.
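The two exfiltration paths the article describes, uploads to gofile.io and traffic to an exposed port on a GitHub Codespaces instance, are both visible in ordinary outbound proxy logs. The script below is an added illustration written for this page, not code from Trend Micro or from the malware, and it scans constructed log lines for large POST/PUT requests to those destinations. The log format, the sample entries and the hostnames in them are made up for the example; it also assumes that forwarded Codespaces ports are served under the `app.github.dev` domain, which is not stated in the article.

```python
"""Flag outbound uploads that match the exfiltration pattern described in the
article: large POST/PUT requests to gofile.io or to a forwarded GitHub
Codespaces port. Example detection logic, not the vendor's or the malware's code."""
import re
from dataclasses import dataclass

# gofile.io is named in the article. app.github.dev is an assumption: it is the
# domain under which Codespaces serves forwarded (exposed) ports.
UPLOAD_HOSTS = ("gofile.io",)
CODESPACES_SUFFIX = ".app.github.dev"

# Constructed log format: "<timestamp> <src_ip> <method> <host> <path> <bytes_out>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>\S+)\s+(?P<method>[A-Z]+)\s+"
    r"(?P<host>\S+)\s+(?P<path>\S+)\s+(?P<bytes>\d+)$"
)

# Constructed sample log: one gofile upload, one Codespaces upload, and benign traffic.
SAMPLE_LOG = """\
2023-02-10T09:12:01Z 10.0.0.21 GET www.example.com /index.html 512
2023-02-10T09:12:43Z 10.0.0.21 POST store4.gofile.io /uploadFile 248211
2023-02-10T09:13:05Z 10.0.0.21 POST mycs-abc123-8080.app.github.dev /upload 193004
2023-02-10T09:14:10Z 10.0.0.33 GET gofile.io / 1024
2023-02-10T09:15:00Z 10.0.0.33 POST api.internal.example.com /submit 50000
"""


@dataclass(frozen=True)
class Alert:
    ts: str
    src: str
    host: str
    bytes_out: int
    reason: str


def classify_host(host: str):
    """Return a reason string if the host is one of the exfiltration sinks, else None."""
    h = host.lower().rstrip(".")
    for sink in UPLOAD_HOSTS:
        if h == sink or h.endswith("." + sink):
            return f"upload to {sink}"
    if h.endswith(CODESPACES_SUFFIX):
        return "forwarded Codespaces port"
    return None


def parse_line(line: str):
    """Parse one constructed log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def scan(lines, min_upload_bytes: int = 10_000):
    """Return alerts for large POST/PUT requests to the flagged destinations.

    Plain GETs (someone browsing gofile.io) and uploads to other hosts are ignored;
    the size threshold keeps small API calls from paging anyone."""
    alerts = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        reason = classify_host(rec["host"])
        if reason is None or rec["method"] not in ("POST", "PUT"):
            continue
        size = int(rec["bytes"])
        if size >= min_upload_bytes:
            alerts.append(Alert(rec["ts"], rec["src"], rec["host"], size, reason))
    return alerts


if __name__ == "__main__":
    for a in scan(SAMPLE_LOG.splitlines()):
        print(f"{a.ts} {a.src} -> {a.host} ({a.bytes_out} bytes): {a.reason}")
```

Matching on the Codespaces domain is deliberately broad: a developer contacting their own forwarded port is legitimate, so in practice this rule is best scoped to workstations that have no business reaching Codespaces at all, or combined with the process name from an EDR source.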

The report also describes how the info stealer can be disguised as an application, platform, or as “a popular video game.” While the name of the game was not revealed, it is possible that Trend Micro alluded to extremely popular games like Fortnite, which have been targets of similar attacks in the past.

Sophisticated Malware Campaign Combines Discord and GitHub

“Our findings point to cybercriminals developing more advanced tools specifically targeting [Discord] users, which could be indicative of a mounting number of sophisticated attacks on Discord in the future,” Trend Micro said.

Leveraging Discord — where a single Discord server alone can host millions of users — together with exposed ports on the GitHub Codespaces developer portal is evidence that cybercriminals intelligently adjust their tactics to maximize illicit profits by exploiting users’ personal information while evading detection.

Very often, information harvested by hackers is sold on the dark web for varying prices, even in the form of stolen identity kits.

Trend Micro’s Security Suggestions

In an email, Trend Micro offered straightforward recommendations on how to steer clear of novel info stealer campaigns, which include using exceptional password hygiene and maintaining heightened awareness surrounding ever-present email phishing schemes.

“Do not download and execute files from suspicious locations, do not click on suspicious links (usually delivered by email), do not execute email attachments from unfamiliar senders, do not ignore security warnings displayed by your operating system, keep all software up-to-date, use an anti-malware solution, use strong unique passwords, do not reuse passwords,” Horejsi told VPNOverview.

Platforms like GitHub Codespaces should “promptly delete/restrict/block such malicious instances,” he added, and be aware that hackers may continue to try to sneak malicious content on such portals.

We recommend you protect yourself from trending malware, such as info stealers, with a real-time antivirus solution for your PC that will run in the background on your devices whenever you use them. A real-time AV will quarantine malware before it has the chance to infect you.

Finally, also have a look at our list of the most malware-infested games of 2023 and how to further defend against this ongoing attack vector.
