Cyble-Hazard-Discord-Token-Stealer

Hazard Token Grabber

Upgraded version of Stealer Targeting Discord Users

Cyble Research Labs has come across a new strain of malware performing stealing activities named Hazard Token Grabber. The initial version of Hazard Token Grabber was spotted in the wild in 2021, and we have observed an upgraded version now, which Threat Actors (TAs) are using to steal the user’s data. Both versions are available on GitHub for free.

During our OSINT threat hunting exercise, we came across over 2000 Samples related to this stealer present in the wild. Most of the samples seen in the wild are the actual Python source code of the malware used for compiling the binary, indicating that the malware has been used on a large scale. Interestingly few of the samples had either low or even zero detection.

As per the statement made by the Threat Actor (TA), it appears that an upgraded version of Hazard Stealer can be accessed by purchasing it on their Discord server or website. This indicates that the malware present on GitHub might not be that evasive, and the TA has only uploaded it there for advertisement purposes. Figure 1 shows the statement made by the Threat Actor.

Figure 1 – Statement made by TA

The number of samples related to Hazard stealer has increased significantly in the last three months, as shown below.

Figure 2 – Stats of the sample submission in VirusTotal

The figure below shows the file details of one of the recent samples we analyzed.

Figure 3 – File Details

Technical Analysis

Builder:

Hazard Token Grabber is developed using Python, and the builder of this stealer supports Python version 3.10. The builder is a simple batch file that helps generate the payload and convert malicious Python script to a .exe file using Pyinstaller.

Figure 4 – Hazard builder

Payload:

The malware exfiltrates the data to a Discord channel using webhooks which can be modified through the configuration settings. The malware configuration also contains Flag variables and a list of programs to terminate during execution, as shown below.  

Figure 5 – File Configuration

The malware copies itself into the startup location to establish persistence and creates a random directory in the %temp% to store the stolen data.

Figure 6 – Creating a folder in the Temp directory

Upon execution, the stealer checks the configuration settings and creates a list to append the function names whose flag is set to TRUE. After this, the malware creates a thread for each function present in the list to execute the malicious code parallelly.

Figure 7 – Multithreading

Anti-debug:

The malware performs various checks to prevent debugging and terminates itself if malware is being debugged. The malware has a list of a few hardcoded values such as hardware ID, PC names, and usernames to exclude them from infection. The figure below shows the hardcoded lists

Figure 8 – Anti-debug check

The malware also checks for the disk size of the victim’s system. If it’s below 50GB, it terminates itself. It then reads the following registry keys for identifying the Virtual environment.

SYSTEM\\CurrentControlSet\\Services\\Disk\\Enum

HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Class\\{4D36E968-E325-11CE-BFC1-08002BE10318}\\0000\\DriverDesc 2> nul”)

HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Class\\{4D36E968-E325-11CE-BFC1-08002BE10318}\\0000\\ProviderName 2> nul”)

Figure 9 – Query registry

Data Harvesting:

The malware then proceeds to scan for the presence of a Discord token protector, something that protects Discord tokens from malicious grabbers. To evade this, the malware checks for the presence of certain files such as DiscordTokenProtector.exe, ProtectionPayload.dll, and secure.dat. If these filesare present in the DiscordTokenProtector directory, the malware removes them. After this, the malware also modifies the config.json file present in the DiscordTokenProtector directory to bypass the token protector. 

Figure 10 – Bypassing DiscordTokenProtector

The Hazard token grabber then bypasses the BetterDiscord by replacing the string ‘api/webhooks’ with ‘RdimoTheGoat,’ as shown below.

Figure 11 – Bypassing BetterDiscord

Using the subprocess module, the malware spawns PowerShell for fetching the Windows activation key and product name by querying registry keys shown in the figure below. The malware then steals this data for exfiltration. 

Figure 12 – Spawning PowerShell

This malware targets over 20 applications with the express purpose of stealing Discord tokens which include:

Discord, DiscordCanary, Lightcord, DiscordPTB, Opera, OperaGX, Amigo, Torch, Kometa, Orbitum, CentBrowser, 7Star, Sputnik, Vivaldi, ChromeSxS, Chrome, EpicPrivacyBrowser, Microsoft Edge, Uran, Yandex, Brave, Iridium and Mozilla Firefox.

This grabber steals cookies and login credentials from the chrome browser only. The stolen credentials contain Domain, Username, and Password. The stolen data is saved in a text file which will be copied to the random folder created initially.

Figure 13 – Stealing data from Chrome browser

The malware uses the API hxxps[:]//discord.com/api/v9/users/@me and appends a Discord authorization token to identify Account information, such as email, mobile, and billing-related details. It also identifies the badge associated with the Discord account and writes all the harvested information into “Discord Info.txt”, as depicted below.

Figure 14 – Harvesting data using discord developer’s API

The Hazard token grabber reads the following registry key:

SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY

to steal the Roblox studio cookie and writes the stolen data to the “Roblox Cookies.txt” file.

Figure 15 – Stealing Roblox Studio Cookies

Data Exfiltration:

Hazard token grabber sends a request to hxxps[:]//ipinfo[.]io/json to identify the victim’s IP and Location. It also finds the victim’s Google Maps Location. The malware does not write this data to a file but instead sends this as a message on Discord.

Finally, the malware compresses the stolen data and exfiltrates it using webhooks specified by the TA.

Figure 16 – Data Exfiltration

Conclusion

In the course of our analysis, we witnessed some samples of Hazard Token Grabber, which were fully undetectable. As the stealer is also available on GitHub, it’s possible that other TAs can also utilize its source code to create a variant of this stealer. Hazard stealer has the capability to steal data from multiple applications; however,  considering its specific functionality, the primary target appears to be Discord users.

Our Recommendations:

  • Avoid downloading applications from unknown sources.
  • Use a reputed anti-virus and internet security software package on your connected devices, including PC, laptop, and mobile. 
  • Use strong passwords and enforce multi-factor authentication wherever possible.  
  • Update your passwords periodically.
  • Refrain from opening untrusted links and email attachments without first verifying their authenticity.  
  • Block URLs that could be used to spread the malware, e.g., Torrent/Warez. 
  • Monitor the beacon on the network level to block data exfiltration by malware or TAs. 
  • Enable Data Loss Prevention (DLP) Solution on the employees’ systems. 

MITRE ATT&CK® Techniques  

Tactic Technique ID Technique Name 
Execution  T1204 User Execution 
Defense Evasion T1497.001 Virtualization/Sandbox Evasion: System Checks 
PersistenceT1547.001Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder
Credential Access T1555 
T1539 
T1528 
Credentials from Password Stores
  Steal Web Session Cookie
  Steal Application Access Token 
Collection T1113 Screen Capture 
Discovery T1087
T1518
T1057
T1124
T1007
T1614 
Account Discovery
Software Discovery
Process Discovery
System Time Discovery
System Service Discovery
System Location Discovery   
Command and Control T1071Application Layer Protocol 
Exfiltration T1041 Exfiltration Over C2 Channel 

Indicators of Compromise (IoCs):   

Indicators Indicator type Description 
2e434a36c1c3df178e3d19a66e871144
d079bcd90c03088e9c5e77084f8e4c385557db6b 2441f2df1789cfc48a170a7927d73b98d8676a65eb81f3b068e4c76c3b85e77a  
MD5
SHA1 SHA256
Payload
7fdc0515d98ff7d113ce68cccf29ae12
3f4966ec6ecc8973702f32e51eb766dda737f2d0 4ac15d15ff16919a08770265c074e8e89b21c9b61ce6348072aa719e80b5ed06  
MD5
SHA1 SHA256
Payload
c2ea16d8bfec78e1b2bf4322df0f63bd
083f1d520e8524d778e1c52b4cbdd5986ca6365c 6925d86fdedff2065c33df7806ba231d0d1c8f2d5246f1cad343f37fee54fe29  
MD5
SHA1 SHA256
Payload
Scroll to Top