New TroubleGrabber Malware Steals Credentials and System Information

TroubleGrabber, the newest in a line of credential stealers, spreads via Discord attachments and uses Discord webhooks to deliver stolen data and details to its operators.

Discord is an instant messaging, digital distribution, and VoIP platform designed for creating communities, which supports voice calls, video calls, text messaging, media, and file sharing in public and private chats.

TroubleGrabber bears similarity to AnarchyGrabber, another credential-stealing Trojan, though it appears to be implemented differently. TroubleGrabber is written by an individual named “Itroublve” and is currently used by several threat actors to target Discord users.

TroubleGrabber Malware Target

TroubleGrabber resembles other password and token stealer families such as AnarchyGrabber, a malware that steals passwords and user tokens, disables two-factor authentication, and spreads malware to the victim's Discord servers. Nevertheless, TroubleGrabber is an entirely new implementation and does not appear to be linked to the same group.

TroubleGrabber was first discovered in October 2020, when more than 5,700 public Discord attachment URLs hosting malicious content, mostly in the form of Windows executable files and archives, were found.

TroubleGrabber abuses cloud apps in four ways:

Using cloud apps for initial delivery.
Using cloud apps for next-stage payload delivery.
Using cloud apps for command and control.
Stealing cloud app credentials.

TroubleGrabber, the new kid on the block, is yet another credential-stealing malware that abuses the trust users place in cloud apps. Whether this kid grows up or goes away, only time will tell.

Fig 1. Breakdown of the top 5 detections of malware samples delivered via Discord and containing Discord URLs (Ref: Netskope)

The detections are mostly associated with two malware groups, GameHack and TroubleGrabber, with Gen:Variant.Mikey.115607 and Trojan.GenericKD.43979330 belonging to the former group and the others to the latter.

Representation of the TroubleGrabber attack kill chain
TroubleGrabber is delivered to the victim's machine through a Discord attachment link.
TroubleGrabber then uses Discord and GitHub to download the next-stage payloads to the victim's device.
The payloads steal the victim's credentials and data, such as system information, IP address, web browser passwords, and tokens, and send them as a chat message back to the attacker through a webhook URL.

Attack flow

TroubleGrabber arrives mainly via drive-by download and steals web browser tokens, Discord webhook tokens, web browser passwords, and system information. Based on the file names and delivery mechanism, TroubleGrabber primarily targets gamers.

The four techniques listed above are the most common ways TroubleGrabber abuses cloud apps.

TroubleGrabber is the latest example of malware that abuses cloud apps across every phase of the kill chain.