PirateStealer is a Discord Token/Password grabber that generates a packed node.js executable which injects code into your Discord instance. The code is available on Github. The executable often has the node.js icon.
|Language||Malware in Node.js, Builder in C#|
|Obfuscation||Optionally obfuscated with obfuscator.io|
|Behavior||Discord Token, Email, Password, Saved Cards|
|Lasting Effects||Runs within your Discord instance.|
|Send Method||Discord Webhook, optional API proxy|
The builder allows you to optionally enable obfuscation, which runs the code through obfuscator.io. The Injected code is also obfuscated. The unobfuscated version is publicly viewable on GitHub.
When the executable is ran, it checks your %LOCAL% dir for directories that include "iscord" in the name. Then it goes through each folder and checks for files matching "\app-*\modules\discord_desktop_core-*\discord_desktop_core\index.js". The malware then executes `tasklist` to find running processes named Discord.exe, DiscordCanary.exe, DiscordDevelopment.exe and DiscordPTB.exe, and if configured to do so, it will kill each instance that it found. If not configured to do so, this list is still populated but is unused. After optionally killing open Discord processes, the malware then downloads the obfuscated payload from GitHub and writes it into the index.js file in your Discord installation. If the malware is configured to log you out, a folder is created called "PirateStealerBTW". The existence of this folder is checked for by the malware and it will not run the second stage of the payload if that folder exists. If it finds the folder, it will delete it. This appears to be used to delay the logout with certain config values, but does not work correctly due to a logic bug.
At this point, Discord is relaunched if it was killed and if configured to do so you are logged out. The second stage malware hooks into the onHeadersReceived event on the Discord client and checks for the webhook URL, if found it modifies the content security policy of the outgoing requests to allow all origins and headers. If the request is not the webhook, the content-security-policy and content-security-policy-report-only headers are cleared, and the access-control-allow-headers header is set to '*'. It is not known what purpose this serves.
The malware then retrieves the user's Login token and sends the outgoing webhook. The user's profile is then retrieved and sent as a second webhook message. When the user logs back in, the users username and password are logged and sent to the webhook. If the user has MFA enabled, the user's backup codes are requested and sent. The user's IP, friends list and payment sources are all logged at this point and sent as a third webhook message.
If the user changes their password whilst the malware is still present, the new password is logged along with the information sent in the login webhooks.
How to Tell if Your Machine is Infected
If your machine is infected, the file located at C:\Users\YOUR USERNAME\AppData\Local\Discord\app-DISCORD VERSION\modules\discord_desktop_core-A NUMBER\discord_desktop_core\index.js will contain something other than "module.exports = require('./core.asar');". Removal requires a full uninstall and reinstall of Discord.