Spidey Bot Transmutes Windows Discord Client Into Backdoor

Delaware, USA – October 24, 2019 – A new piece of malware is reportedly spreading through Discord, and simply removing the malicious file is not enough to clean an infected system. Spidey Bot, discovered by MalwareHunterTeam, modifies the Windows Discord client and turns it into an infostealer with backdoor capabilities. This is possible because Discord built its desktop app on the Electron framework, which runs the application logic as ordinary web technologies (JavaScript, HTML and CSS) shipped as editable files on disk. Spidey Bot appends malicious JavaScript to the app's core files and restarts Discord so that the new script is loaded and run. The infected client then collects information about the system, Discord, the browsers in use and the first 50 characters of the clipboard, and transmits it to the attackers. After that, Discord acts as a backdoor: a fightdio() function retrieves further instructions, so the attackers can run commands on the infected system and drop next-stage malware. Because the malicious actions are carried out by the legitimate Discord process, the victim has little reason to suspect an attack, and deleting the file that originally infected the system gives nothing but a false sense of security: the modified Discord files keep the backdoor alive until they are restored, for example by reinstalling the client.
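The practical consequence of the paragraph above is that cleanup has to verify the client's own JavaScript modules, not just remove the dropper. The following script is an added example written for this page; it is not code from Spidey Bot, Discord or the original article. It builds a hash baseline of every .js file under an Electron app's modules directory (taken from a freshly reinstalled copy), re-checks the files later, and for each changed file lists the lines that were added and which capabilities those lines reach for. The module directory name, the indicator patterns, and the clean and injected file contents are all constructed assumptions for the demo; only the fightdio pattern comes from the page's own description.

```python
"""Integrity check for an Electron app's core JavaScript modules (added
example; not Spidey Bot, Discord or SOC Prime code).

Spidey Bot persists by appending script to the Discord client's own module
files, so the check below hashes those files into a baseline, re-hashes
them later, and reports every changed file together with the appended
lines and the capabilities they introduce.  Directory names and file
contents are constructed for the demo (assumptions, not real Discord code).
"""
import hashlib
import re
import tempfile
from pathlib import Path

# Capabilities an injected stealer/backdoor typically needs.  These regexes
# are assumptions about what is worth flagging; only "fightdio" is a name
# the page itself attributes to Spidey Bot.
INDICATORS = {
    "spawns processes": re.compile(r"require\(['\"]child_process['\"]\)"),
    "outbound HTTP": re.compile(r"require\(['\"]https?['\"]\)|\bfetch\(|XMLHttpRequest"),
    "reads clipboard": re.compile(r"clipboard\.readText\("),
    "executes dynamic code": re.compile(r"\beval\(|new Function\("),
    "names Spidey Bot C2 function": re.compile(r"\bfightdio\b"),
}


def fingerprint(path: Path) -> dict:
    """Whole-file SHA-256 plus per-line hashes, so added lines can later be
    named without keeping a full pristine copy of every file."""
    data = path.read_bytes()
    return {
        "sha256": hashlib.sha256(data).hexdigest(),
        "lines": sorted({hashlib.sha256(l).hexdigest() for l in data.splitlines()}),
    }


def _rel(path: Path, root: Path) -> str:
    return str(path.relative_to(root)).replace("\\", "/")


def build_baseline(modules_dir: Path) -> dict:
    """Fingerprint every .js file under modules_dir (run on a clean install)."""
    return {_rel(p, modules_dir): fingerprint(p) for p in modules_dir.rglob("*.js")}


def indicators_in(text: str) -> list:
    return [name for name, rx in INDICATORS.items() if rx.search(text)]


def check(modules_dir: Path, baseline: dict) -> list:
    """Compare the current tree against the baseline; return a list of findings."""
    findings, seen = [], set()
    for p in modules_dir.rglob("*.js"):
        rel = _rel(p, modules_dir)
        seen.add(rel)
        if rel not in baseline:  # a file the clean install never had
            text = p.read_text(errors="replace")
            findings.append({"file": rel, "status": "unexpected file",
                             "added": text.splitlines(), "indicators": indicators_in(text)})
            continue
        if fingerprint(p)["sha256"] == baseline[rel]["sha256"]:
            continue
        known = set(baseline[rel]["lines"])
        added = [l.decode(errors="replace") for l in p.read_bytes().splitlines()
                 if hashlib.sha256(l).hexdigest() not in known]
        findings.append({"file": rel, "status": "modified", "added": added,
                         "indicators": indicators_in("\n".join(added))})
    for rel in baseline:
        if rel not in seen:
            findings.append({"file": rel, "status": "missing", "added": [], "indicators": []})
    return findings


# Constructed stand-in for a core module entry point (not real Discord code).
CLEAN_INDEX_JS = """\
// entry point of the desktop core module (constructed sample)
const { app } = require('electron');
module.exports = require('./core.asar');
"""

# Constructed stand-in for an appended stealer/backdoor stub; NOT Spidey Bot's
# actual code, just the shape of capabilities the page describes.
INJECTED_JS = """\
const cp = require('child_process');
const https = require('https');
const { clipboard } = require('electron');
const snippet = clipboard.readText().slice(0, 50);
function fightdio(cmd) { return cp.execSync(cmd).toString(); }
"""


def demo() -> list:
    """Build a fake module tree, baseline it, inject script, re-check."""
    with tempfile.TemporaryDirectory() as tmp:
        modules = Path(tmp) / "modules"
        core = modules / "discord_desktop_core"   # directory name is an assumption
        core.mkdir(parents=True)
        index = core / "index.js"
        index.write_text(CLEAN_INDEX_JS)
        baseline = build_baseline(modules)
        assert check(modules, baseline) == []      # pristine copy passes
        index.write_text(CLEAN_INDEX_JS + INJECTED_JS)   # simulate the append
        return check(modules, baseline)


if __name__ == "__main__":
    for f in demo():
        print(f"{f['file']}: {f['status']} -> {', '.join(f['indicators'])}")
        for line in f["added"]:
            print("   +", line)
```

Run on a real machine, the baseline would be built from a clean reinstall and stored off-box, and the check re-run after an incident; a "modified" finding on a core module is the signal that reinstalling the client (not merely deleting the dropper) is required.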

Discord is a freeware app designed for the video gaming community and used by over 250 million people. It is still unknown who is behind Spidey Bot and for what purpose it infects Discord users. Gamers have recently attracted the attention of APT groups and become targets of cybercriminals. Having gained access to a home system, attackers can collect the information and credentials needed to compromise the corporate network that user connects to, or at least install a cryptocurrency miner if the system itself is of no interest. With stolen credentials in hand, the attacker's route into the corporate network is typically a remote-access service such as the VPN; you can detect signs of abuse or unauthorized access to the VPN service and enable real-time tracking of VPN connections with your SIEM and the content available on Threat Detection Marketplace: https://my.socprime.com/en/integrations/vpn-security-monitor