Malware & Scamming | BETA Profile Customization
Hey Everybody,
I've recently discovered users posting countless videos or "methods" that miraculously grant you access to obtaining the Discord Profile Customization Beta.
This specific user: sub = good day
Can be seen posting videos about a modified Discord Client, which apparently grants you access to this beta if you didn't have it before. The same user will literally delete any comments on the video that attempt to warn people it's malware.
And quite obviously, this seems quite sketchy off the bat. So I decided to put it under a VirusTotal Scan, and as I thought it came back with pretty expected results.
Not only does the sheer amount of Antivirus flags it creates concern me, but it also seems to be accessing a discord webhook?
[Results]
It's quite worrying how many people could be downloading malware unwillingly,
so I made this post to create, I guess, some awareness in the community.
And maybe confirmation from the Discord Team that accessing something like this officially isn't possible, so people won't fall for this type of stuff in the future.
That's all aaha,
- Ham :)
-
Well then, I'll help you get rid of this guy! I've spoken to YouTube and will be contacting Discord shortly. It is concerning how many people could be falling for this trick, and I've also analyzed the file myself.
Thanks Ham!
-
Howdy Ham I'm back.
I did some more research on this, and it doesn't seem to be malware. Although, it's still against TOS. If you'd like to discuss this, please add me on discord. PickleArmy#0001
-
Hey PickleArmy,
I admire your willingness to investigate this issue,
but what led you to believe that this file is safe, and that it is completely harmless towards your PC?
I can guarantee this file will infect your computer, that's why I created a post about it in the first place.
Reason being:
#1 The file name is 'DiscordCanarySetup.exe' whereas the discord canary installer name is actually just 'DiscordSetup.exe'
#2 The VirusTotal which clearly shows that it flags many antiviruses
#3 If you try to download the file, with windows defender active, it blocks it (now this could just be a false flag, but I'm kinda doubting that at the moment)
#4 The author's youtube channel only contains these videos, and looks to be sub, view, comment botted.
#5 Any comments accusing the user's YouTube channel, or this 'modified' client of being malware, are deleted.
-
I believe the file is obfuscated. I think what's happening here is that the antiviruses cannot read the code making it, which in that case the file would be obfuscated. I read the code myself, and it seems normal although it's in an experimental version making it vulnerable. BUT: I'm not sure why it's obfuscated, that just makes people even more suspicious about it.
As for the file name, my canary is DiscordCanarySetup.exe, and I had obtained that from the official site.
I also think Windows is blocking the file because it's in an experimental version.
Other than that, it could be a malware, but I don't believe it is. Either way, it's breaking ToS because it's modifying your client like BD.
-
Hello again,
Huh, that's odd.
The Discord Canary Version I download, from here,
is named DiscordSetup.exe? I'm unsure, maybe you're on a different platform than I am, so it's downloading another version aha.
If it's being blocked because it's experimental, then why isn't the unmodified discord canary setup being blocked and flagged? I suppose it may be because the official download is signed and trusted by Microsoft, I'm unsure though.
Also yeah, I agree; why would it be obfuscated. Though you said you looked at the code, but how?
Unless you're willing to reverse the obfuscated code, then you won't necessarily be able to find anything.
Also it's still super fishy how comments are deleted on the video the instant they are posted. It hints the owner is attempting to hide something.
If you take a closer look at the VirusTotal, you can see that this Modified Discord Canary is accessing and executing Python Scripts, it also seems to be importing and using ADVAPI32.dll, which stands for Advanced Windows 32 Base API. This API can be used to obtain the System Admin tokens, and therefore takeover your system. The official version of Discord doesn't even touch ADVAPI32.dll or do these types of things.
AND the modified client, also terminates SVCHost.exe (Windows Service Host), Why??
Grabbing Token:
I'm not even going to go into this, but it's also editing and deleting SO MANY Registry Keys, and these are the registry keys that if modified by a program, can be instantly deemed malicious. HERE
-
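The behaviour indicators argued over in the two posts above (unsigned binary, high engine detection count, ADVAPI32.dll import, termination of svchost.exe, dropped Python scripts, autorun registry keys, and a Discord webhook as the exfiltration channel) can be scored mechanically. The Python script below is an added example, not code from the original thread or from Discord; the behaviour summaries it reads are constructed stand-ins whose field names are assumptions for this example and not the VirusTotal API schema, and the weights and thresholds are this example's own judgement.

```python
"""Score a sandbox behaviour summary against the indicators discussed above.
The report dicts are CONSTRUCTED for this example; their field names are
assumptions, not the VirusTotal API schema."""
import re
from typing import Dict, List, Tuple

# Autorun locations: ...\CurrentVersion\Run, RunOnce, RunServices (HKCU or HKLM).
PERSISTENCE_KEY_RE = re.compile(r"\\CurrentVersion\\(Run|RunOnce|RunServices)(\\|$)", re.IGNORECASE)
# Discord webhook endpoints are a common exfiltration channel for token grabbers.
WEBHOOK_RE = re.compile(r"^https://discord(app)?\.com/api/webhooks/", re.IGNORECASE)
SCRIPT_EXTENSIONS = (".py", ".ps1", ".vbs", ".js", ".bat", ".cmd")
# Processes a legitimate installer has no business terminating.
CRITICAL_PROCESSES = {"svchost.exe", "lsass.exe", "csrss.exe", "winlogon.exe"}

# Constructed summary mirroring the behaviour described in the thread (not a real report).
SAMPLE_REPORT: Dict = {
    "signature": {"verified": False, "signer": None},
    "detections": {"malicious": 23, "total": 68},
    "imports": ["KERNEL32.dll", "ADVAPI32.dll", "WS2_32.dll"],
    "processes_terminated": ["svchost.exe"],
    "files_dropped": ["C:\\Users\\Public\\grab.py"],
    "registry_set": [
        "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater",
        "HKCU\\Software\\Discord\\Version",
    ],
    "network": [
        "https://discord.com/api/webhooks/PLACEHOLDER_ID/PLACEHOLDER_TOKEN",
        "https://example.invalid/update",
    ],
}

# Constructed control: a signed installer showing none of that behaviour.
BENIGN_REPORT: Dict = {
    "signature": {"verified": True, "signer": "Example Publisher (placeholder)"},
    "detections": {"malicious": 0, "total": 68},
    "imports": ["KERNEL32.dll", "ADVAPI32.dll"],
    "processes_terminated": [],
    "files_dropped": ["C:\\Program Files\\Example\\app.exe"],
    "registry_set": ["HKCU\\Software\\Example\\Version"],
    "network": ["https://example.invalid/update"],
}


def triage(report: Dict) -> Tuple[int, List[str]]:
    """Return (score, findings); weights are this example's own judgement."""
    score = 0
    findings: List[str] = []

    if not report.get("signature", {}).get("verified"):
        score += 2
        findings.append("no verified Authenticode signature (official installers are signed)")

    det = report.get("detections", {})
    total = det.get("total", 0)
    if total and det.get("malicious", 0) / total >= 0.15:
        score += 3
        findings.append(f"{det['malicious']}/{total} engines flag the file")

    # ADVAPI32.dll exports the registry, service and token APIs. On its own the
    # import is weak evidence (most Windows programs link it), so it scores low.
    if any(d.lower() == "advapi32.dll" for d in report.get("imports", [])):
        score += 1
        findings.append("imports ADVAPI32.dll (registry/service/token APIs)")

    for proc in report.get("processes_terminated", []):
        if proc.lower() in CRITICAL_PROCESSES:
            score += 4
            findings.append(f"terminates system process {proc}")

    for path in report.get("files_dropped", []):
        if path.lower().endswith(SCRIPT_EXTENSIONS):
            score += 2
            findings.append(f"drops a script it can execute: {path}")

    for key in report.get("registry_set", []):
        if PERSISTENCE_KEY_RE.search(key):
            score += 3
            findings.append(f"writes an autorun persistence key: {key}")

    for url in report.get("network", []):
        if WEBHOOK_RE.match(url):
            score += 4
            findings.append(f"posts to a Discord webhook (exfiltration channel): {url}")

    return score, findings


def verdict(score: int) -> str:
    """Map the score to a triage label; thresholds are this example's choice."""
    if score >= 8:
        return "likely malicious"
    if score >= 4:
        return "suspicious"
    return "no strong indicators"


if __name__ == "__main__":
    for name, rep in (("sample", SAMPLE_REPORT), ("benign", BENIGN_REPORT)):
        s, f = triage(rep)
        print(f"{name}: {verdict(s)} (score {s})")
        for line in f:
            print("  -", line)
```

The point of the control report is that a single weak signal (the ADVAPI32.dll import, which almost every Windows program has) does not push a signed, clean installer past the "suspicious" threshold, while the combination of an unsigned binary, a killed svchost.exe, an autorun key and a webhook does.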
Hm yes, I do see that now. I suppose I should've looked at the behaviour on Virus, I didn't check that. You are right, anything that is modified by a program is instantly malicious, and I do believe that the file is malicious, and if it wasn't, why would it be obfuscated, there would be no reason.
I've forwarded this to Discord about 6-7 hours ago with no response still so hopefully they look into this as it's concerning knowing people could have their login tokens stolen.
-
Yeah aha,
Alright Awesome, can you let me know how the Discord Team responds; when they eventually do.
I'm quite fascinated by this.
Also I probably would've contacted Discord personally about this issue rather than creating a post about it, but I was unaware of where to do so, I couldn't necessarily find a fitting category in the requests page.
Where did you contact them from? So I know for next time.
-
Yeah no problem, you can send support requests here: https://support.discord.com/hc/en-us/requests/new
Their system is a little confusing at first, but I did: Trust and safety -> Report abuse or Harassment -> Scams, fraud, or prohibited transactions -> and then from there on it's your choice, there wasn't too much option for this specific scenario though.
-
Cool, Thanks dude. :)
-
Hey Ham,
I contacted Discord and, as usual, they cannot tell me anything that happens to the user due to their policy. Although, I checked my activities and noticed that the case is closed, so I went to check if the user was still active on Discord. The person giving the hacks, and the person who had told me about them (working with the person giving hacks) are still on Discord and their accounts have not been terminated.
I don't think any action will be taken here, even though this seems like a major security problem.
-
Hello Again,
Yeah that's sort of what I expected, ahh well; at least you tried and they're now aware of the issue.
Also thanks for letting me know!
I suppose this post is now resolved in some aspects, we don't really have any more to say aha.
-
Oh and, I just remembered, every .exe file is obfuscated, at least most of them so that might be why.