Researchers discovered a simple malware builder designed to steal credentials and exfiltrate them to Discord webhooks.
On April 23rd, 2022, a Discord user with the handle “Portu” began advertising a new password-stealing malware builder.
Malware builders are programs on top of which so-called script kiddie hackers can craft their own executables. Script kiddie is cybersecurity parlance for a novice hacker who takes preexisting code and modifies it slightly for their own nefarious purposes.
Four days later, threat analysts from Uptycs discovered the first Portu-inspired malware sample in the wild, which researchers dubbed “KurayStealer.” According to researchers, the malware has been used to target Discord users.
How KurayStealer Works
The author behind KurayStealer has clearly taken inspiration – and code – from those other attacks. “We have seen several other similar versions floating around in public repositories like GitHub,” the researchers noted, concluding that “the KurayStealer builder has several components of different password stealers.”
When it’s first executed, KurayStealer runs a check to determine if the malicious user is running the free or “VIP” (paid) version.
Next, it attempts to replace the string “api/webhooks” with “Kisses” in BetterDiscord – an extended version of the Discord app, with greater functionality for developers. If this action is successful, the hacker can undermine the app in order to set up webhooks.
Webhooks are a mechanism by which webpages and applications can send real-time data to one another over HTTP. They’re like APIs, the key difference being that webhooks send information automatically, without the need for a request from the receiver.
With webhooks in place, the program takes a screenshot and grabs the geo-location of the target machine. Then it begins credential hunting: probing for passwords, tokens, IP addresses and more from Discord, Microsoft Edge, Chrome, and 18 other apps. Any data scoured in this process funnels back to the attacker via the webhooks.
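The two behaviours described above give defenders something concrete to look for: outbound POSTs to Discord webhook URLs from processes that are not the Discord client, and a BetterDiscord install in which “api/webhooks” has been rewritten to “Kisses”. The following is an added example written for this article, not Uptycs’ or KurayStealer’s code; the log lines, process names and the assumption that a pristine BetterDiscord file contains the literal “api/webhooks” are constructed for illustration.

```python
import re
from typing import Dict, List

# Discord webhook URLs take the form /api/webhooks/<numeric id>/<token>.
# The endpoint shape is real; every log line below is constructed.
WEBHOOK_RE = re.compile(
    r"https?://(?:\w+\.)?(?:discord\.com|discordapp\.com)/api/webhooks/\d+/[\w-]+"
)

# Constructed sample of a proxy/EDR-style network log: process, method, URL.
SAMPLE_LOG = """\
Discord.exe POST https://discord.com/api/v9/channels/123/messages
stub.exe POST https://discord.com/api/webhooks/1029384756/aBcDeF-gHiJ
chrome.exe GET https://www.example.org/
updater.exe POST https://discordapp.com/api/webhooks/5566778899/xYz_123
"""

# Processes allowed to talk to Discord in this (assumed) environment.
ALLOWED_DISCORD_PROCESSES = {"discord.exe"}


def webhook_exfil_events(log_text: str) -> List[Dict[str, str]]:
    """Return POSTs to Discord webhook URLs from processes other than the
    Discord client. The webhook token is redacted so alert output does not
    itself leak a working exfiltration channel."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split(maxsplit=2)
        if len(parts) != 3:
            continue
        proc, method, url = parts
        match = WEBHOOK_RE.search(url)
        if method == "POST" and match and proc.lower() not in ALLOWED_DISCORD_PROCESSES:
            redacted = re.sub(r"(/api/webhooks/\d+/)[\w-]+", r"\1<token>", match.group(0))
            hits.append({"process": proc, "url": redacted})
    return hits


def betterdiscord_tampered(file_text: str) -> bool:
    """Flag a BetterDiscord file in which the stealer's replacement string
    'Kisses' is present and the original 'api/webhooks' literal is gone.
    Assumes (constructed premise) that an untouched file contains the latter."""
    return "Kisses" in file_text and "api/webhooks" not in file_text
```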
What We Know of the Author
Script kiddies are rarely subtle.
Within KurayStealer’s code is a reference to who wrote it: “Suleymansha & Portu,” and an invite to a Discord channel run by the user “Portu#0022.” Portu#0022’s profile contains a link to their profile on Shoppy – an ecommerce platform – with samples of other malicious programs. It also points to their YouTube channel, which used to have a video up that demonstrated how to use KurayStealer. The channel is barren now, but for a cartoon profile picture and an indication that Portu is from Spain.
On April 26th, Portu announced they were working on a new ransomware program. “Based on the announcement and the observations,” the researchers concluded, “we believe that the authors might come up with newer versions of password stealers and other malware.”
“Our research on KurayStealer backed with OSINT highlights the rise in prevalence of password stealers using Discord tokens as a C2 for harvesting the victims’ credentials. Enterprises must have tight security controls and multi-layered visibility and security solutions to identify and detect such attacks.”