Everyone's favourite voice chat app is being subjected to a problematic trojan malware that's rudely stealing passwords from users and then spreading that same malware to a victim's friends as well.
Discord is a free voice and text chat app that's generally easy to set up and use with friends. It's also customisable with plugins, bots and more. Users can set up their own servers or join pre-existing ones. But this latest threat shows how important it is to be cautious when using the program.
Bleeping Computer reports that a trojan known as AnarchyGrabber is not only stealing users' passwords, but also automatically disabling two-factor authentication and then attempting to trick other users into downloading the malware as well.
The trojan is initially pitched to users as either a game cheat, hacking tool, copyrighted software or some other digital treat. Once Discord users fall for the trick, the real nightmares begin.
Passwords snatched by the AnarchyGrabber trojan are acquired as plain text and uploaded to the attacker's own servers. These can then be used to compromise the victim's other online accounts - which is why it's so important to use a unique secure password for each site you visit.
This trojan only needs to run once, and the way it's set up makes it very difficult for antivirus software to detect and combat.
How to check if your Discord is compromised
Luckily it's easy enough to manually check if your Discord has been attacked. If you've seen some warning signs that you might have been impacted, for example by being logged out of your account for no reason, then follow these steps.
Open Windows Explorer and visit this location:
You'll need to manually navigate to that destination as it's different depending on your Discord version (but it should look something like this: C:\Users\<user>\AppData\Roaming\Discord\0.0.306\modules\discord_desktop_core). Once you're there, look for a file called index.js.
Right-click on index.js and choose to open it with Notepad. If you're clean then you should see a single line of code in that file that reads:
module.exports = require('./core.asar');
Anything beyond that likely suggests you've been compromised. Fortunately, you can remove the trojan by uninstalling and reinstalling Discord. If you have been attacked, then we'd highly recommend updating your passwords - especially if you've reused your Discord password elsewhere.
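The manual check above can also be scripted. The following is an added example, not code from the article or from Discord: a Python script that reads index.js in every version folder under %APPDATA%\Discord and flags any file containing more than the single expected line. The %APPDATA%\Discord root is assumed from the example path above, and the 0.0.999 folder and the extra line used in the demo are constructed sample data.

```python
import os
import tempfile
from pathlib import Path

# The single line the article says a clean index.js contains.
EXPECTED = "module.exports = require('./core.asar');"

def is_clean(text):
    """True only if the file holds exactly the expected line (BOM and blank lines ignored)."""
    lines = [ln.strip() for ln in text.lstrip("\ufeff").splitlines() if ln.strip()]
    return lines == [EXPECTED]

def scan_discord(root):
    """Check <root>/<version>/modules/discord_desktop_core/index.js for every version folder.

    Returns {path: (clean, unexpected_lines)}.
    """
    results = {}
    for index_js in sorted(Path(root).glob("*/modules/discord_desktop_core/index.js")):
        text = index_js.read_text(encoding="utf-8", errors="replace").lstrip("\ufeff")
        extra = [ln.strip() for ln in text.splitlines() if ln.strip() and ln.strip() != EXPECTED]
        results[str(index_js)] = (is_clean(text), extra)
    return results

def demo():
    """Scan a constructed tree: 0.0.306 is clean, 0.0.999 (made-up version) has an extra line."""
    samples = {
        "0.0.306": EXPECTED + "\r\n",
        "0.0.999": EXPECTED + "\nrequire('./constructed_extra.js'); // constructed sample\n",
    }
    with tempfile.TemporaryDirectory() as root:
        for version, body in samples.items():
            core = Path(root, version, "modules", "discord_desktop_core")
            core.mkdir(parents=True)
            (core / "index.js").write_bytes(body.encode("utf-8"))
        return {Path(p).parts[-4]: r for p, r in scan_discord(root).items()}

if __name__ == "__main__":
    # Scan the real Discord folder when it exists, otherwise run the constructed demo.
    appdata = os.environ.get("APPDATA")
    root = Path(appdata) / "Discord" if appdata else None
    found = scan_discord(root) if root and root.is_dir() else demo()
    for name, (clean, extra) in found.items():
        print("OK      " if clean else "MODIFIED", name)
        for line in extra:
            print("    unexpected:", line[:120])
```

A MODIFIED result only means the file differs from the one-line form described above; the remedy is the same as in the article, reinstalling Discord and changing passwords.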
Take care what you click on, folks! Even links from friends can be dangerous.