Unraveling Discord Token Stealer (python MALWARE)

Captions
I received this email. It said I downloaded some module or some code, but it doesn't work; there's no GitHub repository or documentation, and I think it's malicious, so I've gone ahead and moved this into my FLARE virtual machine. This is Python code, if you weren't able to tell: we're going to use the import syntax and then run certain functions and methods to do specific things. However, a lot of this is obviously obfuscated. It is of course gzip data that is marshaled and then loaded and then executed, but there's a whole lot of noise here. There are a couple of interesting things. I do like the fact that they use the os.system method here to install everything that they would need as other dependencies that aren't built in before it goes ahead and imports those. I do want to go ahead and clean this up, though. What I'm going to do is save this into a cleaned.py file and split on each of the semicolons for this import statement. With that we could replace this; we probably don't need to end up installing all these things, because we don't want to detonate this on our own machine. But note that, yes, the indentation did not persist through the email. So: another import statement, and then the exec statement all the way at the end there, and then finally, for the except clause at the very, very bottom of the file, we will do nothing with a simple pass statement. So with that, ultimately this is the trigger, but now we want to kind of clean up and see what it is actually trying to execute. So we need to go see what is passed into this exec function. The way we could do that is by simply changing it to a print function, but let me change this to another file for us to be able to kind of dynamically just run and play with. I'll call this stage1.py and I'll try to just remove all the other crap that we don't need right now and don't have installed. So let me go ahead and move my try statement, I'll remove the except statement, and I'll change this exec into a print, and let's see if we could actually get this spat out to us.

I'll go ahead and open up my terminal. I believe that should just be CMD or Cmder here in FLARE. I'll move into the desktop. I do believe I can just run python like that, can I not? I can. Okay, cool. So let's try and run python with our stage1.py, and it's spitting it all out. Kind of a bummer: "bad argument to internal function". What did you try to do? All right, I don't seem to be having any success in getting this marshal.loads function call to succeed with any of my virtual machines; however, it does work on my host. So hey, I guess we're playing with fire a little bit, living on the edge here, but you know what, that's A-okay. So I do have the test1.py script just printing out everything, as we saw just a moment ago. If I go ahead and run this, it does give us an actual code object, so it does return something, and interestingly enough, it actually tells me this is file "PyFuscate". So I'm curious what that might be. We could do some Googling and some research super duper quick, but ultimately I want to learn how I can pull out the source code from this file. So I am Googling around online; looks like I could try to do this with the inspect module and library, with getsource. Let's see if that will work here for us. I'm not sure if it will, but it's worth a try. Let's go ahead and import inspect, and let's say that this is actually the code that ran. I'll go ahead and move that, and I'll turn off word wrap so we could actually see this code here. Now what I want to do is inspect.getsource on that ran variable, and let's say, I don't know, source can equal this. Let's try and print that out in case we are able to see it with that nice and easy win. Let's try and run that one more time, and it says "error: source code not available". Super lame. Um, what else could we do? But it does tell me that it is PyFuscate, and that is something we could try to Google and research and go find.

And I do see one on GitHub that has the same sort of style and structure, capital P, capital F, and then a hyphen in between them, and that is apparently a program that allows you to obfuscate Python programs. Here is the GitHub repository, and they have a nice little animated demonstration here. There is the tool, supposedly, and if we just kind of watch them doing this thing here, what they end up doing is passing in their program with an output file. Oh, and it looks like they actually tack on -s for strength. Oh, it's how many times it's going to end up encoding it. Okay, so what does that actually do when they end up returning it out? It's... oh, looks exactly like what we have. Okay, so that must be it. What do they do here? Usage is just as we expect. Um, let's go see how they do this. Regular imports, lots of pretty ASCII stuff, not important, doesn't matter. Here's the encode function. Okay, so: random choice of a mode, marshal-encoded exactly as we saw with the PyFuscate name, executable compiled to a code object, and then they grab the method that they chose. If it is a certain one they use a specific kind; otherwise they just go ahead and compress it as they did and then build up the new code for the portion that matters. Okay, but because this has a strength argument, it ends up being repeatedly obfuscated, 100 recommended. Oh, they do this like over and over and over again here. Oh, nice little update functionality here. But strength, yeah, that is going to be a loop, and it keeps doing this over and over and over again. Well, what we could do is try to actually maybe decompile, get the disassembly of all the raw Python bytecodes, like if I did dis.dis of ran. Um, will that print out what we're actually supposed to see here? Oh yeah, okay, cool. So if folks aren't familiar, these are the assembly, or like the instructions, for the CPython virtual machine that does specific things when Python code is executed. You'll note that there is a whole lot of other random bytes here at the top, because that's going to end up being the next layer that is passed in to what we want to unravel.

Let me see if I can get to the very top of this. Hopefully, hopefully, hopefully. Oh, okay, I thought I saw a break somewhere. Yeah, here it is. So notice, if I go to the very top of me trying to run this as we disassemble, we'll run this on this code: we end up importing marshal, we end up importing lzma, and all this is a lot easier to read than regular, like, assembly, correct? So import all these, store them as what they are, and ultimately when we want to start to execute something we end up loading that built-in exec function and of course taking marshal.loads and lzma.decompress. And with that we basically know what we're going to end up carving out for the next layer here. So that is kind of worthwhile. I wonder if we could script this and try to automate or unravel what it did when it tried to obfuscate it, if we just keep decompressing it and pulling apart the layers here. Let's see if we could try that. Let's print out our disassembly and let's split on our exec function, correct? Oh, it does not return anything. What does that do? Maybe I can pass this as a bytecode object and then run this on that, maybe. Oh, but it might have exec, of course, yet again inside the innermost one. So I think we need to slice it from there to there, and that way we can get all of these, and then we'll end up kind of carving that back together. So let's do exec.join all of that, put this in a try and except. Okay, so now we want to take that new code, split it on LOAD_CONST. Okay, that is the bytes. Okay, so we need every line that has a LOAD_NAME. Oh God, oh God. Okay, so now I think I've carved out the next line of data. Now I just kind of need to safely eval that. Oh yeah, it seemed to work. I mean, I guess if I'm just trusting my eval, which seems like a bad idea, but it will break if something's wrong. So that seems to be carving it out. I mean, we can just try to print out each command as it comes. Okay, so it does seem to do it differently each time, like I have new values after each one.

So we could try to do this 10 times, presumably pouring out new data. Let's go to 100, and then we get... something. I don't know what count that is. We get to 99 and that's it, and that's the last piece. So after 99 de-obfuscated portions, oh gosh, there's the real malware. Well, if we have the malware at this point, you know, we can probably just kind of save it somewhere else and try to review it. I don't know if we'll be able to get the source code out of that, but it's worth just trying to tee that out to, like, I don't know, "source", I guess. And that's a lot of stuff here, but we can at least take a look at what this thing is. So noting, hey, these are all of our import lines. Nothing all that interesting; there are a lot of these, kind of as we were expecting with everything else that we just saw. But we can make sense of the code here, because you're importing all these things; you can see which is IMPORT_NAME, etc., etc. But ultimately we end up setting some variables with STORE_NAME to be able to retrieve, hey, environment variables with the os library, and all of these are kind of their own individual lines. Or we're creating a list of passwords presumably with passw, and ooh, okay, we have a Discord webhook already, and this is probably going to be a Discord token stealer, as we would expect. Yeah, okay, some constants here: BlackCap inject URL with a GitHub user, and there we go. I don't know who this fella is; let's take a look at their repositories though, because... okay, here's BlackCap inject: "Discord injection for track all actions like changing password, credit card add and PayPal. I actually work on the BlackCap Grabber in Python." Oh, okay, let's take a look at that. Here's the Grabber. I'm just presuming the Grabber is going to be the source code to what we're looking at. Yeah, yeah: "powerful, fully undetectable, tokens to your..." yada yada, and cutesy, here is their BlackCap fully undetectable thing. Oh, they have a Discord.

Totally gonna join their Discord, purely educational, of course, of course, obviously. As features, okay: you enter your own webhook so anyone else can kind of grab information. Um, oh man, I wish I would be able to see the Discord server that they're funneling that webhook into. But obfuscation.py: this is the exact same code as the freaking PyFuscate. It's just someone else's repository that he just put in here. Look, literally, you know, PyFuscate with the hyphen; it's still the exact same code, just slapped into his repo. Well, we were able to, like, reverse that, or at least dig it down to the actual main.py, and this should be... yeah, these are all the imports that we just saw, these are all the disassembly that we just saw, and here are the Local, Roaming and Temp things that we just kind of saw in the Python bytecode. But ultimately we want to see how this thing is made in its original source code. So they have a configuration file with the BlackCap inject URL, your webhook... hang on, before we go any further, let me get a quick word from today's sponsor.

I'll be honest, I write bad code. Even though I try to hunt for vulnerabilities in lots of other software, I still have vulnerabilities even in my own projects. Everyone does, and that's why I use Snyk to scan for vulnerabilities in code, dependencies, containers and configuration files, and Snyk helps find and fix those vulnerabilities in real time. You can try it and see for yourself: you can sign up for free with my link below, import your repositories, and sit back and let Snyk do the work for you. It'll find the flaws and vulnerabilities in your own applications. Check out this prototype pollution vulnerability that Snyk uncovered. We can see more details about the code path to introduce this vulnerability and even learn more about this kind of vulnerability, or any others, if you check out the Snyk Learn lesson. I've referenced the Snyk Learn lessons and their vulnerability database a ton, especially in assessments and penetration testing, and even during capture-the-flag competitions. From there you can see an explanation of a flaw, proof-of-concept exploit code and attack demonstrations, and most importantly how to mitigate this vulnerability. But the best part: Snyk helps you fix this vulnerability with a single click. It'll automatically open a pull request so you can just merge and move on. So seriously, check out Snyk. It's crazy how many vulnerabilities could be affecting your projects and you don't even realize. Take advantage of the resources and learning material and learn all about the different vulnerabilities out there. It's completely free and you can sign up right now with my link in the video description. Huge thanks to Snyk for sponsoring this video.

Hide script, ping enabled, okay. So they configure this, presumably, and yeah, all the things in ours are in fact filled in, so someone else has put this here. And they also have Bitcoin addresses and Ethereum addresses that have probably been used to replace stuff. Address replacer, yes: so it is trying to replace cryptocurrency addresses in the clipboard. There's a lot here. How recently has this stuff been used? Okay, so still getting hits, not a lot, but 400 in Bitcoin a couple days... well, wait a second, this goes back a long time. Oh, and this is a list of blocked programs, or ones that it'll just try and kill right out of the gate. Yeah, so if any of these things are running, what does it do? Blocklist: it kills them. Yeah, it kills all the processes. Info stealer: getting just some random stuff with PowerShell. Oh, are these getting IP address? Of course, IP address, of course. Oh, even the Google Maps location. This is the code and functionality to be able to swap in your clipboard whenever you copy and paste a crypto address to be able to send something to it. It'll go ahead and replace it with the actual attacker's addresses, so that you don't realize that you're accidentally sending them money and not the person you thought you were sending it to.

Here is the BlackCap init func, I'm gonna be assuming. Yep, goes ahead and grabs API, your webhook, ping type, everything that it's already retrieved out of the configuration files, adds some persistence mechanisms and usual startups, hides the window, and whoa, here are a lot of, uh, synchronous functions to be able to try and steal and scratch, grab some specific tokens. Tries to do some anti-VM protections: hey, if it's in a debugger, then try to bail out. Steal the screen info, tokens, Minecraft, Roblox. Interesting that it has some bypass for Token Protector, Discord Token Protector, where it ends up just trying to remove the specific files that come with that tool and then manipulating the configuration file to be like, hey, this hacker was here, or whatever. Oh, same thing with BetterDiscord, nice. Holy cow, look at that steal token function: a whole lot of these where they're just grabbing the specific path for the application data and then adding in where it might be hosting a lot of those tokens, Local Storage, cache, etc. Browser history, browser cache, browser passwords, goodness. Okay, so here are the embeds that are going into the Discord webhook. We end up taking the icons, author names, adding everything and exfiltrating it to that: computer name, Windows key, disk storage, tokens it was able to steal, and then it uploads the file for everything that it was able to put together. There's a really interesting section here on the NoDebugging class, determining whether or not it is inside of a virtual machine or some sort of sandbox. Like, it has different usernames listed, with some random ones, alongside, hey, specific computer name values that could potentially be, I don't know, maybe an indicator that it is a sandbox, or some strange way that, hey, you've got a denylist here: do not run or detonate if you match these hardware IDs, the PC values, even IP addresses, kind of strange, and of course, hey, some specific paths. If they exist, then it just doesn't end up firing; it just, hey, turns itself off. Same thing with even registry keys. Look, if you look like you are inside of a virtual machine given the disk enum values, if it's VMware or VBox, then it just bails out.

This is a very, very long file. I don't want to bore you with all of it, but there are pieces to it. I guess ultimately we have found what this thing is, but now I'm curious: hey, what could we do with that Discord webhook? Well, there's not a whole lot more we can do with the webhook. It's not like we could actually track down, hey, what server it is joined to, or are we able to hook into any of the messages that are sent to it. We can at least spam the webhook and try to send a whole load of data. I know I'm using this online resource because I didn't build one on my own, but I can see that it's working, because I have spammed a webhook that I created, and now I think I can't do anything: Discord is not letting me do anything. If I try to delete everything, it's not letting it happen. I've even tried to delete the server, uh, but "enter your auth code", it still won't let me do it, because I'm breaking Discord, whoops. All right, so for the icon I'm gonna use the troll face from Wikipedia, that fella there. I do want to make sure that I am using the genuine, actual adversary's webhook. We'll just put the bot username as "LOL skid get wrecked", how about that. Um, it's doing its thing, it's just doing its thing, the best that it can, I think. All right, so bear in mind there's no way to know whether or not I actually got there; there's no way to know it actually worked, but it's a little bit of fun, I don't know. Hopefully it breaks their Discord account just as much as it did mine. All right, well, I'm going to report this thing: Report, malware, "this user hosts Discord stealers", okay, report. There you go, all done with that. There's not a whole lot left to do. We reversed the malware, got to find the original Discord token stealer, and we spammed the webhook and reported that original malware author, creator. Now, that's not to say that is the operator for the webhook that we saw; that could very well be different entities, but all around, hey, probably bad stuff that shouldn't be out there. With that, I'm done rambling. Like, comment, subscribe, I'll see you in the next video.
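An added example, not code from the video, from PyFuscate or from the BlackCap repository: a small Python harness that peels the nested "exec(marshal.loads(<mode>.decompress(...)))" layers the video carves out of the dis output by hand, but without ever calling exec, since compile() and marshal.loads() only build a code object and never run it. The stub shape, the lzma/zlib/gzip mode set and the SAMPLE final stage are all constructed assumptions here, so that the sample can be wrapped and unwrapped inside one interpreter.

```python
import gzip, lzma, marshal, random, types, zlib

# marshal + compression pairs; the loader stub names the one it uses (assumed stub
# shape, mirroring the marshal.loads(<mode>.decompress(...)) layers seen in the video).
CODECS = {"lzma": (lzma.compress, lzma.decompress),
          "zlib": (zlib.compress, zlib.decompress),
          "gzip": (gzip.compress, gzip.decompress)}

# Constructed stand-in for the final stage: a webhook constant and an env lookup.
SAMPLE = ("import os\n"
          "WEBHOOK = 'https://webhook.example.invalid/constructed'\n"
          "def grab():\n"
          "    return os.environ.get('APPDATA', '')\n")

def wrap(src, layers, seed=0):
    """Build a constructed sample: nest src inside `layers` exec/marshal/decompress stubs."""
    rng = random.Random(seed)
    for _ in range(layers):
        mode = rng.choice(list(CODECS))
        blob = CODECS[mode][0](marshal.dumps(compile(src, "<obf>", "exec")))
        src = f"import marshal, {mode}\nexec(marshal.loads({mode}.decompress({blob!r})))\n"
    return src

def _stub_payload(code):
    """(mode, blob) if code is a loader stub: imports marshal, calls exec, one bytes const."""
    blobs = [c for c in code.co_consts if isinstance(c, bytes)]
    if len(blobs) != 1 or not {"exec", "marshal"} <= set(code.co_names):
        return None
    mode = next((m for m in CODECS if m in code.co_names), None)
    return (mode, blobs[0]) if mode else None

def peel(src, max_layers=500):
    """Unwrap every layer using compile() and marshal.loads() only; nothing is exec'd."""
    code, depth = compile(src, "<stage0>", "exec"), 0
    while (hit := _stub_payload(code)) is not None:
        if depth >= max_layers:
            raise ValueError("too many layers, refusing to continue")
        mode, blob = hit
        inner = marshal.loads(CODECS[mode][1](blob))  # deserialises a code object, never runs it
        if not isinstance(inner, types.CodeType):
            raise ValueError(f"layer {depth}: {mode} blob is not a code object")
        code, depth = inner, depth + 1
    return code, depth  # hand `code` to dis.dis() for the bytecode walk shown in the video

def strings_in(code):
    """Triage helper: string constants, recursing into nested function code objects."""
    out = []
    for c in code.co_consts:
        if isinstance(c, str):
            out.append(c)
        elif isinstance(c, types.CodeType):
            out.extend(strings_in(c))
    return out
```

Because marshal is version-specific, run the peeler under the same CPython minor version that produced the sample (the "bad argument to internal function" error in the video is what a mismatch looks like); strings_in() gives a quick first pass for webhook URLs and paths before reading the full disassembly.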
Info
Channel: John Hammond
Views: 222,253
Keywords: cybersecurity, learn, programming, coding, capture the flag, ctf, malware, analysis, dark web, how to learn cybersecurity, beginners
Id: XZj87tKIlik
Length: 19min 4sec (1144 seconds)
Published: Tue Mar 07 2023