Analyzing the Source Code of Popular Desktop Apps for NodeJS Malware. Part2

In my last article (see here), we discovered a NodeJS malware that steals the Discord credentials from the client by patching the sources of the Electron client.

Since then, a lot of things have happened. The author deleted the repository, and he apologized for the harm he caused.

Electron

Electron is a framework that lets developers build desktop applications using Web technologies like HTML, Javascript, and CSS.

This framework is prevalent and widely used by many typical applications like VSCode, Whatsapp, or Discord.

As the application code is in Javascript, the sources are still there but hidden in plain sight. So what protects us from a malicious user editing the archive containing the sources and tampering it with malware? Well, on Electron level, practically nothing. On the OS level, you could use code signing or installing the application in a secure place:

• On Windows, a program in C:\Program Files\ can only be edited by the application itself, but, by default, there are installed in %APPDATA% instead, where there is no such protection.
• On Mac, apps are usually signed, and this signature is verified during the installation. But after that, nothing is checked anymore.
• On Linux, there is no such default protection mechanism.

Electron Malware Injection: PirateStealer

Let's start our journey into Electron injections by looking at how the PirateStealer’s injector works.

It first tries to find your Discord installation in your %APPDATA% directory and then locates all the running processes. Then it downloads the infection payload from a Github repository, stops your Discord, injects the payload, and restarts your Discord client. Let's focus on the payload injection. The payload injection is done by modifying the main Discord Desktop file that you can find in your %LOCALAPPDATA%\Discord\app-<version>\modules\discord_desktop_core-2\discord_desktop_core directory. The index.js file should normally look like this:

module.exports = require('./core.asar');

After the injection, it will look like this:

const fs=require("fs"),path=require("path"),{BrowserWindow:BrowserWindow,session:session}=require("electron"),querystring=require("querystring"),os=require("os");var webhook="https://discord.com/api/.....

As you can see, the malware has modified the source code of Discord to get its code running inside Discord.

It is now time to look at this injected payload.

PirateStealer Payload

I won’t publish the complete code of the payload as the original Github repository got banned, but we can still highlight some clever mechanisms.

First, we can look at how PirateStealer grabs the token from the Discord client. To prepare the code for distribution, the Discord team bundles its code with Webpack. This tool allows bundling many resources into bigger chunks to facilitate the installation procedure.

Webpack also exposes a way for developers to add their own code at runtime.

This feature comes from this Webpack JSONP Loader. As one can see in the highlighted code, this line allows the developer to access the entire Webpack runtime. From there, we have access to all the functions in Discord. From there, we can list every function and search for the getToken function. [rant: on] Yep, that’s it, the most security-critical function of Discord is in plain sight of everyone. If Discord renamed that function to any other name, it would break every currently existing token grabber. [rant: off]

With this token, PirateStealers runs several calls to the internal Discord API:

• It first checks the profile for unique badges like Verified Developer, Early Supporter…
• It then lists the payment sources (it doesn’t expose your credit card, but it does expose your postal address!)
• Then it lists your friends with rare badges for future targeting.
• Finally, it resets your MFA if it grabbed your password earlier (more on that below).

We saw what the malware could do with a simple token. This is quite powerful, in my opinion…

But that’s not all the malware does. It also watches your activity in the application:

• It detects when a user logs in, changes its password, or changes its email address (that means it can steal your password and email address). This leaks your existing password and allows the hacker to log in and change any information on the account.
• It detects when a user adds a credit card and leaks all the information about the card (including CVC!)

Recommendations

From what we saw all along with the article, I would recommend to:

• Don’t use your actual address in your payment methods on Discord.
• Don’t use credit cards if you want to add a payment method; use Paypal instead, which doesn’t leak any critical information.

Thank you for reading this article. If you have any suggestions or comments, you can address them preferably on Discord (https://discord.gg/FKuAky4K8M).

If you enjoyed this article, please consider leaving a reaction. This kind of article takes a long time to prepare (almost a week alongside my day job), so if you want to support me, you can do it on Buy me a coffee.

First published here