TroubleGrabber malware

TroubleGrabber, the latest credential-stealing malware, is distributed through Discord attachments and uses Discord webhooks to send the stolen data and information back to the attackers operating it.

Discord is a VoIP, instant messaging and distribution platform for creating communities that facilitate communication via voice calls, video calls, text messages, multimedia files and files in private and public chats.

TroubleGrabber resembles AnarchyGrabber, another credential-stealing Trojan, although it appears to work differently. TroubleGrabber was written by a man named Itroublve and is currently used by various threat actors to target Discord users.

TroubleGrabber malware targets

TroubleGrabber is mainly spread as a drive-by download and steals web browser tokens, Discord webhook tokens, web browser passwords and system information. Judging by the filenames and the delivery mechanism, TroubleGrabber is mainly aimed at gamers.

TroubleGrabber was first discovered in October 2020, when more than 5,700 public Discord attachment URLs hosting malicious content were found, mostly Windows executables and archives.

http://server.digimetriq.com/wp-content/uploads/2020/11/New-TroubleGrabber-Malware-Steals-Credentials-and-System-Information.jpg Fig. 1. Distribution of the top 5 malware detections delivered via Discord attachment URLs (Ref Netskope)

The detections fall broadly into two malware groups, GameHack and TroubleGrabber, with Gen:Variant.Mikey.115607 and Trojan.GenericKD.43979330 being the detection names in the first group.

Attack chain

http://server.digimetriq.com/wp-content/uploads/2020/11/1605628154_923_New-TroubleGrabber-Malware-Steals-Credentials-and-System-Information.jpg Kill chain of the TroubleGrabber attack

  • TroubleGrabber is delivered to the victim’s machine via a Discord attachment link.
  • TroubleGrabber then uses Discord and GitHub to download the next-stage payload onto the victim’s machine.
  • The payload steals the victim’s credentials and data, such as system information, IP address, passwords and web browser tokens, and sends them back to the attacker as a chat message via a Discord webhook URL.

TroubleGrabber shares similarities with several password- and token-stealing families, such as AnarchyGrabber, a malware that steals passwords and user tokens, disables two-factor authentication, and spreads to the victim’s Discord servers. Nevertheless, it is a completely new implementation and does not appear to be linked to the same group.

Conclusion

TroubleGrabber is the latest example of malware that abuses cloud applications throughout the kill chain.

Here are the four main mechanisms TroubleGrabber uses:

  1. Using cloud applications for initial delivery
  2. Using cloud applications to deliver the next-stage payload
  3. Using cloud applications for command and control
  4. Stealing credentials for cloud applications
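The three network-visible stages of the kill chain above (attachment delivery, next-stage download from Discord or GitHub, and webhook exfiltration) can be spotted in web proxy logs. The following is an added example for defenders, not code from the article or from Netskope; the log format, client addresses, filenames and webhook IDs are all constructed, and the host and URL-path patterns are the public Discord attachment and webhook URL shapes.

```python
import re
from datetime import datetime
from typing import Dict, List, Tuple

# Constructed proxy log lines (not from the article): "time client method host path".
SAMPLE_LOG = """\
2020-11-18T10:00:01Z 10.0.0.5 GET cdn.discordapp.com /attachments/111111/222222/FreeNitro.exe
2020-11-18T10:00:05Z 10.0.0.5 GET raw.githubusercontent.com /example-user/example-repo/main/stage2.exe
2020-11-18T10:00:09Z 10.0.0.5 POST discord.com /api/webhooks/333333/EXAMPLE_TOKEN_PLACEHOLDER
2020-11-18T10:01:03Z 10.0.0.7 GET cdn.discordapp.com /attachments/111111/444444/screenshot.png
2020-11-18T10:02:00Z 10.0.0.9 POST discord.com /api/webhooks/555555/ANOTHER_PLACEHOLDER
"""

EXEC_EXT = (".exe", ".scr", ".zip", ".rar", ".7z")
ATTACHMENT_RE = re.compile(r"^/attachments/\d+/\d+/([^/?]+)")   # Discord CDN attachment path
WEBHOOK_RE = re.compile(r"^/api/webhooks/\d+/[\w-]+")            # Discord webhook path
STAGE_HOSTS = {"raw.githubusercontent.com", "github.com"}

def classify(method: str, host: str, path: str) -> str:
    """Map one request to a kill-chain stage, or '' when it looks like normal Discord use."""
    if host == "cdn.discordapp.com" and method == "GET":
        m = ATTACHMENT_RE.match(path)
        if m and m.group(1).lower().endswith(EXEC_EXT):
            return "delivery"      # executable or archive fetched from a Discord attachment
    if host in STAGE_HOSTS and path.lower().endswith(EXEC_EXT):
        return "next_stage"        # follow-on payload pulled from GitHub
    if host in ("discord.com", "discordapp.com") and method == "POST" and WEBHOOK_RE.match(path):
        return "exfil"             # data posted back to a Discord webhook
    return ""

def scan(log: str) -> Dict[str, List[Tuple[str, datetime]]]:
    """Group suspicious requests per client as (stage, time); benign lines are dropped."""
    hits: Dict[str, List[Tuple[str, datetime]]] = {}
    for line in filter(None, log.splitlines()):
        ts, client, method, host, path = line.split()
        stage = classify(method, host, path)
        if stage:
            hits.setdefault(client, []).append((stage, datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")))
    return hits

def find_chains(hits: Dict[str, List[Tuple[str, datetime]]], window_s: int = 300) -> List[str]:
    """Clients where a webhook POST follows a payload download within window_s seconds."""
    # A lone webhook POST is weak evidence (bots and integrations use webhooks too);
    # download-then-exfil from the same client is the sequence the article describes.
    chained = []
    for client, events in hits.items():
        downloads = [t for s, t in events if s in ("delivery", "next_stage")]
        exfils = [t for s, t in events if s == "exfil"]
        if any(0 <= (e - d).total_seconds() <= window_s for d in downloads for e in exfils):
            chained.append(client)
    return chained
```

Running `find_chains(scan(SAMPLE_LOG))` flags only the client that downloaded a payload and then posted to a webhook, while the screenshot download and the isolated webhook POST are left alone.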

TroubleGrabber, the new kid on the block, is another account-stealing malware that exploits users’ trust in cloud applications. Whether this kid grows up or goes away, time will tell.
