
CursedGrabber Malware

The number of malware threats exploiting the legitimate Discord platform appears to be proliferating. The latest threat of this type to be detected by infosec researchers is called 'xpc.js' and belongs to the CursedGrabber Malware family. This piece of malware was released by the same hacker responsible for previously discovered malware such as discord.dll, discord.application, wsbd.js and ac-addon.

Despite its name, 'xpc.js' is not a JavaScript file but a corrupted npm component that targets Windows hosts. It is delivered as an archive named 'tar.gz' that contains two EXE files, 'lib.exe' and 'lib2.exe', which are executed via 'postinstall' scripts from the manifest file. 'Lib.exe' is an infostealer malware that harvests various data types from compromised systems and sends them back to the attackers through Discord webhooks. The gathered information includes user profiles from several browsers, Discord tokens, Discord leveldb files, etc. The threat even attempts to obtain certain payment details and billing information.
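The execution chain described above, lifecycle scripts in the npm manifest launching Windows binaries shipped inside the tarball, is a pattern that a pre-install triage step can flag before anything runs. The following is an added example and not code from the original article or from any analysis of the package: `triagePackage` is a hypothetical helper, and the manifest and packed file list it is run against are constructed samples.

```javascript
// Added example (not from the original article): static triage of an npm
// package for lifecycle scripts that invoke .exe files, and whether those
// executables also ship inside the package tarball.

// Hooks that npm runs automatically during install (and on pack/publish).
const LIFECYCLE_HOOKS = ['preinstall', 'install', 'postinstall', 'prepare'];

// A token ending in .exe at the start of the script or after a shell
// separator, quote, or path separator (e.g. "lib.exe", ".\\lib2.exe").
const EXE_TOKEN = /(?:^|[\s"';&|(\\\/])([\w.-]+\.exe)\b/gi;

/**
 * Inspect lifecycle scripts in a parsed package.json and compare any
 * referenced executables against the list of files in the tarball.
 * Returns one finding per hook: { hook, script, executables, bundled }.
 * `bundled` is true when at least one referenced .exe is packed in the tarball.
 */
function triagePackage(manifest, packedFiles) {
  // Index packed files by lower-cased basename so "package/lib.exe" matches "lib.exe".
  const files = new Set(packedFiles.map((f) => f.split(/[\\/]/).pop().toLowerCase()));
  const findings = [];
  const scripts = (manifest && manifest.scripts) || {};
  for (const hook of LIFECYCLE_HOOKS) {
    const script = scripts[hook];
    if (typeof script !== 'string') continue;
    const executables = [...script.matchAll(EXE_TOKEN)].map((m) => m[1]);
    if (executables.length === 0) continue;
    findings.push({
      hook,
      script,
      executables,
      bundled: executables.some((e) => files.has(e.toLowerCase())),
    });
  }
  return findings;
}

// Constructed sample: a manifest whose postinstall chains two bundled binaries.
const SAMPLE_MANIFEST = {
  name: 'xpc.js',
  version: '1.0.0',
  scripts: { postinstall: 'lib.exe && lib2.exe', test: 'node test.js' },
};
const SAMPLE_FILES = ['package/package.json', 'package/lib.exe', 'package/lib2.exe'];

// Convenience wrapper so the sample result can be inspected or asserted on.
function sampleFindings() {
  return triagePackage(SAMPLE_MANIFEST, SAMPLE_FILES);
}
```

The file list for a real package can be obtained offline from the tarball (`tar -tzf` on the downloaded `.tgz`) before running `npm install` in a sandbox.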

The 'lib2.exe' file is a dropper that delivers a corrupted ZIP file. The name of the downloaded archive and the location it is placed into are determined through a hardcoded webhook. The ZIP archive contains 34 DLL and two EXE files. The executables are named 'osloader.exe' and 'winresume.exe' and are launched by 'lib2.exe' itself. This post-infection malware possesses significant RAT (Remote Access Trojan) capabilities. It can escalate its privileges, take screenshots, perform keylogging activities, access connected webcams, etc.

Furthermore, it establishes a backdoor with a REST API running on port 20202 on the compromised machine, ensuring easy access for the Command-and-Control infrastructure. The 'winresume' binary is a tampered version of the legitimate 'winresume.exe' application, which facilitates the resuming of Windows computers that have been in hibernation mode for prolonged periods. The goal is to hide corrupted code inside legitimate binaries, making the detection of threats that much harder.

Another family of Discord-abusing malware is TroubleGrabber, which, unlike CursedGrabber, abuses two legitimate services, Discord and GitHub, as part of its threatening operations.
