TroubleGrabber Malware Description
The number of malware threats exploiting the Discord social platform and voice chat application is growing steadily, and TroubleGrabber is one of them. It was first detected by researchers who monitored public Discord attachment URLs for unsafe content. TroubleGrabber abuses Discord in several ways, both as a delivery channel and as a Command-and-Control (C2, C&C) communication platform. GitHub, another legitimate service, is used as the repository from which the threat's second-stage payloads are fetched.
The attack chain of the TroubleGrabber Malware begins with the delivery of the threat to the targeted computer through a Discord attachment link. The link leads to an archive containing an executable file; both masquerade as a legitimate application named Discord Nitro Generator. When 'Discord Nitro Generator and Checker.exe' is executed, it drops five additional payloads on the compromised device: Curl.exe, WebBrowserPassView.exe, Tokenstealer.vbs, Tokenstealer.bat and Sendhookfile.exe. All of the second-stage payloads are retrieved from a GitHub repository and downloaded to the C:\temp directory.
Tokenstealer.bat is the main coordinator of the threat's harmful activities and is responsible for executing several of the additional payloads. WebBrowserPassView.exe harvests the passwords saved in all of the victim's Web browsers and stores them in 'C:/temp/Passwords.txt.' The batch script then uses Curl.exe to exfiltrate data to the attacker's Discord server via a webhook: username, IP address, SystemInfo output, time and date, and the tokens of the Discord, Discord PTB and Discord Canary clients. Tokenstealer.bat also handles a cleanup step designed to minimize the traces left by TroubleGrabber's activities, deleting the 'ip_address.txt,' 'WindowsInfo.txt,' 'Passwords.txt,' 'curl-ca-bundle.crt,' 'curl.exe' and 'CustomEXE.exe' files. As a final step, it restarts the compromised computer.
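The chain above (payloads dropped to C:\temp, one of them executed, curl posting to a Discord webhook, staging files deleted) maps cleanly onto endpoint telemetry. The following detection logic is an added example, not code from the write-up or from the malware's authors; it runs over constructed key=value log lines in a simplified Sysmon-like shape (EventType, Image, CommandLine, TargetFilename are assumed field names) and uses only the file names and paths named in the text plus the well-known shape of Discord webhook URLs.

```python
import re
from pathlib import PureWindowsPath

# Artifacts named in the write-up: payloads dropped to C:\temp and files the
# batch script deletes during cleanup (lower-cased for case-insensitive matching).
TEMP_DIR = "c:\\temp"
DROPPED = {"curl.exe", "webbrowserpassview.exe", "tokenstealer.vbs",
           "tokenstealer.bat", "sendhookfile.exe"}
CLEANED = {"ip_address.txt", "windowsinfo.txt", "passwords.txt",
           "curl-ca-bundle.crt", "curl.exe", "customexe.exe"}
# Discord webhook endpoint shape (general knowledge, not quoted from the write-up).
WEBHOOK_RE = re.compile(r"discord(?:app)?\.com/api/webhooks/", re.IGNORECASE)
FIELD_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')

def parse_event(line):
    """Parse one constructed key=value line; quoted values may contain spaces."""
    return {k: (q if v.startswith('"') else v) for k, v, q in FIELD_RE.findall(line)}

def in_temp(path):
    """Return (is the file directly inside C:\\temp, lower-cased file name)."""
    p = PureWindowsPath(path)
    return str(p.parent).lower() == TEMP_DIR, p.name.lower()

def classify(event):
    """Map one event to a stage of the described chain, or None if benign."""
    kind = event.get("EventType")
    if kind == "FileCreate":
        inside, name = in_temp(event.get("TargetFilename", ""))
        if inside and name in DROPPED:
            return "stage2_drop"
    elif kind == "ProcessCreate":
        if WEBHOOK_RE.search(event.get("CommandLine", "")):
            return "webhook_exfil"
        inside, name = in_temp(event.get("Image", ""))
        if inside and name in DROPPED:
            return "payload_exec"
    elif kind == "FileDelete":
        inside, name = in_temp(event.get("TargetFilename", ""))
        if inside and name in CLEANED:
            return "cleanup"
    return None

def scan(lines):
    """Collect stages seen (with 1-based line numbers); 3+ distinct stages = chain."""
    stages = {}
    for n, line in enumerate(lines, 1):
        stage = classify(parse_event(line))
        if stage:
            stages.setdefault(stage, []).append(n)
    return {"stages": stages, "chain": len(stages) >= 3}

SAMPLE_LOG = [  # constructed telemetry mirroring the write-up, not real logs
    r'EventType=ProcessCreate Image="C:\Users\v\Downloads\Discord Nitro Generator and Checker.exe" CommandLine=""',
    r'EventType=FileCreate TargetFilename=C:\temp\curl.exe',
    r'EventType=FileCreate TargetFilename=C:\temp\Tokenstealer.bat',
    r'EventType=ProcessCreate Image=C:\temp\WebBrowserPassView.exe CommandLine=WebBrowserPassView.exe',
    r'EventType=ProcessCreate Image=C:\temp\curl.exe CommandLine="curl.exe https://discord.com/api/webhooks/<ID>/<TOKEN>"',
    r'EventType=FileDelete TargetFilename=C:\temp\Passwords.txt',
    r'EventType=ProcessCreate Image=C:\Windows\System32\notepad.exe CommandLine=notepad.exe',
]
```

Individual stages also fire on legitimate activity (curl.exe in a temp directory, a NirSoft tool run by an admin), so the chain flag, not a single stage, is what should page an analyst.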
The GitHub repository used by TroubleGrabber belongs to a user named 'Itroublve,' who appears to be the threat's original developer. Apart from the second-stage payloads, the repository also hosted an executable named 'ItroublveTSC.exe,' a generator for the malware and its components. Anyone with access to the generator can tailor the threat to their preferences by supplying their own Discord webhooks, entering a fake message, choosing a custom icon, and selecting which additional functionalities to include: 'Crash PC,' 'Auto Remove EXE,' 'Restart Discord,' 'Restart PC,' 'ShutdownPC' and 'Custom EXE.'