A popular trojan known as AnarchyGrabber has been updated in a new release that not only steals passwords from Discord users but also brings a whole slew of new threats. BleepingComputer first alerted us to the new release, AnarchyGrabber3, and to how you can detect whether your Discord client has been compromised.

Not only can the updated version of AnarchyGrabber3 steal the user’s password, it can also disable the user’s two-factor authentication before attempting to spread the malware to those on the user’s friends list. The password itself is stolen in plain text, so the attackers can easily read a user’s credentials and then try them against accounts on other services. This is only part of why it’s important not to reuse the same password across sites.

AnarchyGrabber3 is normally a silent plugin until the malicious script is activated. Once activated, it loads other JavaScript files that first log the user out of their Discord client and prompt them to log back in. Once the user does so, AnarchyGrabber3 automatically attempts to disable two-factor authentication on the user’s account and then takes advantage of Discord’s webhook services to send not only the user’s email address and login name to a compromised server but also the IP address, user token, and their password saved in plain text. It can also listen for remote commands and send messages from the compromised user to those on their friends list.

Commanding victims’ Discord clients to spread malware [Source: BleepingComputer]

Once the Discord client has been modified, AnarchyGrabber3 doesn’t run again. This can make it difficult for antivirus software to detect the threat, as there are no active malicious processes to spot. It also ensures that a victim remains compromised and active as part of the botnet.

So, how can you check whether your Discord client has been compromised with AnarchyGrabber3? Fortunately, there’s an easy way to detect any modifications, and it only requires Notepad. Navigate to %AppData%\Discord\[version]\modules\discord_desktop_core\index.js and open the file with Notepad to see whether it has been modified. A clean index.js file contains only a single line of code: module.exports = require('./core.asar');
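The same check can be scripted so it covers every installed version folder at once. The following is an added example, not code from the article or from Discord; the function names and the sample directory names are assumptions made for illustration, and it ignores harmless differences such as whitespace, quote style and a byte-order mark.

```python
import os
import re
import tempfile
from pathlib import Path

# The single statement the article says a clean index.js contains,
# stored without whitespace or the trailing semicolon.
CLEAN_STATEMENT = "module.exports=require('./core.asar')"

def normalize(source: str) -> str:
    """Strip BOM and whitespace, unify quotes, drop the trailing semicolon."""
    text = source.lstrip("\ufeff").replace('"', "'")
    return re.sub(r"\s+", "", text).rstrip(";")

def is_clean(index_js: Path) -> bool:
    try:
        body = index_js.read_text(encoding="utf-8", errors="replace")
    except OSError:
        return False  # unreadable file: report it for manual review
    return normalize(body) == CLEAN_STATEMENT

def scan_discord(base: Path) -> dict:
    """Map each version folder under base to 'clean' or 'modified'."""
    results = {}
    pattern = "*/modules/discord_desktop_core/index.js"
    for path in sorted(base.glob(pattern)):
        version = path.parent.parent.parent.name
        results[version] = "clean" if is_clean(path) else "modified"
    return results

def build_sample(root: Path) -> Path:
    """Constructed sample tree: one clean file, one with an extra line."""
    samples = {
        "constructed-clean": "module.exports = require('./core.asar');\r\n",
        "constructed-modified": "module.exports = require('./core.asar');\n"
                                "console.log('constructed extra line');\n",
    }
    for version, body in samples.items():
        target = root / version / "modules" / "discord_desktop_core"
        target.mkdir(parents=True)
        (target / "index.js").write_bytes(body.encode("utf-8"))
    return root

if __name__ == "__main__":
    appdata = os.environ.get("APPDATA")
    if appdata:  # Windows: inspect the real client folder
        base = Path(appdata) / "Discord"
    else:        # elsewhere: run against the constructed sample
        base = build_sample(Path(tempfile.mkdtemp()))
    for version, verdict in scan_discord(base).items():
        print(f"{version}: {verdict}")
```

An empty result means no index.js was found under the folder, not that the client is clean. The script inspects only the file the article names.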

Currently, the only method to remove AnarchyGrabber3 is to uninstall and reinstall the Discord client, thus ensuring a fresh install of the plugins and executable.