How I destroyed malware and identified its author — Malware Analysis
Introduction:
Hello Hackers, I’m MrEmpy and welcome. Today I will tell the story of how I found the author of a piece of malware. I will say in advance that identifying the author was very fast, as you will see over the course of this report.
While browsing YouTube, I found a video about a Discord token fuc***. The video was less than 5 minutes long, with background music, no explanation and a flickering screen. On seeing it I imagined it was phishing; it was obvious that it was not real. So I downloaded the executable file and started my analysis to find the author.
Parsing the executable:
Since the executable was related to a Discord token fuc***, I figured the program had been written in Python, since it is the language most programmers use today (it should be used for automation). So I used the pyinstxtractor tool to unpack the executable.
When I saw that the extraction had completed I couldn’t believe the author had compiled a Python script into an executable file. One of the biggest stupidities I’ve ever seen is to create malware in Python and compile it to an executable, for the simple reason that Python is a scripting language, that is, it was created for automation; you will never see a company create paid software in Python.
After extracting, I started reading the strings from the TokenFuc***.pyc file. In the first lines I already found suspicious strings like:
The main information he stole was:
- IP Address
- PC Name
- Phone number
- Nitro (if you had it)
If he extracted this information he had to send it somewhere, and indeed in one of the lines I found a webhook. Format:
https://discord.com/api/webhooks/9008180XXXXXXXXXXX/qpI-vn7K9nawXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
I opened this webhook URL in my browser (a GET on it needs no authentication) and got back information like the webhook name (which was Spider Bot), the channel ID, the server ID and the token. In the URL, the number after “/api/webhooks/” (9008180XXXXXXXXXXX) is the webhook’s own ID, not the server ID; the server (guild) ID is the guild_id field in that response, and that is what I now had on hand. I knew that this malware had been created (or plagiarized) by a Brazilian, and most Brazilian Discord servers use the bot called Loritta, which is similar to the Dyno bot used on non-Brazilian servers. Loritta has a command that shows information about a server given only its ID. I went to one of my servers and used the command to fetch information about this server.
The Loritta bot had been added to the server hosting the victims’ information, so the command worked. The bot returned information about the server like:
- Server name: GRABBER
- Owner: XXXXXXXX#1920
- Text channels: 3
- Voice channels: 1
- Members: 3 (my hypothesis is that it could be 1 staff member and 2 bots, or 2 accounts of the same person and 1 bot)
- Creation date: 10/21/2021
- Region: Brazil
I had his nickname; I searched for it and found his channel.
His channel had over 2,000 subscribers and a few videos.
Remember that webhook I found in the executable? Did you know it is possible to delete it? That’s what I did: with a simple request made with the cURL tool I deleted the webhook.
curl -X DELETE 'https://discord.com/api/webhooks/9008180XXXXXXXXXXX/qpI-vn7K9nawXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX'
Result:
So I finished off the malware. The information was still extracted on the victim’s machine, but there was no longer any channel to deliver it to the attacker. He would have to remake the malware and recompile it to try to steal anyone’s information, but I was on his tail and every day I compared URLs to see if he had uploaded a new executable.
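The three steps above (scanning the unpacked .pyc for a webhook URL, reading the webhook’s metadata with a GET, and killing it with a DELETE) as one Python script. This is an added example, not code from the original post and not code from the malware: the sample bytes, the webhook ID (the post’s redacted prefix zero-filled), the token and the GET response values are all constructed placeholders. The Discord facts it relies on are that the URL is /api/webhooks/{webhook_id}/{token}, that an unauthenticated GET on it returns the webhook object with name, channel_id and guild_id, that an unauthenticated DELETE on it removes the webhook, and that every Discord ID is a snowflake whose top bits are a millisecond timestamp since 2015-01-01, which lets you date the webhook from its ID alone.

```python
import json
import re
from datetime import datetime, timezone
from urllib.request import Request

# Webhook URL layout: /api/webhooks/{webhook_id}/{webhook_token}. The first
# segment is the webhook's own snowflake ID, not the server (guild) ID.
WEBHOOK_RE = re.compile(
    rb"https?://(?:ptb\.|canary\.)?discord(?:app)?\.com/api/webhooks/"
    rb"(?P<id>\d{17,20})/(?P<token>[A-Za-z0-9_-]{50,})"
)
DISCORD_EPOCH_MS = 1420070400000  # 2015-01-01T00:00:00Z, start of Discord snowflakes

# Constructed sample (not from the real file): bytes as they might sit in an
# unpacked .pyc. The ID is the post's redacted prefix zero-filled, the token is
# made up; neither points at a real webhook.
FAKE_TOKEN = b"qpI-vn7K9naw" + b"A" * 56
SAMPLE_PYC_BYTES = (
    b"\x00https://discord.com/api/v9/users/@me\x00"
    b"https://discord.com/api/webhooks/900818000000000000/" + FAKE_TOKEN +
    b"\x00https://api.ipify.org\x00Authorization\x00"
)


def find_webhooks(blob: bytes) -> list[dict]:
    """Return every webhook URL in a binary blob, split into id and token."""
    hits = []
    for m in WEBHOOK_RE.finditer(blob):
        hits.append({
            "url": m.group(0).decode(),
            "id": int(m.group("id")),
            "token": m.group("token").decode(),
        })
    return hits


def snowflake_time(snowflake: int) -> datetime:
    """Creation time encoded in any Discord snowflake (bits 22+ are ms since the Discord epoch)."""
    ms = (snowflake >> 22) + DISCORD_EPOCH_MS
    return datetime.fromtimestamp(ms / 1000, tz=timezone.utc)


def inspect_request(url: str) -> Request:
    """GET on the webhook URL: no auth needed, returns name, channel_id, guild_id."""
    return Request(url, method="GET")


def delete_request(url: str) -> Request:
    """DELETE on the same URL destroys the webhook; the token in the URL is the only credential."""
    return Request(url, method="DELETE")


def summarize(webhook_json: str) -> dict:
    """Pull the attribution fields out of the GET response body."""
    data = json.loads(webhook_json)
    return {
        "name": data.get("name"),
        "guild_id": data.get("guild_id"),
        "channel_id": data.get("channel_id"),
    }


# Constructed GET response using the field names of Discord's webhook object;
# the values are placeholders, not data from the real sample.
SAMPLE_GET_RESPONSE = json.dumps({
    "type": 1,
    "id": "900818000000000000",
    "name": "Spider Bot",
    "channel_id": "900817000000000000",
    "guild_id": "900816000000000000",
    "token": FAKE_TOKEN.decode(),
})

if __name__ == "__main__":
    import sys
    from urllib.request import urlopen

    path = sys.argv[1] if len(sys.argv) > 1 else None
    blob = open(path, "rb").read() if path else SAMPLE_PYC_BYTES
    for hook in find_webhooks(blob):
        print("webhook", hook["id"], "created", snowflake_time(hook["id"]).isoformat())
        # Live use, in this order (attribution first, then destruction):
        #   print(summarize(urlopen(inspect_request(hook["url"])).read().decode()))
        #   urlopen(delete_request(hook["url"]))
    print(summarize(SAMPLE_GET_RESPONSE))
```

Run it with the path to the extracted .pyc as the argument to scan a real file; the live GET and DELETE calls are left as comments so the script never touches the network on its own, and you should record guild_id and channel_id before deleting, because once the webhook is gone that attribution data goes with it. The snowflake decoding is the extra check worth having: the seven visible digits of the redacted ID alone pin the webhook’s creation to within about seven hours on the evening of 21 October 2021 UTC, consistent with the server creation date Loritta reported.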
Conclusion:
After a few months his account disappeared from Discord. I’m not sure whether it was banned or he deleted it, but I think a ban is more likely, since a search based on his nickname turned up illegal things he had done beyond stealing information with Python malware.
Some lessons we learned from this story:
- Do not create malware in Python
- Never use Discord webhooks
- Never add the Loritta bot
I confess that I laughed while writing this story. 🤣