Concise Cyber

Subscribe below for free to get these delivered straight to your inbox

Advertisements
Hackers Target Discord Users with RedTiger Infostealer to Hijack Accounts
Advertisements

Cybersecurity researchers have identified an active campaign where hackers are deploying a new information-stealing malware to compromise Discord accounts. The malware, based on the open-source RedTiger token logger, is designed to exfiltrate user data, including authentication tokens, to facilitate account takeovers.

The campaign was first detailed by analysts at the AhnLab Security Emergency Response Center (ASEC). The threat actors use social engineering tactics to lure victims into their trap, leveraging the popularity of Discord’s premium Nitro subscription.

Distribution and Infection Method

The primary distribution vector for this RedTiger-based malware is a fraudulent website that impersonates an official Discord page. Users are tricked into visiting the site under the pretense of receiving a free Discord Nitro subscription. The deceptive site prompts them to download a malicious ZIP archive, typically named “Discord-Nitro-Generator-and-Checker.zip”.

Inside the archive is an executable file that, once run, initiates the infection process. The malware immediately copies itself to the system’s %AppData% directory and establishes persistence by creating a scheduled task. This ensures the malware runs automatically even after a system reboot, maintaining its presence on the compromised machine.

Data Theft and Account Hijacking

Once active, the infostealer scans the system for data stored by web browsers, including Chromium-based browsers like Google Chrome, Microsoft Edge, and Brave, as well as Firefox. Its primary target is Discord application data. The malware specifically extracts authentication tokens, which are used by the platform to keep users logged in.

After gathering the tokens and other system information like IP address and user details, the malware sends the stolen data to the attackers’ command and control server using a Discord webhook. The threat actors then use these tokens to gain full access to the victim’s account. Furthermore, the malware modifies the Discord client’s core files, ensuring that even if a user changes their password, the new token is captured and exfiltrated, allowing the attackers to maintain control.

All articles are written here with the help of AI on the basis of openly available information which cannot be independently verified. We do strive to quote the relevant sources.The intent is only to summarise what is already reported in public forum in our own wordswith no intention to plagarise or copy other person’s work.The publisher has no intent to defame or cause offence to anyone, any person or any organisation at any moment.The publisher assumes no responsibility for any damage or loss caused by making decisions on the basis of whatever is published on cyberconcise.com.You’re advised to do your own checks and balances before making any decision, and owners and publishers at cyberconcise.com cannot be held accountable for its resulting ramifications.If you have any objections, concerns or point out anything factually incorrect, please reach out using the form on https://concisecyber.com/about/

Discover more from Concise Cyber

Subscribe now to keep reading and get access to the full archive.

Continue reading