A new piece of malware called NitroHack has been developed to target users of Discord, the chat service popular with the online gaming community. It is distributed through the application's own direct-messaging system, and many users are believed to be affected.
Discord Virus Called The NitroHack Malware Delivered Via DMs
An unknown hacking group is actively spreading a virus aimed at Discord users called the NitroHack malware. Nothing is known about the identity of the attackers, but the quality of the code suggests they are experienced. This is the first attack campaign carrying this particular threat, which suggests that, depending on how successful the ongoing intrusions are, a second wave may follow.
The Discord virus is spread in a large-scale campaign that markets the infected files as a Discord hack, advertised as giving users premium services for free. Several infection methods can be used to deliver the NitroHack malware:
- Phishing Strategies — The executables and other virus-related files can be advertised on counterfeit pages that impersonate well-known companies and services. Interacting with such a page downloads the virus or links to it.
- Payload Carriers — The virus code can be embedded in various kinds of files. These include macro-infected documents in all popular formats as well as application installers. They can be spread through the phishing strategies above or uploaded to file-sharing networks, of which BitTorrent is the most popular example. Because the malware is themed around Discord, the carrier files can be made to look like Discord updates, plugins, themes and other related data.
- Other Malware Deployment — The NitroHack malware can be installed by other malware that has previously infected the system. Common examples are browser hijackers and file-encrypting ransomware.
Targeted users receive messages from hacker-controlled accounts or from already compromised users. These messages can carry attached files or links that lead directly to the virus files or to landing pages. In other cases users are tricked into opening redirect links, usually hosted on URL-shortening services so that the final destination is hidden.
The NitroHack Malware Includes Sophisticated Functionality
Once installed, the malware establishes a persistent infection: its code starts automatically whenever the computer is powered on. In some cases it can also alter the settings of system services and user-installed applications and prevent them from running. Other system modifications can include restricting access to the recovery options, which makes most manual removal methods very difficult to follow.
One of the key capabilities of the NitroHack malware is the theft of sensitive information. In this case it harvests data from the local storage of Chromium-based web browsers and of the Discord client itself; examples are Chrome, Opera, Brave, Yandex Browser, Vivaldi and Chromium. This data is scanned for any stored Discord tokens, and whatever is found is automatically posted to a hacker-operated Discord channel. A stolen token lets the attacker act as the account without knowing its password, so affected users should treat the account as fully compromised.
Another dangerous function found in the current versions of the malware is the theft of financial data. The malware enumerates stored payment card information and attempts to inject a website overlay that opens a fake payment form, tricking users into entering sensitive data.
Finally, the virus hijacks the victim's Discord friends list and sends each contact a message containing the virus, again pretending to be a Discord hack. This worm-like propagation is how the NitroHack malware was able to quickly amass a large number of infected computers.
Computer users who believe they are infected can check their Discord installation by opening the file %AppData%\Discord\0.0.306\modules\discord_voice\index.js (the version directory, 0.0.306 here, may differ on other installations) and looking for modifications. An unmodified version of the file ends with the following line; any code appended after it is suspicious:
module.exports = VoiceEngine;
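As an added example (not code from the article, from Discord, or from the malware), the following Python script automates that check. It looks for discord_voice/index.js under every version directory below %AppData%\Discord, which generalizes the article's single 0.0.306 path, strips trailing blank lines, and reports any code found after the expected `module.exports = VoiceEngine;` line. The version-wildcard layout and the function names are assumptions, and the two sample file contents are constructed stand-ins, not real Discord or NitroHack code.

```python
"""Integrity check for Discord's discord_voice/index.js.

Added example; not code from the article, from Discord, or from the malware.
Assumption: an unmodified module ends with `module.exports = VoiceEngine;`
(as the article states), so any non-blank line after it is suspicious.
The version-directory wildcard and the function names are assumptions.
"""
import glob
import os

EXPECTED_LAST_LINE = "module.exports = VoiceEngine;"


def check_voice_module(source: str):
    """Return (clean, trailing) for the text of an index.js.

    clean    -- True only if the last non-blank line is EXPECTED_LAST_LINE.
    trailing -- non-blank lines found after the expected line (the appended
                code), or the whole file if the expected line is missing.
    """
    lines = [ln.rstrip("\r") for ln in source.split("\n")]
    while lines and not lines[-1].strip():   # ignore trailing blank lines
        lines.pop()
    if not lines:
        return False, []                     # empty file: not the stock module
    if lines[-1].strip() == EXPECTED_LAST_LINE:
        return True, []
    marker = [i for i, ln in enumerate(lines) if ln.strip() == EXPECTED_LAST_LINE]
    trailing = lines[marker[-1] + 1:] if marker else lines
    return False, [ln for ln in trailing if ln.strip()]


def find_voice_modules(appdata=None):
    """Locate discord_voice/index.js under every Discord version directory.

    Generalizes the article's single 0.0.306 path to any version (assumed
    layout: %AppData%\\Discord\\<version>\\modules\\discord_voice\\index.js).
    """
    appdata = appdata if appdata is not None else os.environ.get("APPDATA", "")
    if not appdata:
        return []
    pattern = os.path.join(appdata, "Discord", "*", "modules",
                           "discord_voice", "index.js")
    return sorted(glob.glob(pattern))


def scan(paths):
    """Check each file on disk and map path -> (clean, trailing)."""
    results = {}
    for path in paths:
        with open(path, encoding="utf-8", errors="replace") as fh:
            results[path] = check_voice_module(fh.read())
    return results


# Constructed sample contents (stand-ins, not real Discord or NitroHack code).
CLEAN_SAMPLE = (
    "// constructed stand-in for the stock module body\n"
    "class VoiceEngine {}\n"
    "module.exports = VoiceEngine;\n"
)
INFECTED_SAMPLE = CLEAN_SAMPLE + (
    "\n"
    "// constructed stand-in for code appended by the malware\n"
    "const https = require('https');\n"
    "process.on('exit', () => {});\n"
)

if __name__ == "__main__":
    # Demonstrate on the constructed samples, then on the real installation.
    for name, sample in (("clean sample", CLEAN_SAMPLE),
                         ("infected sample", INFECTED_SAMPLE)):
        clean, trailing = check_voice_module(sample)
        print(f"{name}: {'OK' if clean else 'MODIFIED'}")
        for ln in trailing:
            print("    appended:", ln)
    for path, (clean, trailing) in scan(find_voice_modules()).items():
        print(f"{path}: {'OK' if clean else 'MODIFIED'}")
        for ln in trailing[:5]:
            print("    appended:", ln)
```

The check deliberately keys on the last non-blank line rather than on a hash of the whole file, because the article gives no reference hash and the stock module changes between Discord versions; a hash comparison would need a known-good copy for the exact version installed. A file that is flagged should be treated as confirmation of compromise rather than simply cleaned by hand, since the same infection also harvests tokens.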