The cybersecurity firm has identified four malicious packages designed to steal sensitive information from programmers who use Discord. The attackers steal credit card data and monitor personal accounts. The malware campaign targets Brazilian users.

Cybersecurity giant Kaspersky has warned about the theft of credit card information on Discord, a communication platform widely used by the crypto community to discuss projects, foster ideas, and build new connections across the entire chain.

The company’s researchers identified four malicious open-source packages built to steal sensitive information from developers on Discord.

How the Malware Campaign Works

Kaspersky analysts have discovered a new malicious campaign in Brazil called LofyLife, which uses four open-source packages to spread the Volt Stealer and Lofy Stealer malware within Discord. The Trojans aim to steal user credentials and credit card information used in the app.

Experts found four Trojan packages in the repository containing malicious scripts with the keyword “Brazil”, an indication that the campaign is targeting Brazilian users.

Once installed on the targeted victims’ machines, the malicious packages look like development packages used for common Discord tasks, such as text editing or certain game features. However, they contain complex, corrupted JavaScript and Python code, as well as Trojans that go by the names of Lofy Stealer and Volt Stealer, respectively.

Volt Stealer is a known piece of malware used to steal Discord tokens from infected machines, along with the victim’s IP address; both are sent over HTTP to the cybercriminal. New to the campaign is Lofy Stealer, a new piece of malicious code capable of infecting Discord users’ files and monitoring the victim’s actions within their account.

After an infection by Lofy Stealer, everything a user does on their account is tracked, from email or password changes to security settings like multi-factor authentication (MFA), and even the addition of new payment methods such as new credit cards. The collected information is also sent to the remote endpoint controlled by the criminals.

Threat to Community of Developers

The campaign is yet another example of a growing threat to the developer community, who may unknowingly download malware while using open source programming packages within Discord.

“Heavily obfuscated malicious packages using Javascript and Python are pushed to the NPM repository for potential typo attacks (mistyping a URL in the browser). Publicly available information suggests that the packages are primarily targeted at Discord users with a focus on Brazil,” explains Fabio Assolini, Director of Kaspersky’s Global Research and Analysis Team for Latin America.

Given the above, one of the most common tips from experts on the subject is to always check links before clicking. Email addresses and web pages that seem trustworthy are often imitated with barely noticeable changes. It is worth reading them several times before clicking and, as always, doing your own research before making decisions.

By Audy Castaneda
