Roblox and Discord Become Virus Vectors for New PyPI Malware
If you can communicate on it, you can abuse it. This was proven again recently when a hacker using the name “scarycoder” uploaded a dozen malicious Python packages to PyPI, the popular Python code repository. These bits of code pretended to provide useful functions for Roblox gaming community developers, but all they really did was steal users’ information. So far, so typical. Where it got interesting is it used the Discord messaging app to download malicious executable files.
Snyk developer security researchers found the nasty Python code with their static analysis tools. These poisonous packages were built with PyInstaller. This bundled the malicious application and its dependencies into one package. purpose. PyInstaller served two purposes here. First, it tried to make it harder to detect by incorporating the malicious code in dependencies instead of downloading them from a remote server to the host. Second, this enabled them to provide naive developers with an executable file that didn’t require the safety belt interpreter.
Perfect Storm
Since, as Taylor Ellis, a Customer Threat Analyst for Horizon3ai, an Autonomous pentest startup, said, “Roblox is an online gaming platform where users go to play games or create their own gaming programs. It is highly popular among children, for according to their user base, 67% of Roblox users are under the age of 16.” And, since Roblox players frequently go on Discord to talk with strangers, you’ll have a perfect storm for users’ machines to get infected. These still wet behind the ears developers don’t realize that running an unknown executable is just asking to be hacked.
Ellis added, “Roblox and Discord need to do more to protect the majority of young users on their platforms.” And “Roblox does little to warn their users about the dangers of clicking on malicious links within their platform, which sometimes lead to a malevolent Discord server or external backwater website.”
Easy to Abuse
In the battle between ease of use and security, Roblox and Discord err on the side of making their systems too easy to abuse.
As for the attacks themselves, Snyk observes that the Windows malware targets data that is stored for everyday user applications. In particular, it goes after Google Chrome passwords, cookies, web history, search history, and bookmarks. It does this by trying to decrypt Chrome’s master key.
Discord Injector
Discord itself is also targeted. It exfiltrates Discord tokens and injects a persistent malicious agent along the way. Snyk’s researchers state, “This malicious code, known as Discord Injector, can relay an alarming amount of information to the attacker. Not only will it share your credentials, but it can also skim your credit card information if you input it after the injector is loaded.”
Isn’t this just what you always wanted?
In addition, the malware uses Discord resources to distribute executables. This isn’t the first rodeo for this technique. Indeed, it was finding cdn.discord.com, the Discord Content Distribution Network (CDN), in the code, which tipped off Snyk’s security researchers.
Using the Discord CDN server, masked the malware files as any old Windows executables, and eventually launched them. After they’re executed, the files are deleted to cover up the attack’s tracks.
The malicious files are history now, but it serves as a three-fold warning. PyPI, which is run by a small group of volunteers, doesn’t have the resources for strong security. And, while Roblox may appear to be a trivial development platform and Discord has only a 15% share of the gaming development market share, they can be used by ill-intended hackers all too easily.
