# Hazard Token Grabber

**blog.cyble.com/2022/06/01/hazard-token-grabber/**

## Upgraded version of Stealer Targeting Discord Users

June 1, 2022

Cyble Research Labs has come across a new strain of information-stealing malware named Hazard Token Grabber. The initial version of Hazard Token Grabber was spotted in the wild in 2021, and we have now observed an upgraded version that Threat Actors (TAs) are using to steal user data. Both versions are available on GitHub for free.

During our OSINT threat hunting exercise, we came across over 2,000 samples related to this stealer in the wild. Most of them are the actual Python source code used to compile the binary, which indicates that the malware is being used on a large scale. Interestingly, a few of the samples had low or even zero detection.

According to a statement made by the Threat Actor (TA), an upgraded version of Hazard Stealer can be obtained by purchasing it on their Discord server or website. This suggests that the build on GitHub is not the evasive one and that the TA uploaded it there for advertisement purposes. Figure 1 shows the statement made by the TA.

Figure 1 – Statement made by TA

The number of samples related to Hazard Stealer has increased significantly in the last three months, as shown below.

Figure 2 – Stats of the sample submission in VirusTotal

The figure below shows the file details of one of the recent samples we analyzed.

Figure 3 – File Details

## Technical Analysis

### Builder

Hazard Token Grabber is written in Python, and its builder supports Python 3.10. The builder is a simple batch file that generates the payload and converts the malicious Python script into an .exe file using PyInstaller.
Figure 4 – Hazard builder

### Payload

The malware exfiltrates the stolen data to a Discord channel through webhooks, which can be changed in the configuration settings. The configuration also contains flag variables and a list of programs to terminate during execution, as shown below.

Figure 5 – File Configuration

The malware copies itself into the Startup location to establish persistence and creates a randomly named directory under %temp% to store the stolen data.

Figure 6 – Creating a folder in the Temp directory

Upon execution, the stealer reads the configuration and builds a list of the functions whose flag is set to TRUE. It then creates a thread for each function in the list so that the malicious routines run in parallel.

Figure 7 – Multithreading

### Anti-debug

The malware performs various anti-analysis checks and terminates itself if it concludes that it is being debugged or analyzed. It carries hardcoded lists of hardware IDs, PC names, and usernames that are excluded from infection. The figure below shows the hardcoded lists.

Figure 8 – Anti-debug check

The malware also checks the disk size of the victim's system and terminates itself if it is below 50 GB. It then reads the following registry keys to identify a virtual environment:

- `SYSTEM\CurrentControlSet\Services\Disk\Enum`
- `HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc`
- `HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName`

`Disk\Enum` lists the device IDs of attached disks, which typically carry the hypervisor vendor's name on a VM, and `{4D36E968-E325-11CE-BFC1-08002BE10318}` is the Display adapters device class, so `DriverDesc` and `ProviderName` of adapter `0000` reveal a virtual display driver. Sandbox operators who want this sample to run to completion need to present plausible values for all three.

Figure 9 – Query registry

### Data Harvesting

The malware then checks for the presence of Discord Token Protector, a tool that protects Discord tokens from grabbers. To defeat it, the malware looks for certain files such as DiscordTokenProtector.exe, ProtectionPayload.dll, and secure.dat.
If these files are present in the DiscordTokenProtector directory, the malware deletes them. It also modifies the config.json file in that directory to bypass the token protector.

Figure 10 – Bypassing DiscordTokenProtector

Hazard Token Grabber then bypasses BetterDiscord by replacing the string 'api/webhooks' with 'RdimoTheGoat' in BetterDiscord's files, as shown below. The replacement neuters BetterDiscord's check for webhook requests, and the string itself is a useful host artifact when triaging a suspected infection.

Figure 11 – Bypassing BetterDiscord

Using the subprocess module, the malware spawns PowerShell to fetch the Windows activation key and product name by querying the registry keys shown in the figure below, and stages this data for exfiltration.

Figure 12 – Spawning PowerShell

The malware targets over 20 applications with the express purpose of stealing Discord tokens: Discord, DiscordCanary, Lightcord, DiscordPTB, Opera, OperaGX, Amigo, Torch, Kometa, Orbitum, CentBrowser, 7Star, Sputnik, Vivaldi, ChromeSxS, Chrome, EpicPrivacyBrowser, Microsoft Edge, Uran, Yandex, Brave, Iridium, and Mozilla Firefox.

Cookies and login credentials are stolen from the Chrome browser only. Each stolen credential consists of a domain, username, and password. The data is saved to a text file, which is copied to the random folder created earlier.

Figure 13 – Stealing data from Chrome browser

The malware calls the Discord API endpoint hxxps[:]//discord[.]com/api/v9/users/@me with a stolen token as the Authorization header to retrieve account information such as email, phone number, and billing details. It also identifies the badges associated with the account and writes all of the harvested information to "Discord Info.txt", as depicted below.
Figure 14 – Harvesting data using Discord developer's API

Hazard Token Grabber reads the registry key `SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com` (value name `.ROBLOSECURITY`) to steal the Roblox Studio session cookie and writes it to "Roblox Cookies.txt".

Figure 15 – Stealing Roblox Studio Cookies

### Data Exfiltration

Hazard Token Grabber sends a request to hxxps[:]//ipinfo[.]io/json to identify the victim's IP address and location, and also derives a Google Maps location for the victim. This data is not written to a file; it is sent directly as a Discord message. Finally, the malware compresses the stolen data and exfiltrates it through the webhooks specified by the TA.

Figure 16 – Data Exfiltration

## Conclusion

During our analysis, we saw samples of Hazard Token Grabber that were fully undetectable. As the stealer is also available on GitHub, other TAs can reuse its source code to create their own variants. Hazard Stealer can steal data from multiple applications; however, given its specific functionality, its primary target appears to be Discord users.

## Our Recommendations

- Avoid downloading applications from unknown sources.
- Use a reputed anti-virus and internet security software package on your connected devices, including PCs, laptops, and mobile devices.
- Use strong passwords and enforce multi-factor authentication wherever possible. Note that a stolen Discord token is a post-authentication credential, so MFA alone does not stop its reuse; the token has to be revoked.
- Update your passwords periodically. A Discord password change invalidates the account's existing tokens, so do it immediately if an infection is suspected.
- Refrain from opening untrusted links and email attachments without first verifying their authenticity.
- Block URLs that could be used to spread the malware, e.g., Torrent/Warez sites.
- Monitor beaconing at the network level to block data exfiltration by malware or TAs.
- Enable a Data Loss Prevention (DLP) solution on employees' systems.
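The tampering described in the Data Harvesting section leaves artifacts on the host that can be checked during triage. The script below is an added example written for this page; it is not Cyble's code and not taken from the grabber's GitHub repository. The Discord Token Protector file names, the config.json edit, the 'RdimoTheGoat' string, and the Startup-folder persistence come from the analysis above. Two things are assumptions: the PyInstaller archive cookie magic used to spot a PyInstaller-packed executable, and the directory layout of the constructed fixture, which stands in for the real install locations and is built in a temporary directory so the checks run offline.

```python
"""Host-side triage for the Hazard Token Grabber artifacts described above.
Added example, not Cyble's or the malware author's code. Paths are passed in
explicitly so the checks can run against a constructed fixture."""
import json
import tempfile
from pathlib import Path

# Files the analysis says the grabber deletes from the DiscordTokenProtector directory.
PROTECTOR_FILES = ("DiscordTokenProtector.exe", "ProtectionPayload.dll", "secure.dat")
# String the analysis says replaces 'api/webhooks' inside BetterDiscord.
WEBHOOK_PATCH = b"RdimoTheGoat"
# PyInstaller CArchive cookie magic (assumption about the packer, not from the page).
PYINSTALLER_MAGIC = b"MEI\014\013\012\013\016"


def check_token_protector(dtp_dir: Path) -> list:
    """Findings for a Discord Token Protector install directory."""
    findings = []
    if not dtp_dir.is_dir():
        return findings  # not installed; nothing to check
    missing = [f for f in PROTECTOR_FILES if not (dtp_dir / f).exists()]
    if missing:
        findings.append("protector files missing: " + ", ".join(missing))
    cfg = dtp_dir / "config.json"
    if cfg.exists():
        try:
            json.loads(cfg.read_text(encoding="utf-8"))
        except (ValueError, UnicodeDecodeError):
            findings.append("config.json is not valid JSON")
        else:
            if missing:  # config kept while the binaries are gone matches Hazard's bypass
                findings.append("config.json present but protector binaries removed")
    return findings


def check_betterdiscord(bd_dir: Path) -> list:
    """BetterDiscord files carrying Hazard's 'RdimoTheGoat' replacement."""
    hits = []
    if not bd_dir.is_dir():
        return hits
    for path in bd_dir.rglob("*"):
        if path.is_file() and WEBHOOK_PATCH in path.read_bytes():
            hits.append(path.relative_to(bd_dir).as_posix())
    return sorted(hits)


def check_startup(startup_dir: Path) -> list:
    """Executables in the Startup folder that look PyInstaller-packed (heuristic)."""
    hits = []
    if not startup_dir.is_dir():
        return hits
    for path in startup_dir.iterdir():
        if path.suffix.lower() == ".exe" and PYINSTALLER_MAGIC in path.read_bytes():
            hits.append(path.name)
    return sorted(hits)


def triage(root: Path) -> dict:
    """Run all three checks under one root; the sub-folder names are the fixture's."""
    return {
        "token_protector": check_token_protector(root / "DiscordTokenProtector"),
        "betterdiscord": check_betterdiscord(root / "BetterDiscord"),
        "startup": check_startup(root / "Startup"),
    }


def build_fixture(root: Path) -> None:
    """Constructed post-infection tree: protector binaries deleted, config kept,
    BetterDiscord patched, and a PyInstaller-style dropper in Startup."""
    dtp = root / "DiscordTokenProtector"
    dtp.mkdir()
    (dtp / "config.json").write_text('{"note": "constructed fixture"}', encoding="utf-8")
    bd = root / "BetterDiscord" / "data"
    bd.mkdir(parents=True)
    (bd / "betterdiscord.asar").write_bytes(b"fetch('https://discord.com/RdimoTheGoat/1/x')")
    (bd / "plugins.json").write_bytes(b"{}")
    su = root / "Startup"
    su.mkdir()
    (su / "Updater.exe").write_bytes(b"MZ" + b"\0" * 64 + PYINSTALLER_MAGIC + b"\0" * 8)
    (su / "notes.txt").write_bytes(b"benign")


def run_demo() -> dict:
    """Build the fixture in a temp dir and triage it; returns the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_fixture(root)
        return triage(root)


if __name__ == "__main__":
    for area, result in run_demo().items():
        print(f"{area}: {result}")
```

On a real host, point `triage`'s three paths at the actual Discord Token Protector, BetterDiscord, and per-user Startup folders. The Startup check is only a heuristic: legitimate PyInstaller programs exist, so treat a hit as something to review alongside the other two findings rather than as proof of infection.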
## MITRE ATT&CK® Techniques

| Tactic | Technique ID | Technique Name |
| --- | --- | --- |
| Execution | [T1204](https://attack.mitre.org/techniques/T1204/) | User Execution |
| Defense Evasion | [T1497.001](https://attack.mitre.org/techniques/T1497/001/) | Virtualization/Sandbox Evasion: System Checks |
| Persistence | [T1547.001](https://attack.mitre.org/techniques/T1547/001/) | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder |
| Credential Access | [T1555](https://attack.mitre.org/techniques/T1555/) | Credentials from Password Stores |
| Credential Access | [T1539](https://attack.mitre.org/techniques/T1539/) | Steal Web Session Cookie |
| Credential Access | [T1528](https://attack.mitre.org/techniques/T1528/) | Steal Application Access Token |
| Collection | [T1113](https://attack.mitre.org/techniques/T1113/) | Screen Capture |
| Discovery | [T1087](https://attack.mitre.org/techniques/T1087/) | Account Discovery |
| Discovery | [T1518](https://attack.mitre.org/techniques/T1518/) | Software Discovery |
| Discovery | [T1057](https://attack.mitre.org/techniques/T1057/) | Process Discovery |
| Discovery | [T1124](https://attack.mitre.org/techniques/T1124/) | System Time Discovery |
| Discovery | [T1007](https://attack.mitre.org/techniques/T1007/) | System Service Discovery |
| Discovery | [T1614](https://attack.mitre.org/techniques/T1614/) | System Location Discovery |
| Command and Control | [T1071](https://attack.mitre.org/techniques/T1071/) | Application Layer Protocol |
| Exfiltration | [T1041](https://attack.mitre.org/techniques/T1041/) | Exfiltration Over C2 Channel |

## Indicators of Compromise (IoCs)

| Indicator | Indicator type | Description |
| --- | --- | --- |
| 2e434a36c1c3df178e3d19a66e871144 | MD5 | Payload |
| d079bcd90c03088e9c5e77084f8e4c385557db6b | SHA1 | Payload |
| 2441f2df1789cfc48a170a7927d73b98d8676a65eb81f3b068e4c76c3b85e77a | SHA256 | Payload |
| 7fdc0515d98ff7d113ce68cccf29ae12 | MD5 | Payload |
| 3f4966ec6ecc8973702f32e51eb766dda737f2d0 | SHA1 | Payload |
| 4ac15d15ff16919a08770265c074e8e89b21c9b61ce6348072aa719e80b5ed06 | SHA256 | Payload |
| c2ea16d8bfec78e1b2bf4322df0f63bd | MD5 | Payload |
| 083f1d520e8524d778e1c52b4cbdd5986ca6365c | SHA1 | Payload |
| 6925d86fdedff2065c33df7806ba231d0d1c8f2d5246f1cad343f37fee54fe29 | SHA256 | Payload |
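File hashes cover only the three builds above, and the page notes that most samples are freshly compiled from source. The exfiltration sequence described in the Data Exfiltration section (a lookup of ipinfo.io/json followed by a POST to a Discord webhook from the same host) is a more durable thing to hunt for, and is what the "monitor beaconing at the network level" recommendation amounts to in practice. The script below is an added example for this page, not Cyble's code or a vendor signature. The proxy-log format is constructed (timestamp, client IP, method, URL, status, bytes sent) and the sample lines are made up; the ten-minute correlation window is an arbitrary choice. The `discord.com/api/v9/users/@me` call is deliberately not used as an indicator because the legitimate Discord client makes it too.

```python
"""Proxy-log hunt for Hazard Token Grabber's exfiltration sequence: a geo-IP
lookup of ipinfo.io/json followed shortly by a POST to a Discord webhook from
the same client. Added example with a constructed log format; not Cyble's code."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines: "<ISO timestamp> <client-ip> <method> <url> <status> <bytes sent>"
# .15 shows the full Hazard sequence, .31 is a legitimate bot posting to a webhook,
# .42 has both events but 95 minutes apart.
SAMPLE_LOG = """\
2022-05-30T09:12:01Z 10.20.0.15 GET https://ipinfo.io/json 200 0
2022-05-30T09:12:02Z 10.20.0.15 GET https://discord.com/api/v9/users/@me 200 0
2022-05-30T09:12:09Z 10.20.0.15 POST https://discord.com/api/webhooks/1234567890/AbCdEf 204 812340
2022-05-30T09:30:44Z 10.20.0.31 POST https://discord.com/api/webhooks/555/GitBot 204 1200
2022-05-30T10:05:00Z 10.20.0.42 GET https://ipinfo.io/json 200 0
2022-05-30T11:40:00Z 10.20.0.42 POST https://discord.com/api/webhooks/777/xyz 204 5000
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (GET|POST) (\S+) (\d{3}) (\d+)$")
WEBHOOK_RE = re.compile(r"^https://(?:[\w-]+\.)?discord(?:app)?\.com/api/webhooks/")
GEOIP_RE = re.compile(r"^https://ipinfo\.io/json")


def parse(log_text: str) -> list:
    """Parse the constructed log format into event dicts; unparseable lines are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, src, method, url, status, sent = m.groups()
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "src": src, "method": method, "url": url,
            "status": int(status), "sent": int(sent),
        })
    return events


def redact_webhook(url: str) -> str:
    """Keep the webhook ID (useful for blocking) but drop the token part of the URL."""
    head, sep, tail = url.partition("/api/webhooks/")
    if not sep:
        return url
    return f"{head}{sep}{tail.split('/', 1)[0]}/<redacted>"


def find_exfil(events: list, window: timedelta = timedelta(minutes=10)) -> list:
    """One alert per webhook POST that follows an ipinfo.io/json lookup from the
    same client within `window`. A lone webhook POST (bots, CI) does not alert."""
    by_host = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_host[e["src"]].append(e)
    alerts = []
    for src, evs in by_host.items():
        last_geo = None
        for e in evs:
            if GEOIP_RE.match(e["url"]):
                last_geo = e["ts"]
            elif e["method"] == "POST" and WEBHOOK_RE.match(e["url"]):
                if last_geo is not None and e["ts"] - last_geo <= window:
                    alerts.append({
                        "src": src,
                        "webhook": redact_webhook(e["url"]),
                        "bytes": e["sent"],
                        "geoip_to_post_s": int((e["ts"] - last_geo).total_seconds()),
                    })
                    last_geo = None  # one alert per lookup
    return alerts


if __name__ == "__main__":
    for alert in find_exfil(parse(SAMPLE_LOG)):
        print(alert)
```

The bytes-sent field is worth keeping in the alert: Hazard zips the harvested files before the webhook POST, so a large upload to a webhook right after a geo-IP lookup is the shape to look for, whereas chat bots post small JSON bodies. The redacted webhook URL (host plus ID) is itself an indicator to block at the proxy once an alert is confirmed.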