As we've navigated our post-hack plan the last few days, a lot of people (including myself) were surprised to hear that Xin's 2FA account protection didn't do anything to stop a phishing attack.
If you're one of those people, I figured I'd share a Reddit post by u/tropix126 that explains what happened in simple terms. You can find it here or just read on.
TL;DR: A hacker doesn't need your login if they have your auth token, and phishing links deliver software that steals that token. So keep 2FA on, never give out your token, and treat any link from any stranger as a red flag.
So. Recently, there have been several concerns over a new account-credential-stealing piece of software identified as "AnarchyGrabber". This isn't actually the first token logger software, but it's by far the most accessible and easiest to deploy, making it gain some traction recently. So, what can you do to avoid getting infected?
First off, I want to explain what the token essentially is. If you are familiar with OAuth and/or Discord's internal structures, you can skip this bit. Essentially, the token is a string of letters and numbers unique to your account. This token is used internally by the client for login requests. With this, you can instantly log into an account with the correct token. A common misconception is that the token is the same as the password, which is false, although changing your password will regenerate the token. Mainly this is used for bot accounts and development; however, this system is also utilized by normal accounts.
Now a quick look at the malware. Anarchy is usually spread through a single executable file. This makes it relatively easy to spread in many ways. It may be bundled with software, or be used in some of those "free nitro" scams. Once the victim successfully runs the file, anarchy will first kill the discord client process. Then, it injects itself into the following directory.
Essentially, the malware will inject itself in a similar fashion to client mods. The "4n4chy" folder holds the necessary files for the program to run. It also injects itself into the index file. The index file essentially contains instructions for which files and code snippets to run on discord startup. A normal non-infected index file will look like this.
module.exports = require('./core.asar');
If you have a client mod installed, this will most likely be different. Either way, this isn't a place to discuss those things. Essentially, the victim will then re-launch discord and be greeted with the login screen. This is a real login screen, however now that the malicious code is running, you are no longer protected. Once the credentials are entered, the user will login as normal, however the now unprotected token is logged by anarchy, and sent to a specified server. Congrats, your account is now compromised. This specific logger will also attempt to bypass and disable 2FA.
How can I avoid this?
Firstly, and one of the most important aspects of avoiding this, is not clicking suspicious links. Since the program is a single file, this means it's entirely versatile and thus can be spread in many different ways. The most common way is DM scams. I myself have been sent DMs from people claiming to have a "Free Nitro Generator". They attached an executable. I had a friend of mine decompile the file, and sure enough, it was anarchy. One weakness of anarchy is that it doesn't have a digital signature. This means that Windows SmartScreen should filter it out and show that it's unverified software. Keep in mind this can affect Mac as well, since discord still runs on the same framework (electron). TLDR: Don't click on suspicious links.
I think I've been infected!
First thing. Check for the malware. Go to C:\Users\Tropical\AppData\Roaming\Discord\0.0.306\modules\discord_desktop_core\. Check for a "4n4chy" folder, or anything besides the default 3 files (core.asar, index.js, package.json). If there are any suspicious files, immediately uninstall discord. Then, delete the entire \discord folder from your appdata. DO NOT LOG IN. Assuming you have found the folder, you want to log into the web or mobile client and change your password. This will regenerate your token, invalidating the old one. From there, you want to run a malwarebytes scan, just to be safe. Finally, reinstall discord. You should be fine from there. Check again for the 4n4rchy folder. If it's back, you have a bigger problem. This means a separate program is injecting anarchy. Consider finding the program or reinstalling your OS. If you were sent the file from a DM, report the user to Trust and Safety here.
No. It won't affect mobile. Discord desktop is built on Electron, which is essentially a glorified chrome window (also why it runs so horribly). Mobile runs on an entirely different framework, and thus isn't vulnerable.