Unraveling Discord Token Stealer (python MALWARE)
Вставка
- Опубліковано 6 бер 2023
- j-h.io/snyk || Use Snyk to scan for vulnerabilities and weaknesses your application FOR FREE ➡ j-h.io/snyk
Help the channel grow with a Like, Comment, & Subscribe!
❤️ Support ➡ j-h.io/patreon ↔ j-h.io/paypal ↔ j-h.io/buymeacoffee
Check out the affiliates below for more free or discounted learning!
🐱👤SEKTOR7 ➡ Malware Development, AV Evasion j-h.io/sektor7
🖥️ Zero-Point Security ➡ Certified Red Team Operator j-h.io/crto
💻Zero-Point Security ➡ C2 Development with C# j-h.io/c2dev
🐜Zero2Automated ➡ Ultimate Malware Reverse Engineering j-h.io/zero2auto
⛳Point3 ESCALATE ➡ Top-Notch Capture the Flag Training j-h.io/escalate
📗Humble Bundle ➡ j-h.io/humblebundle
🐶Snyk ➡ j-h.io/snyk
Credit to Exyl for his discord logo from his song "ping!", which was used in the thumbnail! / @exyl_sounds
🌎Follow me! ➡ j-h.io/discord ↔ j-h.io/twitter ↔ j-h.io/linkedin ↔ j-h.io/instagram ↔ j-h.io/tiktok
📧Contact me! (I may be very slow to respond or completely unable to)
🤝Sponsorship Inquiries ➡ j-h.io/sponsorship
🚩 CTF Hosting Requests ➡ j-h.io/ctf
🎤 Speaking Requests ➡ j-h.io/speaking
💥 Malware Submission ➡ j-h.io/malware
❓ Everything Else ➡ j-h.io/etc
It's always funny to me when they say it's for "educational" purposes when it's clearly malicious
@Michael DiGregorio really he is so stpid don't 😭
Hey i really made it for educationnal in the beggining
By your logic powershell and python as a language are malicious and shouldnt exist because they have the potential to be abused by its users. 🤦
@@User-kq3od by your logic operating systems like windows, macos, or linux shouldn’t be used because they could be used maliciously. your rational falls apart
@@majoryoshi that's not their point at all
Blackhats: " For educational purposes only"
Crypto traders/ scammers: "This is not financial advice "
Police interrogators: "You have the right to remain silent"
Hey, at least the right to remain silent is something that they're legally forced to give you and need to inform the jury to not hold your silence against you (as well as judgements found to violate that clause getting thrown out entirely)
@@xana3961 I just love the fact that they say that and then keep you for hours and still keep asking you questions.
@@xana3961 yeah but the crypto bros and blackhats won't shut off their body cams before handcuffing me and breaking both of my kneecaps
When he was trying to spam the web hook be found with the spammer, you can actually tell if it's working or not by looking at the status colulm. He kept getting 429 response codes, which means that he sent too many request to the discord API. Doesn't look like he was ever able to spam the viral webhook because he already spammed one of his own and discords API rate limited him. Waiting 3-10 minutes will resolve that.
You could have sent a DELETE request on that web hook URL, then the web hook would have been deleted and any other instances of the malware will not be able to send data to the attackers.
I tried, but somebody already deleted it lol
🧠
but first spam the webhook URL with "your webhook got thanos snapped" and GIFs of thanos doing fortnite dances
@@GateKeeper_Systems I saw ntts do that.
@@rodricbr same lol
Good GOD your sponsor break "Hang on!" frightened the life out of me 😂 I was too invested!
I read your comment and thought "It can't be that bad, can it?"
**a few moments later**
John: "Hang on!"
Me: **flinching** "Oh, it IS that bad!"
Same loool
I just want to say that I really appreciate that you have been putting the sponsors in the second half of the video. I don't properly know how to express it besides making the video more comfortable to watch but it has been great! Thank you, keep up the great work!
Synk (the sponsor of this video) has clearly stated in their ToS that they will store any project you'll send them indefinitely and they will not delete it if and when you decide to delete the project on Synk itself.
Other than that they also require their customers to have their back no matter what. Just read this piece of text from their ToS:
"You will defend, indemnify and hold harmless Snyk against claims, actions, proceedings, losses, damages, expenses and costs (including without limitation court costs and reasonable legal fees) arising out of or in connection with your use of the Services, the Platform, Service Data and/or Documentation other than in accordance with this Agreement."
For me this is very severe and holds me from using the software at all. And it's a pity cause I think it could have been a good one.
You'd write that clause too if you were handling people's private repo data and wanted to be absolved from being sued by sue-happy corporate crooks. Not saying you should feel comfortable. I'm saying, there's a real-world reason for writing such language.
Source: Have worked with data recovery and security companies. Many of them have similar language to this.
@@Zancb Sure there are reason for writing that. One of the reasons being you protect the company from ANY kind of lawsuit. If you one day discover that your private repo is being used by some corporation who's paid Synk big money to grab data from their servers, you could do literally nothing. If they decide to charge your subscription more than it was advertised without any notice whatsoever, you are required to just shut up and take it.
There are several examples that might be even worse, but you surely get why I don't think it's a service anyone should ever use at all.
I am not even sure that the paragraph is legally worth anything since imho it might make them avoid accountability for virtually anything a customer might experience on their platform. I do think that is not lawful and they can't just write in their ToS anything they want, the ToS has to respect laws too.
But I am a developer, not a lawyer and I might have misunderstood when that paragraph might be used. Maybe it does not mean what I do think it means, I am not completely sure.
If anyone here has a legal background and is willing to elaborate on that you are more than welcome to do so.
i think you would be hard pressed to find any tos that lacks that verbiage
They legally cannot enforce any of that. It's there so that they aren't held liable if you use their software for illegal purposes (a catch-all, if you will). Plenty of software companies do this.
That is going to be in any TOS, its a cover your ass statement, all that second part means is effectively "If you're really shit at writing code, and our software doesn't catch every single last exploit, so it still gets exploited, that's not on us, and you can't say it is, you can't just rely on software to do your job" Any reputable company will have a clause like that if they are doing something similar to snyk, trying to protect you, I'd imagine nearly every last anti-virus would have a similar one too
This is the first video of yours that i've watched. I gotta say, i dont understand a bit of what your saying but i can appreciate what your doing to help people. Subscribed.
As always, love watching how you work. Great content John. Nice breakdown and explanations.
As an old guy who did old computer things, I just love your videos and really enjoy them. Thank you for making these.
I love your videos, it’s just a nice feeling when I’m eating a snack watching you dissemble viruses.
It's always a good morning when John Hammond uploads a new video!
Please more of the videos where you investigate and take apart suspicious things. i just love them
Yes @Jhon Hannond
YESS @Jhon Hammond
Watching your videos has made me do a complete 180 on my life. Learning Python (Still very new) with the hopes of being a pentester. As a way of getting experience I was thinking of backend engineer to get my foot in the door but I am unsure and COMPLETELY overwhelmed with the amount of stuff to learn that's out there. Is there a roadmap for pentesting to kinda determine where I am and where to go next?
Awesome video btw! I love the python malware analysis stuff
There is no roadmap at all, this industry doesn't have a laid out plan for what you should do and what you should learn. It doesnt fit the mindset of a pentester either. A pentester or even any one in the infosec industry should be by nature very curious and eager to learn anything.
@@boogieman97 That's crazy! But also really interesting thank you for clearing that up! I'm pretty eager to learn as much as I can I guess I just worry about all the time I wasted not getting into this industry at a younger age and want to "supercharge" my way to catch up if that makes sense? Anyways, I'll keep that in mind thank you!
@@Sl33pySage Trust me when I say you're not behind if you're starting at a young age, I started at 15 and am still working my way to being a good pentester. Just enjoy the journey as there is a lot to have in store. Lots of cool knowledge that makes you feel awesome when you pull it off! Welcome to the world of cybersecurity!
@@Sl33pySage not sure where you're at since this was almost a year ago, but it's really never too late. Almost 30 and starting a job with a cybersecurity application startup in 1.5 weeks. I'll still only be in support, but it's as an engineer so it's still its on the path! I started out in biotech, and hit a deadend there. After floating around not really knowing what to do, as you said I eventually pulled a complete 180 because of videos like from @_JohnHammond.
If you're interested my path was the following: studied the Network+ and A+ (still don't have the certs for them tho 😬decided a degree was more important), did some side projects and self study, got a wfh support call center job as a temp, worked hard to be hired on full time to their implementations department, and used their tuition reimbursement to go to school a bit. Then the company started to act shifty so I applied to a bunch of new jobs, advertised my new skills and talking about the school and personal projects during the interviews, then that was that! I made it real clear in the interviews that I need to learn a bunch still, and they said that seems like what they're looking for, so I'm hoping with this I'll get much more familiar with the field and actually work closer to the tech than ever.
Like boogieman97 said, there's no real set path, and yeah it's a great analogy for the hacker's attitude of making it work for you, so you could look at it as practice for that mindset :)
Subscribed + Like material. UA-cam content that are put like this are great! Keep up the good work.
This was really educational.
You taught me how the \something\ part works.
Unintended purpose of your video, but I just used the Py-Fuscate and your method of getting the information out to create a challenge for a CTF I'm running at my college in a month.
AWESOME CTF challenge idea!!! 🔥🤩
I appreciate your support. TANK YOU.
16:17 Hey, it's even protected specifically against you, it detects if the username is "John" or the PC name is "John-PC"!
Actually, most of malwares do that, to bypass sandboxes like Triage, Anyrun, VirusTotal.
If name is like John, it will NOT execute malware
@@ImTimmy228
Many do that, yes.
But of the samples John pulled apart this is the only one I know of. And I've watched many of his videos and I've actually pulled apart some malware samples myself, this is the first one I know of that does protect itself against debugging.
16:34 I'm relieved to see it won't detonate on "JOHN-PC"
I don't think the webhook spam actually worked. The reason your Discord got broken is because *you* sent too many requests, so they started blocking every action from the IP address. You can even see the 429 response codes in the network log
This is true, I borked it when I tested it against myself.
@@_JohnHammond btw if you send a get request to the webhook url it tells you the guild and channel id it's set at
not really useful for anything other than reporting though, and I've learned not to count on discord staff
I'm curious why they can't do this for cheaters in games, I have always said they should just block or in some other way limit the possibilities from a particular IP address when dealing with hackers in CoD etc.
@@lfcbpro Changing your IP address is easy, and many people may share the same IP address. It's just not worth it.
@@lfcbproLike Checkium said, IP addresses are dynamic. Hardware bans are also ineffective, and can also lead to things like re-sale of HWID banned PC to someone who isn't a cheater, but they place the games the cheater is banned on. So essentially, innocent people wasting their money on a PC that they can't use for what they bought it for, because of the previous owner.
John, I love all your content and it is really inspiring me to become a pentester. I was wondering if you could do a video on all the add-ins/extensions you use within your browsers? It would be cool to see what tools you use. THank you
Penetration Tester
@Thawne penetration tester (white hat hacker basically)
In the VM checker it had ‘John PC’ think there getting wise to you 16:25
Best defense from now on is making sure that your main OS is looking like a virtual machine. Perfect.
or just using a VM at all times
That's pretty funny actually. QubesOS reasonably secure indeed.
Half of the time I don't know what's going on but I still enjoy these videos
New upload, I'm happy now.
That Py-fuscate script is pretty cool
the funny thing is you can just disguise your machine as a VM and it won't run
lmao
Pretty common, actually. It's an anti-analysis technique.
john hammond's definitely been working out
Thanks John!
You can easily check, if a webhook is active, if you just open the link in a browser.
these are very easy to make ive made one before people call them a "stub" its crazy how easy it is js one click of a button and paste ur webhook n boom js like that u have an exe file that takes all info passwords location ip etc
Hey IDK if you saw john, but they put your name in it also. At 16:29 It looks like anyone who might try to look what it does....
Some of those ips / computer names are virustotal machines and stuff.
Oh my god..this is the first time I’m being first for a video!
I love this
In the future if you get a discord webhook you can actual curl it and it will tell you its server info and you can report it to discord
you can also add webhook in the url bar and it'll show you the same result as cUrl
@@ChrisTheCringe true
You can send a DELETE request to the webhook url to delete it!
from another comment it looks like someone has already deleted it
Great Video. Fire!!!!!
@15:34 Wow, they're not even listing Firefox. Wonder if that's because it doesn't use Chromium or because they think it's too small to be relevant.
i love reverse engeneering, did it called that way?
Just awesome
I was hacked with exactly THIS Malware, The Hacker grabs all of token Email Adresses, Codes, Passwords etc etc. I was locked out of my own Privacy
Me too, me too !! I am dealing with this now.
@@maybemolly237 u're struggling?
Being open source you can basically add ways to mitigate the methods they steal info
what i once did is i sent a link to invite a bot to "help the grabber", of course it was my dummy bot but the owners added it and i tracked down what server it was in.
If are to write such malware why upload it to Git public repository? This is ignorance at its prime, and thank God for that :) Good work, once again, Mr. Hammond.
Someone writing sophisticated code like this obviously didn't just upload it there with no reasoning behind it. They most likely genuinely want others to see it... AND use it. AND contribute to it to help make it more dangerous.
@@Infamous159 hes a skid. "trying to help the world out". he can't code at all.
"It worked on my host" his youtube channel turns into a crypto channel in a week.
So is there a way for someone to steal a discord token without using a link that the user must click on first? Any application or browser based exploits? Or is it as simple as 'don't click on links you don't trust' to remain safe from having your token or credentials stolen?
My buddy got hit by this last year; dummy got hit up from a random discord user asking him to "try this game I created", easy 300 bucks to the scammer. Cool to see what the capabilities of the malware was.
If it was an exe, then it was a different malware. Python code packed into an exe doesn't come in script form, it comes as bytecode with it's own portable python.exe
@@nordgaren2358 You can definitely package a Python script into a single-file exe, I've done it before.
de astea faceam eu la TIC in generala
Quick everyone change their pc name to John-PC
13:49 wait... what if you were to rename any of those exe's to random stuff and then run them? would it not kill them, because the process name would be different? like when John has renamed calc.exe in other videos
Yes, but the average person is not going to think of that
@@mongmanmarkyt2897 It's actually a very common technique for reverse engineers, which is the average person who would be reverse engineering malware.
This is some real skid malware 💀
Yeah in fact. You have to install python to run it ;)
its all good when its for educational purposes.
Job master is power fill files,power is jon hemanth master&&hemanth master is power files full explanation video Power jon hemanthmaster 🔥🔥🔥🔥🔥🔥🔥🔥🔥
John Hammond, help me, I fell for this malware, but I'm not sure if I was infected, I disabled a bootable that was created and uninstalled discord
They stole every password in my browser and stole my discord and the email for it, then started messaging my family and friends to get them to download the link too. The link was them telling me it was to test a game.
When you click it, downlload the file, unzip and run, it asks for access to command prompt. Then nothing happens, no game, and then they have all your stuff.
bro i just had a total freak moment... im watching this and outta nowhere my cmd opened up for amdautoupdate... i thought i just got infected by a damn vid lmao
18:18 couldn't you look at the response discord gives you see if the webhook is still working
hey john i'd credit Exyl for the thumbnail image of the red discord logo which was created by him for his Discord call sound effect remix
I put it in the description just now. Thanks for the reminder! - Nordgaren
@@nordgaren2358 danke
Even if the webhook wasn't deleted I would be immune to it as my pc name is on the list of ones it won't run on lol
INTERESTING❗
I haven't used the marshal library before, but I did notice the red box in its Python documentation that says never to unmarshal code from an untrustworthy source. Running this on your host was risky!
if they were savvy they could have used a magic method to auto execute the code, avoiding extra exec calls. he is lucky that skids aren't savvy
16:54
line 1254 shows how much of a newbie the developer of the grabber is
(("VMware" or "VBOX") will always evaluate to "VMware", so "VBOX" is just useless nor will it be detected)
While true, even experienced people make simple mistakes like that. Look at the dummies that missed 1 single logic flaw that allowed for crypto smart contracts to get drained with reentrancy attacks.
Soooo cool.
Great vid
i wish you could use the webhook to join the server
What in the half life cmd was that
Wait, do people never check their addresss? Even when I know I don’t have the address, or I copy and paste I still make sure every letter is correct, just a fear of mine. But $400 in stolen money?
Do some mobile malware analysis
You are definitely more genuine than him :D
one very funny thing is that the music he was listening to is soma extremely stereotypical french drill from an artist who is know to be an absolute liar in his tracks
Which music?
so an edgy french skid? gotcha
15:29 and not one for gecko based browsers
I'm curious if it is wise to report users like that,
is it not possible that if all of the github's are reported that host code like this, that it will be harder to find the code etc, like you showed, which will limit the ability to check for bad actors, as against researchers or documenters of malware?
I agree, and also reporting code seems crazy to begin with
There's already plenty of detection tools for stuff like this, it's unnecessary to keep it up.
Meh, GH mods never delete repositories/accounts with malware, unless, of course, if request was from a large company. User/repo from video still active. Also I reported one user almost an year ago and he is still active...
You cannot report open source malware 🤨 it genuinely is educational and not illegal at all
I mean you can't really shut down someone's account for creating malware programs because it's not wrong to write them, just use them against people who have not given you explicit permission for such. Although ultimately it's up to Github themselves, and they do have the report option for it so I don't really know why they wouldn't.
user is still active as of today, March 9th. Github won't delete a user contributing to the security space. Malware is apart of that space and everyone needs to see how this malware works. Deleting it from GH would do nothing but harm as the owner still has the code on their local branches and now nobody can understand it to protect against if need be. The reality is. Users that get hit by it would probably never know and were never aware it could happen in the first place. Those that are aware are sophisticated users with some of them being us coming to watch hacking videos on youtube. We want to see that code. Not let it disappear.
you could have spammed the shit out of that webhook and then send a delete request
thats cool
Import os
Okay, where done here
amazing vid
23rd! Woohoo!
I belive you can actually delete discord webhooks, not just spam them
Yeah, I'm pretty sure ntts showed a website where you can get the webhooks deleted.
@@imnotmarbin he did
@@imnotmarbin You don't need that. just open your terminal and do a 'curl -X DELETE'.
@@Serpensin wait, without authorization header? interesting
@@daleryanaldover6545 if you have the webhook url, you can entirely control it, including changing the name and avatar of it. you can also just plainly delete it by sending a DELETE to the url, but that's less fun than spamming it to death
John how can I contact you ! I need to inform you something. It's seriously important for cyber Crime perspective. Can I dm you ?
I accidentally opened it and then there were passwords on my Discord server that I don't even know about xD
This is scary
Is it ethical / "pythonic" to run that os.system('pip') to install all dependencies? Feels illegal
no
but script kiddies don't know any better
❣️
So if you want to stay safe, you need to make your pc look like an virus analyzer...
200 iq move
Your coming my mobile I'm blind situation.power is class eyes is blind.
How can i know what server the webhook is joined in? And send me an invite to it i wanna know so i can troll the devs lol
(Not for stealing others peoples data)
I downloaded a file from an indian youtube channel, and i got a spyware from it,I only rebooted my pc without deleting the os and reinstalling it again, Am i safe?
Thanks for helping me
First❤❤
*I'm here for "Educational Purposes"
at 16:31 there is a username JOHN-PC so that he can't analyze the malware. :):
Unfortunately, the 429 indicates that your IP is being ratelimited by discord, so those messages likely never reached the stealer's webhook. That is why you could not delete any messages or do anything more in your testing channel; they were blocking you from using the API.
There's a way around their blocker tho, if I remember correctly, I think it's cloudflair. If you're using selenium, you can delete the cookies and cache. Doing so would bypass the block. That was for cloud flair, but I remember there was something for the discord API rate limiting as well for bypassing
This is true, I borked it since I had tested it against myself beforehand. :)
@@_JohnHammond lol I was messing with discord apis and malware a while back and was totally baffled as to why none of my API calls would ever work. A month later I found out 🤣
@@mastercodeon42 *proxie
@@huebnerite Nah, I don't think a proxy solves their API rate limiting, but I could be wrong tho
Ntts made a server like that one that you can't leave. Your gonna get your account banned
its black cap grabber
A very useful video, yet I think it will be more profitable to earn on the Crypton cryptocurrency now.
It really seems to be for education, I guess they are french students learning malware analysis
Yea, they came into the Discord, and posted here that they did it for educational reasons. It's just a shame that the malware is very potent (steals CC info and stuff). Would probably be a good idea to keep stuff like that out of the educational repos :P