Threat Actor Leveraging Discord Channel to Spread Malware
Cyble Research and Intelligence Labs (CRIL) has continuously monitored phishing campaigns that distribute different malware families such as stealer, proxyware, among others.
Recently, CRIL identified a malicious site hxxps://cloud-spoofer[.]xyz, which redirects the user to a discord channel where the announcement is made by the Threat Actor (TA) for selling the spoofer to get unban from FiveM. The FiveM is the mod project that allows gamers to play Grand Theft Auto V (GTA5) with custom multiplayer modes on customized dedicated servers.
Usually, the FiveM bans the players for a period of time whenever a gamer is suspected of cheating. Gamers use Spoofer tools to get unban from the platform and continue playing the game.
The above image shows that this Discord server was created on September 2022. Since then, TA has started selling Cloud Spoofer for 20-60 Euros based on user requirements. The TA has mentioned the price details for Cloud Spoofer in the “prices” section, as shown in the below figure.
Additionally, while investigating the TA’s Discord server, we observed that TA is offering a giveaway where the Discord channel members have to create a YouTube or TikTok video, mentioning the TAs discord channel link in the video description. This is a clever way of promoting the discord channel and also infecting a maximum number of users.
Along with the giveaway offer, the TA has also offered instant unban FiveM and provided a YouTube link in the verify section of the discord channel. To avail offer, the user has to subscribe to the TA’s Youtube channel, as shown in the figure below.
The TA has provided the free spoofer link in the YouTube video description, where users can visit and download it.
After visiting the link provided in the description, the user will be prompted to subscribe to the YouTube channel and like the video to get the download link, as shown in the below figure.
Once the user unlocks the download link, the site downloads a .rar file named Fivem_Spoofer.rar. The downloaded RAR contains a .exe file named Cloud Free.exe, a modified spoofer that downloads malicious files from the following links.
- hxxps://cloud-spoofer.xyz/AnyDesk[.]exe
- hxxps://cloud-spoofer[.]xyz/GameOverlayUI.exe
Interestingly, multiple users have posted screenshots of the subscribed Youtube channel to verify themselves to get the instant unban FiveM after TA’s offer post. This indicates that the users who have posted the screenshot might have been the victim of this malware.
Technical Analysis
Our analysis indicates that the TA has modified the spoofer tool and added extra code to download malicious files from the remote server.
Upon execution, the Cloud Free.exe file shows the following UI, allowing the user to enter the choice for performing several tasks such as spoofer, cleaner, global ban, etc.
While asking for a choice, In the background the modified spoofer silently installs additional malware from the remote server, saves them in the programData location, and executes them in the user’s machine, as shown in the figure below.
When victims enter the choice in the tool, it performs the corresponding task and also downloads malicious files parallelly, as shown in the figure below.
Our investigation shows that the modified spoofer downloads AsyncRAT malware from the URL hxxps://cloud-spoofer.xyz/AURLesk[.]exe. The AsyncRAT is a Remote Access Trojan (RAT) that allows TAs to control the victim’s machine. The functionalities of RAT include viewing and recording the victim screen, capturing keystrokes, shutdown/Restarting the machine, uploading, downloading, and executing files, etc.
The spoofer also downloads a stealer from the URL hxxps://cloud-spoofer[.]xyz/GameOverlayUI.exe, which steals browser-sensitive data from the victim’s machine.
Conclusion
The video game industry has been around for a very long time and has over 2 billion gamers worldwide. People in different countries choose gaming as a career and use different tools to play high-quality games. The increase in the number of gamers has attracted various malicious actors. The TA keeps finding new ways to target gamers using different malware.
According to our research, the TA uses different tricks to promote and spread the malware disguised as FiveM Spoofer. The TA is targeting GTA5 players who are using FiveM by distributing AsyncRAT and stealer malware. Gamers should be careful of such suspecting Discord servers and avoid downloading any tool from an untrusted source.
Our Recommendations
- Avoid downloading pirated software from unverified sites.
- Use strong passwords and enforce multi-factor authentication wherever possible.
- Keep updating your passwords after certain intervals.
- Use a reputed anti-virus and internet security software package on your connected devices, including PC, laptop, and mobile.
- Refrain from opening untrusted links and email attachments without first verifying their authenticity.
- Block URLs that could be used to spread the malware, e.g., Torrent/Warez.
- Monitor the beacon on the network level to block data exfiltration by malware or TAs.
- Enable Data Loss Prevention (DLP) Solutions on employees’ systems.
MITRE ATT&CK® Techniques
| Tactic | Technique ID | Technique Name |
| Initial Access | T1566 | Phishing |
| Execution | T1204 | User Execution |
| Collection | T1005 | Data from the Local System |
| Credential Access | T1555 | Credentials from Password Stores |
| Discovery | T1082 | System Information Discovery |
| Exfiltration | T1041 | Exfiltration Over C&C Channel |
Indicators of Compromise (IOCs)
| Indicators | Indicator Type | Description |
| f161af9b9caec7e99e85f924a4161514929b0b6ab176f66555cdb3274d5ca633 | SHA256 | Hash of the analyzed rar file |
| f3991147e742ba18a277f06900d3a9f73a471479 | SHA1 | Hash of the analyzed rar file |
| 2994e21b35be95d056130e28f2aaca4f | MD5 | Hash of the analyzed rar file |
| 205ed7d1eef37774c1b4499eec76b796f41edd256ac2e441afe3b0e144ef3f46 | SHA256 | Modified Spoofer Hash |
| ea52d2b743934c1d22d1994f98732ddc86001d3d | SHA1 | Modified Spoofer Hash |
| 7f4ec1579a0d3d05225226ad2321dcd3 | MD5 | Modified Spoofer Hash |
| 079b1480ebabfb06545ce9723616f8fd02640cca2ff2e300255509e28ae9db8b | SHA256 | AsyncRAT Malware Hash |
| a51a3c3aec182eb8cfd052eac0f56b31eaada03c | SHA1 | AsyncRAT Malware Hash |
| 67a7ebbc7c94ed3fbaad5cdac96a7997 | MD5 | AsyncRAT Malware Hash |
| b041a434b7700cdaa563c018c7d84e53a2f4ca98260518a15031dd44f65decd1 | SHA256 | Stealer Malware Hash |
| 54ef9f572a21698112107d1980c0a59fe68c4a16 | SHA1 | Stealer Malware Hash |
| f107bc215564928d5f76070f1686932b | MD5 | Stealer Malware Hash |
| hxxps://cloud-spoofer[.]xyz | URL | Malicious site |
