Short Summary:
This article discusses the implementation of RAT (Remote Access Trojan) malware using a Discord Bot, specifically the PySilon case. It highlights how the malware operates, maintains persistence, and collects sensitive user information while exploiting the Discord platform for communication and control.
Key Points:
- Discord is a platform for real-time communication and community building.
- A Discord Bot automates tasks on servers, enhancing server management and user interaction.
- The PySilon case exemplifies RAT malware implemented through a Discord Bot.
- The malware builder allows customization of server ID and bot token for deployment.
- Once executed, the malware creates a channel for the threat actor to control infected PCs.
- It maintains persistence by self-replicating and modifying the system registry.
- The malware can collect sensitive information, including personal and payment details.
- It supports functionalities like screen/audio recording, keylogging, and file encryption.
- Malicious bots can easily disguise themselves as legitimate tools, posing security risks.
MITRE ATT&CK TTPs – created by AI
- Credential Dumping (T1003)
  - Collects user credentials including Discord tokens, emails, and passwords.
- Data Encrypted for Impact (T1486)
  - Encrypts files using the Fernet algorithm, storing the key in the user folder.
- Remote Access Software (T1219)
  - Utilizes Discord for remote access and control of infected systems.
- Process Injection (T1055)
  - Executes commands and manipulates processes on the infected PC.
- Persistence (T1547)
  - Adds itself to the RUN key in the registry to maintain persistence.
- Command and Control (T1071)
  - Communicates with the threat actor via Discord channels for command execution.
Discord is a social platform where users can create servers to form communities and communicate in real-time, supporting voice, video, and text chat. While it initially gained popularity among gamers, it has now expanded into a space where groups with diverse interests gather to communicate.
A Discord Bot is a program that automatically performs specific tasks on user-created servers, offering various features such as server management, automated message responses, game facilitation, music playback, and notification delivery, making server operation easier. These bots are mainly implemented using languages like Python and JavaScript, and they interact with servers through the Discord API.
This post analyzes a case (PySilon) where RAT malware was implemented using a Discord Bot. The full source code of this RAT malware is publicly available on GitHub, and the project also has communities on its own website and on Telegram.
Figure 1. RAT malware builder program
The Builder supports customization by allowing users to specify information such as the Server ID and bot token needed for developing a Discord Bot, as well as the registry path and name where it will be installed on the system. Afterward, the custom information is entered into the pre-implemented Python code, and it is converted into an executable file (.exe) using PyInstaller.
Figure 2. Process of building customized RAT malware
When the executable file created in this way is run on a user’s PC, a new channel is created on the server made by the threat actor. The IP address and other system information are initially sent to the threat actor via chat, as shown in the image below.
A new channel is created for each PC infected by the bot, allowing the threat actor to control each infected PC individually.
Figure 3. System information sent by the initially installed bot to the threat actor
Figure 4. Maintaining persistence
When the built RAT malware is executed on the system, it copies itself into the user folder to maintain persistence (see Figure 4) and adds itself to the RUN key in the registry. As a result, the malware runs and stays resident every time the PC starts. The threat actor can also choose the name of the folder used for the self-copy.
The malware additionally contains anti-VM logic: it checks for file and process names that are typical of virtual machines, and if it recognizes a virtual environment it does not run its functions.
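The Run-key persistence described above is also the easiest artifact to hunt for: an autostart value whose target lives inside the user profile (where an unprivileged self-copy must land) is worth reviewing. The following Python is an added example, not code from the article or from the PySilon project. It assumes the Run values have already been exported as (key, value name, command) triples; the registry paths and environment variables are real, while the sample entries, account name and the "SystemCache" value are constructed.

```python
import re

# Autostart registry keys covered by this hunt (real key paths). HKCU is
# writable without administrator rights, which is why a user-level RAT such as
# the one described above writes its value there.
RUN_KEYS = (
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run",
)

# Environment variables that resolve into the user profile. The "<user>"
# placeholder stands in for the actual account name.
ENV_EXPANSIONS = {
    "%userprofile%": r"c:\users\<user>",
    "%appdata%": r"c:\users\<user>\appdata\roaming",
    "%localappdata%": r"c:\users\<user>\appdata\local",
    "%temp%": r"c:\users\<user>\appdata\local\temp",
}

# Legitimate software also autostarts from the profile folder, so an allowlist
# keeps the output reviewable. Assumption: maintained per environment; this
# single entry is only an illustration.
KNOWN_GOOD_SUBSTRINGS = (
    r"\appdata\local\microsoft\onedrive\onedrive.exe",
)


def extract_target(command: str) -> str:
    """Return the executable path from a Run value's command line.

    A quoted path is taken verbatim; otherwise the text up to and including
    the first ".exe" is used so that arguments such as "--silent" are dropped.
    """
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    match = re.match(r"(.*?\.exe)(?=\s|$)", command, re.IGNORECASE)
    return match.group(1) if match else command.split()[0]


def normalize_path(path: str) -> str:
    """Lower-case the path and expand profile-relative environment variables."""
    path = path.strip().lower().replace("/", "\\")
    for var, expansion in ENV_EXPANSIONS.items():
        path = path.replace(var, expansion)
    return path


def hunt_run_values(run_values):
    """run_values: iterable of (key, value_name, command) triples exported from
    the registry. Returns the entries whose autostart target lives inside
    C:\\Users and is not on the allowlist."""
    findings = []
    for key, name, command in run_values:
        target = normalize_path(extract_target(command))
        if not target.startswith("c:\\users\\"):
            continue
        if any(good in target for good in KNOWN_GOOD_SUBSTRINGS):
            continue
        findings.append({"key": key, "value_name": name, "target": target})
    return findings


# Constructed sample export (not taken from a real system). The "SystemCache"
# value mimics the kind of self-copy described above; all names are invented.
SAMPLE_RUN_VALUES = [
    (RUN_KEYS[0], "OneDrive",
     r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'),
    (RUN_KEYS[0], "SystemCache",
     r'"C:\Users\alice\AppData\Roaming\SystemCache\svchost.exe"'),
    (RUN_KEYS[1], "SecurityHealth",
     r"C:\Windows\system32\SecurityHealthSystray.exe"),
    (RUN_KEYS[0], "Updater", r"%APPDATA%\Updater\update.exe --silent"),
]

if __name__ == "__main__":
    for finding in hunt_run_values(SAMPLE_RUN_VALUES):
        print(f"{finding['key']}\\{finding['value_name']} -> {finding['target']}")
```

On a live host the triples can be produced with the `reg query` output or Python's `winreg` module; the heuristic flags candidates only, so the allowlist and a check of the file's signature and creation time decide whether an entry is benign.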
Figure 5. Available commands
Afterward, the threat actor can input the commands listed below into the chat of the created channel to perform additional malicious behaviors.
Below are the main actions of the malware viewed from the threat actor’s perspective.
- Collecting information
Figure 6. Collecting information
The Grab command can be used to collect information from the system where the RAT malware is installed.
It collects the user's personal information, including payment information, as well as browsing history and cookies from the installed browsers' data paths, and extracts various saved passwords to send to the threat actor.
Collected information: Discord token, Nitro, MFA, email, phone number, password, cookie information, web page browsing history, etc.
- Screen recording and audio recording
Figure 7. Screen and audio recording files sent to the threat actor
It supports screen and audio recording in the infected PC using Python modules such as pyautogui, numpy, imageio, and sounddevice.
- Keylogging
Figure 8. Keylogging
It transmits the input content to the threat actor’s server when the user presses “Enter”.
- Folder encryption
Figure 9. Encryption/decryption commands
Figure 10. Key file created in user folder
It can encrypt files within a folder on the infected PC. Analysis found that the Fernet algorithm is used, and the key file required for decryption is stored in the user folder.
The encrypted files have a .pysilon extension, and no ransom note is created.
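Because the key file is left in the user folder and Fernet tokens carry a timestamp, a responder can check whether the .pysilon files are recoverable with the local key and when they were encrypted, before running any decryption. The Python below is an added example written for this summary, not code from the article or the PySilon project; it parses the public Fernet token layout with the standard library only. The key, file names and token contents are constructed fixtures (the "ciphertext" is placeholder bytes, not real AES output), and the key file's name is an assumption since the article does not give it.

```python
import base64
import hashlib
import hmac
import struct
from datetime import datetime, timezone

ENCRYPTED_EXT = ".pysilon"   # extension the article reports for encrypted files

# Fernet token layout (public spec): 0x80 | 64-bit big-endian timestamp |
# 128-bit IV | AES-128-CBC ciphertext | HMAC-SHA256 over everything before it.
VERSION = 0x80
MIN_TOKEN_LEN = 1 + 8 + 16 + 32


def load_fernet_key(key_b64: bytes):
    """Split a base64url Fernet key into (signing_key, encryption_key)."""
    raw = base64.urlsafe_b64decode(key_b64)
    if len(raw) != 32:
        raise ValueError("Fernet key must decode to 32 bytes")
    return raw[:16], raw[16:]


def inspect_token(token: bytes, signing_key: bytes) -> dict:
    """Parse one encrypted file without decrypting it.

    Reports whether the bytes are a well-formed Fernet token, whether the HMAC
    verifies under the recovered key (so decryption with that key will
    succeed), and the timestamp Fernet embeds at encryption time.
    """
    try:
        data = base64.urlsafe_b64decode(token)
    except ValueError:
        return {"valid_format": False}
    if len(data) < MIN_TOKEN_LEN or data[0] != VERSION:
        return {"valid_format": False}
    body, tag = data[:-32], data[-32:]
    ciphertext = body[25:]
    if len(ciphertext) == 0 or len(ciphertext) % 16 != 0:
        return {"valid_format": False}
    timestamp = struct.unpack(">Q", body[1:9])[0]
    expected = hmac.new(signing_key, body, hashlib.sha256).digest()
    return {
        "valid_format": True,
        "hmac_ok": hmac.compare_digest(expected, tag),
        "encrypted_at": datetime.fromtimestamp(timestamp, tz=timezone.utc).isoformat(),
        "ciphertext_bytes": len(ciphertext),
    }


def triage(files: dict, key_b64: bytes) -> dict:
    """files: mapping of file name -> raw content (e.g. read from the affected
    folder). Returns one report per file carrying the encrypted extension."""
    signing_key, _ = load_fernet_key(key_b64)
    return {
        name: inspect_token(content, signing_key)
        for name, content in files.items()
        if name.lower().endswith(ENCRYPTED_EXT)
    }


def build_fixture_token(signing_key: bytes, payload: bytes, timestamp: int) -> bytes:
    """Constructed test fixture only: wraps arbitrary bytes in the Fernet
    framing so the parser can be exercised offline. The payload is NOT real
    AES output and the IV is all zeros."""
    body = bytes([VERSION]) + struct.pack(">Q", timestamp) + bytes(16) + payload
    tag = hmac.new(signing_key, body, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(body + tag)


# Constructed sample: a fixed key standing in for the key file found in the
# user folder (assumed name "key.txt"), two "encrypted" files, one untouched.
SAMPLE_KEY = base64.urlsafe_b64encode(bytes(range(32)))
_SK, _ = load_fernet_key(SAMPLE_KEY)
SAMPLE_FILES = {
    "report.docx.pysilon": build_fixture_token(_SK, b"A" * 32, 1700000000),
    "notes.txt.pysilon": build_fixture_token(_SK, b"B" * 48, 1700000600),
    "readme.txt": b"not encrypted",
}

if __name__ == "__main__":
    for name, report in triage(SAMPLE_FILES, SAMPLE_KEY).items():
        print(name, report)
```

Once `hmac_ok` is true for the recovered key, the files can be restored with `cryptography.fernet.Fernet(key).decrypt(token)` from the `cryptography` package; the embedded timestamps give the encryption window for the incident timeline.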
In addition to the aforementioned functions, it can manipulate the hosts file to create and manage a blacklist/whitelist of websites, upload/download files, execute cmd commands, start/terminate processes, and even use Windows native functions to trigger the blue screen of death (BSOD).
Open-source projects that implement malicious RAT functions using Discord, like PySilon, are continuing to be created. Since the source code is publicly available, threat actors can easily incorporate it into their bots and disguise them as useful tools. Additionally, because data is transmitted using official Discord servers implemented for normal bot functions, it is very difficult for users to realize that the malware is installed. Therefore, it is important to exercise caution when installing bots or programs from untrusted sources.
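Since the traffic goes to Discord's own servers, blocking or reputation-based detection does not apply; what remains is the pairing of process and destination, as in the system-information and command exchange described above. The Python below is an added example for this summary, not code from the article or the PySilon project. It assumes network events already parsed into dicts with Sysmon Event ID 3 field names (Image, DestinationHostname, DestinationPort); the Discord domains are real, while the sample events, paths and the allowlist of expected client executables are constructed and would be tuned per environment.

```python
# Discord-owned domains used by the bot API, gateway and CDN (real domains).
DISCORD_DOMAINS = ("discord.com", "discordapp.com", "discord.gg")

# Executables expected to talk to Discord on a workstation. Assumption: tuned
# per environment; here it is the desktop client and common browsers.
EXPECTED_IMAGES = ("\\discord.exe", "\\chrome.exe", "\\msedge.exe", "\\firefox.exe")


def is_discord_host(hostname: str) -> bool:
    """True for a Discord domain or any subdomain of one."""
    host = hostname.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in DISCORD_DOMAINS)


def classify_event(event: dict):
    """Return an alert dict for a Sysmon-style network event, or None.

    Keys follow Sysmon Event ID 3: Image (full process path),
    DestinationHostname and DestinationPort.
    """
    if not is_discord_host(event.get("DestinationHostname", "")):
        return None
    image = event.get("Image", "").lower()
    if image.endswith(EXPECTED_IMAGES):
        return None
    # A process running from the user profile is the stronger signal: it is
    # where the self-copied, PyInstaller-built bot from the article ends up.
    severity = "high" if image.startswith("c:\\users\\") else "medium"
    return {
        "image": event["Image"],
        "host": event["DestinationHostname"],
        "port": event.get("DestinationPort"),
        "severity": severity,
        "reason": "unexpected process contacting Discord infrastructure",
    }


def detect_discord_c2(events):
    """Run the classifier over a batch of events and keep the alerts."""
    return [alert for alert in (classify_event(e) for e in events) if alert]


# Constructed sample telemetry (not real logs). Paths and names are invented.
SAMPLE_EVENTS = [
    {"Image": r"C:\Users\alice\AppData\Local\Discord\app-x.y.z\Discord.exe",
     "DestinationHostname": "gateway.discord.gg", "DestinationPort": 443},
    {"Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "DestinationHostname": "discord.com", "DestinationPort": 443},
    {"Image": r"C:\Windows\System32\svchost.exe",
     "DestinationHostname": "update.microsoft.com", "DestinationPort": 443},
    {"Image": r"C:\Users\alice\AppData\Roaming\SystemCache\svchost.exe",
     "DestinationHostname": "discord.com", "DestinationPort": 443},
    {"Image": r"C:\Program Files\Python311\python.exe",
     "DestinationHostname": "cdn.discordapp.com", "DestinationPort": 443},
]

if __name__ == "__main__":
    for alert in detect_discord_c2(SAMPLE_EVENTS):
        print(alert["severity"], alert["image"], "->", alert["host"])
```

The allowlist check runs before the path check on purpose: the real Discord client installs under the user profile, so flagging every profile-resident process that reaches Discord would bury the one that matters. In practice the same rule is expressed as a SIEM query joining process creation and network events.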
Source: https://asec.ahnlab.com/en/84107/