SonicGlyde-Discord-Malware (Epsilon-Stealer Variant)
Recent updates of this malware have exposed that this is a variant of epsilon stealer.
A few of my friends got hit by this malware. Decided to reverse it to see what is under the hood.
.\virus_src includes downloads to the full source, dated by most recent update.
- Virus is an electron project, so I've extracted the relevant archives
- I've also done the work of deobfuscating some of the JS, disabling anti-dynamic code, and pulled the unencrypted sources from the payload, and stage-2 files from the server.
- password:
stuxorinfected
Summary
Malware is being distributed via a manual phishing in discord DMs using the stolen accounts to pivot to new victims. Linking users to: https://sonicglyde.com/ to download a fake game which is the aforementioned malware.
The malware is an nsis installer packaging an obfuscated electron app. The application decrypts the malicious code at runtime to grab discord tokens and browser credentials. Stage 2 involves downloading an injectable JS file that the app will use to replace discord's index.js. Injected js file will middle-man any account updates including password changes, email changes, 2fa activation, etc and also report these back to c2.
C2 server appears to be a proxy for telegram bot based on screenshots sent by the criminal to victims.
Once a victim is compromized, the author will use the account / browser information to ransom the user or pivot to others using their account. Likely to also be searching through browser data for any other accounts they can gain financially from including crypto exchanges, bank accounts, and healthcare info as well.
Newest virus hash: 547D78F6CF28F5D459052026C18BFEA3E5BA824361FED5DF3524CADBF103E555
spam_c2.py Features
- Generates random payloads to the c2, simply a POC, follow your local laws.
- Appears to depend on including most recent "duvet_user" header in payloads. Seems to function as some kind of version identifier but not exactly sure how this works under the hood since we can't see the server code.
- Another guess at what "duvet" is: could be some sort of telegram-hosted c2 that redirects exfiltrated payloads to the telegram user indicated by the "duvet_user" id. This seems to be some sort of malware as a service campaign where the authors are selling a "generator" tool and skids are using it. This is further indicated by the sheer number of variants I've seen of this.
- Request timeouts are expected error, as its likely the c2 just doesn't respond to posts
Disclaimer
This project is for educational purposes only. It is not intended to be used for malicious purposes. The user is responsible for their own actions. The simulated data generated by this program is designed to closely resemble the behavior of the malware, but it should not be used to cause harm or engage in any illegal activities.