Hazard Token Grabber - Cyble (2024)

Cyble Research Labs has come across a new information-stealing malware named Hazard Token Grabber. The initial version of Hazard Token Grabber was spotted in the wild in 2021, and we have now observed an upgraded version that Threat Actors (TAs) are using to steal users' data. Both versions are available on GitHub for free.

During our OSINT threat hunting exercise, we came across over 2,000 samples related to this stealer in the wild. Most of them are the actual Python source code of the malware used to compile the binary, indicating that the malware has been used on a large scale. Interestingly, a few of the samples had low or even zero detection.

As per the statement made by the Threat Actor (TA), an upgraded version of Hazard Stealer can be obtained by purchasing it on their Discord server or website. This suggests that the malware published on GitHub might not be especially evasive and that the TA uploaded it there only for advertisement purposes. Figure 1 shows the statement made by the Threat Actor.

[Figure 1]

The number of samples related to Hazard stealer has increased significantly in the last three months, as shown below.

[Figure 2]

The figure below shows the file details of one of the recent samples we analyzed.

[Figure 3]

Technical Analysis

Builder:

Hazard Token Grabber is developed in Python, and its builder supports Python version 3.10. The builder is a simple batch file that generates the payload and converts the malicious Python script into a .exe file using PyInstaller.

[Figure 4]

Payload:

The malware exfiltrates data to a Discord channel through webhooks that are set in its configuration. The configuration also contains flag variables and a list of programs to terminate during execution, as shown below.

[Figure 5]

The malware copies itself into the Startup location to establish persistence and creates a randomly named directory under %temp% to store the stolen data.

[Figure 6]

Upon execution, the stealer reads the configuration and builds a list of the functions whose flag is set to TRUE. It then starts a thread for each function in the list so that the malicious routines run in parallel.

[Figure 7]

Anti-debug:

The malware performs several checks to detect debugging and terminates itself if it is being debugged. It also carries hardcoded lists of hardware IDs, PC names, and usernames that are excluded from infection. The figure below shows these hardcoded lists.

[Figure 8]

The malware also checks the disk size of the victim's system and terminates itself if it is below 50GB. It then reads the following registry keys to identify a virtual environment (shown with the escaped backslashes of the malware's Python source; the trailing `2> nul` redirect in that source indicates the keys are queried through a spawned shell command with errors discarded):

  • SYSTEM\\CurrentControlSet\\Services\\Disk\\Enum
  • HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Class\\{4D36E968-E325-11CE-BFC1-08002BE10318}\\0000\\DriverDesc
  • HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Class\\{4D36E968-E325-11CE-BFC1-08002BE10318}\\0000\\ProviderName

[Figure 9]

Data Harvesting:

The malware then checks for Discord Token Protector, a tool that protects Discord tokens from grabbers. To defeat it, the malware looks for DiscordTokenProtector.exe, ProtectionPayload.dll, and secure.dat in the DiscordTokenProtector directory and deletes them if present. It then modifies the config.json file in the same directory to bypass the protector.

[Figure 10]

Hazard Token Grabber then bypasses BetterDiscord by replacing the string 'api/webhooks' with 'RdimoTheGoat', as shown below.

[Figure 11]
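The Token Protector deletion and the BetterDiscord string swap described above leave host-side artefacts a defender can check for. The following is an added example for this write-up, not code from Cyble or from the malware; it assumes a DiscordTokenProtector directory and raw BetterDiscord file bytes are supplied by the caller, and builds constructed versions of both for the demo.

```python
"""Host-side integrity check for the two Discord add-ons this stealer tampers with.
Added example for this write-up, not code from Cyble or from the malware.
Install paths are assumptions: point the functions at the real directories on the host."""
import os
import tempfile

# Files the report says the stealer deletes from the DiscordTokenProtector directory.
TOKEN_PROTECTOR_FILES = ("DiscordTokenProtector.exe", "ProtectionPayload.dll", "secure.dat")
# String the report says the stealer writes into BetterDiscord in place of 'api/webhooks'.
ORIGINAL_STRING = b"api/webhooks"
TAMPER_MARKER = b"RdimoTheGoat"


def check_token_protector(dir_path):
    """Return the protector files missing from dir_path (empty list = intact)."""
    return [f for f in TOKEN_PROTECTOR_FILES
            if not os.path.isfile(os.path.join(dir_path, f))]


def check_betterdiscord_blob(data):
    """Count 'api/webhooks' and the tamper marker in raw BetterDiscord bytes
    (e.g. the contents of betterdiscord.asar). Returns (webhook_refs, marker_hits)."""
    return data.count(ORIGINAL_STRING), data.count(TAMPER_MARKER)


def is_tampered(dir_path, bd_data):
    """True if the protector install lost files or BetterDiscord carries the marker."""
    return bool(check_token_protector(dir_path)) or check_betterdiscord_blob(bd_data)[1] > 0


def constructed_check(intact):
    """Build a constructed DiscordTokenProtector directory and BetterDiscord blob,
    either intact or in the post-infection state the report describes, and return
    (missing_files, blob_counts, tampered)."""
    with tempfile.TemporaryDirectory() as d:
        names = TOKEN_PROTECTOR_FILES + ("config.json",) if intact else ("config.json",)
        for n in names:
            with open(os.path.join(d, n), "w") as fh:
                fh.write("{}")
        blob = (b'fetch("https://discord.com/api/webhooks/1/x")' if intact
                else b'fetch("https://discord.com/RdimoTheGoat/1/x")')
        return check_token_protector(d), check_betterdiscord_blob(blob), is_tampered(d, blob)


if __name__ == "__main__":
    print("intact:", constructed_check(True))
    print("infected:", constructed_check(False))
```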

Using the subprocess module, the malware spawns PowerShell to fetch the Windows activation key and product name by querying the registry keys shown in the figure below, and collects this data for exfiltration.

[Figure 12]

This malware targets more than 20 applications to steal Discord tokens, including:

Discord, DiscordCanary, Lightcord, DiscordPTB, Opera, OperaGX, Amigo, Torch, Kometa, Orbitum, CentBrowser, 7Star, Sputnik, Vivaldi, ChromeSxS, Chrome, EpicPrivacyBrowser, Microsoft Edge, Uran, Yandex, Brave, Iridium and Mozilla Firefox.

This grabber steals cookies and login credentials from the Chrome browser only. Each stolen credential consists of a domain, username, and password. The stolen data is saved to a text file that is copied into the random folder created earlier.

[Figure 13]

The malware calls the hxxps[:]//discord.com/api/v9/users/@me API with the stolen Discord authorization token to retrieve account information such as email, mobile number, and billing details. It also identifies the badges associated with the Discord account and writes all the harvested information to "Discord Info.txt", as depicted below.

[Figure 14]

Hazard Token Grabber reads the .ROBLOSECURITY value of the following registry key (the -Name .ROBLOSECURITY fragment is the PowerShell parameter that selects that value):

SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY

It uses this to steal the Roblox Studio cookie and writes the stolen data to the "Roblox Cookies.txt" file.

[Figure 15]
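The registry reads described in the Anti-debug section and the Roblox cookie read above are executed through spawned shell and PowerShell commands, so their command lines surface in process-creation telemetry. The following is an added example for this write-up, not code from Cyble or the malware: it matches command lines against the registry paths quoted in the report. The log lines are constructed, the CommandLine field layout is an assumption, and the activation-key query is left out because the report does not name its registry values.

```python
"""Flag process command lines that reference the registry paths this stealer reads
(the VM-detection keys, and the Roblox .ROBLOSECURITY cookie value). Added example
for this write-up, not code from Cyble or the malware. The log lines are constructed,
modelled on a CommandLine field such as Sysmon Event ID 1; the exact field layout of
a real log source is an assumption."""
import re

# Patterns built from the registry paths quoted in the report. Backslashes are
# normalised first so both plain and Python-escaped (\\) forms match.
PATTERNS = {
    "vm_check_disk_enum": r"services\\disk\\enum",
    "vm_check_disk_class": r"\{4d36e968-e325-11ce-bfc1-08002be10318\}\\0000.*(driverdesc|providername)",
    "roblox_cookie": r"roblox\\robloxstudiobrowser\\roblox\.com.*\.roblosecurity",
}
COMPILED = {name: re.compile(rx, re.IGNORECASE) for name, rx in PATTERNS.items()}


def classify(cmdline):
    """Return the names of every pattern the command line matches."""
    norm = cmdline.replace("\\\\", "\\")
    return [name for name, rx in COMPILED.items() if rx.search(norm)]


def scan(lines):
    """Return (index, matches) for each line that hits at least one pattern. Several
    hits from one parent process in quick succession is the sequence the report describes."""
    return [(i, m) for i, m in ((i, classify(l)) for i, l in enumerate(lines)) if m]


SAMPLE_LOG = [  # constructed, not taken from a real host
    r"CommandLine: reg query HKLM\SYSTEM\CurrentControlSet\Services\Disk\Enum 2> nul",
    r'CommandLine: reg query "HKLM\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000" /v DriverDesc',
    r"CommandLine: powershell -c Get-ItemProperty -Path HKCU:\SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY",
    r"CommandLine: notepad.exe C:\Users\user\notes.txt",
]

if __name__ == "__main__":
    for idx, names in scan(SAMPLE_LOG):
        print(idx, names, SAMPLE_LOG[idx])
```

Any single hit is only a lead; these keys are also read by legitimate administration tooling, so correlate with the parent process and the disk-size and sandbox checks before treating it as an infection.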

Data Exfiltration:

Hazard Token Grabber sends a request to hxxps[:]//ipinfo[.]io/json to identify the victim's IP address and location; it also derives a Google Maps location for the victim. This data is not written to a file but is sent as a message on Discord.

Finally, the malware compresses the stolen data and exfiltrates it using webhooks specified by the TA.

[Figure 16]

Conclusion

In the course of our analysis, we witnessed some samples of Hazard Token Grabber that were fully undetectable. As the stealer is also available on GitHub, other TAs could use its source code to create variants of this stealer. Hazard Stealer can steal data from multiple applications; however, given its specific functionality, the primary target appears to be Discord users.


Our Recommendations:

  • Avoid downloading applications from unknown sources.
  • Use a reputed anti-virus and internet security software package on your connected devices, including PC, laptop, and mobile.
  • Use strong passwords and enforce multi-factor authentication wherever possible.
  • Update your passwords periodically.
  • Refrain from opening untrusted links and email attachments without first verifying their authenticity.
  • Block URLs that could be used to spread the malware, e.g., Torrent/Warez.
  • Monitor beacons at the network level to block data exfiltration by malware or TAs.
  • Enable a Data Loss Prevention (DLP) solution on employees' systems.

MITRE ATT&CK® Techniques

Tactic               Technique ID   Technique Name
Execution            T1204          User Execution
Defense Evasion      T1497.001      Virtualization/Sandbox Evasion: System Checks
Persistence          T1547.001      Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder
Credential Access    T1555          Credentials from Password Stores
Credential Access    T1539          Steal Web Session Cookie
Credential Access    T1528          Steal Application Access Token
Collection           T1113          Screen Capture
Discovery            T1087          Account Discovery
Discovery            T1518          Software Discovery
Discovery            T1057          Process Discovery
Discovery            T1124          System Time Discovery
Discovery            T1007          System Service Discovery
Discovery            T1614          System Location Discovery
Command and Control  T1071          Application Layer Protocol
Exfiltration         T1041          Exfiltration Over C2 Channel

Indicators of Compromise (IoCs):

