RedTiger Penetration Tool Abused to Create Discord Info-Stealing Malware

Cybercriminals are repurposing the open-source RedTiger penetration testing suite to create an information-stealing malware that primarily targets Discord users. The maliciously compiled binaries, which are given names related to gaming or Discord, steal a wide range of sensitive data from infected machines. This includes Discord authentication tokens, account profiles, payment details, and browser-stored credentials.

Once executed, the malware extracts Discord tokens and injects malicious code into the Discord client to intercept API calls and capture login events and financial transactions. It also harvests data from web browsers, takes screenshots, and scans the file system for specific document types. The stolen information is bundled into an archive and anonymously uploaded to a cloud storage service, with a link sent to the attacker via a Discord webhook.
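The Discord webhook named above as the exfiltration channel is also a useful hunting artifact: stealer builds typically carry the attacker's webhook URL as a hard-coded string. The following scanner is an added example written for this page (it is not RedTiger code and not from the reporting); it flags embedded webhook URLs in files, checking both ASCII and UTF-16LE strings since Windows binaries often store wide strings, and masks the token when reporting so a triage note does not leak a live secret. The minimum token length (40) and the constructed sample blob are assumptions.

```python
"""Hunt for hard-coded Discord webhook URLs in files (stealer exfil channel)."""
import re
from pathlib import Path

# Webhook URL shape: https://discord.com/api/webhooks/<numeric id>/<token>.
# The older discordapp.com host and ptb/canary subdomains are also matched.
# Token charset is alphanumeric plus '-' and '_'; 40 is an assumed lower bound.
WEBHOOK_RE = re.compile(
    rb"https?://(?:ptb\.|canary\.)?discord(?:app)?\.com/api/webhooks/"
    rb"(\d{15,22})/([A-Za-z0-9_-]{40,})"
)


def _narrow_utf16(data: bytes) -> bytes:
    """Collapse UTF-16LE ASCII text (b'h\\x00t\\x00...') into plain ASCII so the
    regex can see it; any other code unit becomes a newline separator."""
    out = bytearray()
    for i in range(0, len(data) - 1, 2):
        lo, hi = data[i], data[i + 1]
        out.append(lo if hi == 0 and 0x20 <= lo < 0x7F else 0x0A)
    return bytes(out)


def find_discord_webhooks(data: bytes) -> list[str]:
    """Return the distinct webhook URLs embedded in raw bytes, searching the
    ASCII view plus both UTF-16LE alignments."""
    views = (data, _narrow_utf16(data), _narrow_utf16(data[1:]))
    hits = {m.group(0).decode("ascii") for view in views for m in WEBHOOK_RE.finditer(view)}
    return sorted(hits)


def redact(url: str) -> str:
    """Mask all but the first four token characters for safe reporting."""
    m = WEBHOOK_RE.fullmatch(url.encode("ascii"))
    if not m:
        return url
    token = m.group(2).decode("ascii")
    return url[: -len(token)] + token[:4] + "*" * (len(token) - 4)


def scan_blobs(blobs: dict[str, bytes]) -> dict[str, list[str]]:
    """Map each label to the redacted webhook URLs found in its bytes
    (labels with no hits are omitted)."""
    report = {}
    for label, data in blobs.items():
        found = find_discord_webhooks(data)
        if found:
            report[label] = [redact(u) for u in found]
    return report


def scan_tree(root: str) -> dict[str, list[str]]:
    """Walk a directory and scan every regular file."""
    return scan_blobs({str(p): p.read_bytes() for p in Path(root).rglob("*") if p.is_file()})


# Constructed sample: fake webhook (18-digit id, 40-char token) embedded once as
# ASCII and once as UTF-16LE inside junk bytes. Not a real webhook.
SAMPLE_ID = "123456789012345678"
SAMPLE_TOKEN = "aBcDeFgHiJkLmNoPqRsTuVwXyZ0123456789-_ab"
SAMPLE_URL = f"https://discord.com/api/webhooks/{SAMPLE_ID}/{SAMPLE_TOKEN}"
CONSTRUCTED_SAMPLE = (
    b"MZ\x90\x00\x03\x00junk" + SAMPLE_URL.encode("ascii") + b"\x00\xff"
    + b"\x01" + SAMPLE_URL.encode("utf-16-le") + b"\x00\x00trailer"
)

if __name__ == "__main__":
    for label, urls in scan_blobs({"constructed_sample.exe": CONSTRUCTED_SAMPLE}).items():
        print(label, urls)
```

Run it against a quarantine folder with `scan_tree("/path/to/samples")`; a hit is a strong indicator that the file is a stealer build, and the unmasked URL (from `find_discord_webhooks`) is what you would report to Discord for webhook takedown.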

The RedTiger-based stealer incorporates anti-analysis features, such as detecting debuggers and creating numerous random files to hinder forensic examination. While the exact distribution method is unclear, such malware is often spread through untrusted download sites, forums, or social media. Users are advised to avoid downloading software from unverified sources and to revoke Discord tokens, change passwords, and enable multi-factor authentication if they suspect a compromise.
