Disaster Hackers poison source code from largest Discord bot platform

Article / Archive by Bill Toulas on March 25, 2024 (2PM EST)
The Top.gg Discord bot community with over 170,000 members has been impacted by a supply-chain attack aiming to infect developers with malware that steals sensitive information.

The threat actor has been using several tactics, techniques, and procedures (TTPs) over the years including hijacking GitHub accounts, distributing malicious Python packages, using a fake Python infrastructure, and social engineering.

One of the more recent victims of the attacker is Top.gg, a popular search-and-discovery platform for Discord servers, bots, and other social tools geared towards gaming, boosting engagement, and improving functionality.

Checkmarx researchers discovered the campaign and note that the main goal was most likely data theft and monetization through selling the stolen info.

Hijacking top.gg maintainer account

According to the researchers, the attacker's activity started back in November 2022, when they first uploaded malicious packages on the Python Package Index (PyPI).

In the years that followed, more packages carrying malware were uploaded to PyPI. These resembled popular open-source tools with enticing descriptions that would make them more likely to rank well in search engine results.

The most recent upload was a package named "yocolor" in March this year.
[Image: Packages used in the campaign (Checkmarx)]
In early 2024, the attackers set up a fake Python package mirror at "files[.]pypihosted[.]org," which is a typosquatting attempt to mimic the authentic "files.pythonhosted.org" where the artifact files of PyPI packages are stored.

This fake mirror was used to host poisoned versions of legitimate packages, such as an altered version of the popular "colorama" package, with the goal of tricking users and development systems into using this malicious source.

The malicious packages uploaded to PyPI served as an initial vector to compromise systems. Once a system was compromised, or if the attackers hijacked privileged GitHub accounts, they altered project files to point to dependencies hosted on the fake mirror.

Checkmarx highlights a case from March where the attackers hacked the account of a top.gg maintainer, "editor-syntax," who had significant write access permissions on the platform's GitHub repositories.
[Image: Discussion on Discord about the hacked account (Checkmarx)]

The attacker used the account to perform malicious commits to Top.gg's python-sdk repository, such as adding a dependency on the poisoned version of "colorama" and storing other malicious repositories, to increase their visibility and credibility.
[Image: Malicious commit to modify the requirements.txt file (Checkmarx)]

Final payload

Once the malicious Python code is executed, it activates the next stage by downloading from a remote server a small loader or dropper script that fetches the final payload in encrypted form.

The malware establishes persistence on the compromised machine between reboots by modifying the Windows Registry.
[Image: Registry modification for persistence (Checkmarx)]

The malware's data stealing capabilities can be summed up in the following:
  • Targets browser data in Opera, Chrome, Brave, Vivaldi, Yandex, and Edge to steal cookies, autofill, browsing history, bookmarks, credit card details, and login credentials.
  • Searches for Discord-related directories to decrypt and steal Discord tokens, potentially gaining unauthorized access to accounts.
  • Steals from various cryptocurrency wallets by searching for and uploading wallet files in ZIP format to the attacker's server.
  • Attempts to steal Telegram session data for unauthorized access to accounts and communications.
  • Includes a file stealer component targeting files on Desktop, Downloads, Documents, and Recent Files based on specific keywords.
  • Leverages stolen Instagram session tokens to retrieve account details via the Instagram API.
  • Captures keystrokes and saves them, potentially exposing passwords and sensitive information. This data is uploaded to the attacker's server.
  • Utilizes methods like anonymous file-sharing services (e.g., GoFile, Anonfiles) and HTTP requests with unique identifiers (hardware ID, IP address) for tracking and uploading stolen data to the attacker's server.
[Image: Attack overview (Checkmarx)]

All stolen data is sent to the command and control server via HTTP requests, carrying unique hardware-based identifiers or IP addresses. In parallel, it's uploaded to file-hosting services like Anonfiles and GoFile.

The number of users impacted by this campaign is unknown, but the report from Checkmarx highlights the risks of the open-source supply chain and the importance of developers checking the security of their building blocks.
In the top.gg discord server, a heated debate went on after Alex (pistolswap on discord) posted about it.
[Discord screenshot]
After this, ukpm, one of the maintainers mentioned buffer (bufferization) and started pressuring him:
[Discord screenshot]
With buffer being confused, and ukpm still acting cocky:
[Discord screenshot]
Buffer, STILL being confused then realizes his Github account was compromised:
[Discord screenshots]
Still, buffer was realizing his machine was compromised and had to clean it:
[Discord screenshots]
and the conversation ends there.

EDIT: They made an announcement about the issue here:
[Discord screenshot]
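The article describes two kinds of traffic a defender can look for: fetches from the look-alike mirror files[.]pypihosted[.]org and uploads of stolen data to anonymous file-sharing services (GoFile, Anonfiles). The script below is an added example, not code from the article, Checkmarx, or the thread; it runs a simple classifier over a constructed proxy log and correlates the two patterns per client. The log format, every sample line, and the sharing-service domain names (gofile.io, anonfiles.com) are assumptions for the demo.

```python
"""Added example (not from the article or Checkmarx): flag proxy-log
entries matching two traffic patterns the article describes, fetches
from the look-alike mirror files.pypihosted.org and uploads to the
anonymous file-sharing services (GoFile, Anonfiles) used for exfiltration.
Log format and all sample lines are constructed; the sharing-service
domain names are assumed, not taken from the article."""
import re

# Constructed log format: "<timestamp> <client-ip> <method> <host> <path> <request-bytes>"
SAMPLE_LOG = """\
2024-03-21T10:00:01Z 10.0.0.5 GET files.pythonhosted.org /packages/colorama-0.4.6.tar.gz 0
2024-03-21T10:00:03Z 10.0.0.5 GET files.pypihosted.org /packages/colorama-0.4.6.tar.gz 0
2024-03-21T10:00:09Z 10.0.0.5 POST store1.gofile.io /uploadFile 5242880
2024-03-21T10:00:10Z 10.0.0.5 POST api.anonfiles.com /upload 1048576
2024-03-21T10:01:00Z 10.0.0.7 GET pypi.org /simple/requests/ 0
2024-03-21T10:02:00Z 10.0.0.7 POST api.anonfiles.com /upload 2048
"""

LOOKALIKE_MIRROR = "pypihosted.org"                    # typosquat of pythonhosted.org
FILE_SHARING_DOMAINS = {"gofile.io", "anonfiles.com"}  # assumed domain forms
UPLOAD_THRESHOLD = 1024 * 1024                         # POST bodies >= 1 MiB count as bulk uploads

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\S+) (\d+)$")


def parse_line(line):
    """Parse one constructed log line into a dict, or None if malformed."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, client, method, host, path, nbytes = m.groups()
    return {"ts": ts, "client": client, "method": method.upper(),
            "host": host.lower(), "path": path, "bytes_out": int(nbytes)}


def host_in_domain(host, domain):
    """True if host is the domain itself or a subdomain of it."""
    return host == domain or host.endswith("." + domain)


def classify(rec):
    """Return the finding tags that apply to one parsed record."""
    tags = []
    if host_in_domain(rec["host"], LOOKALIKE_MIRROR):
        tags.append("lookalike-pypi-mirror")
    if any(host_in_domain(rec["host"], d) for d in FILE_SHARING_DOMAINS):
        tags.append("anon-file-sharing")
        if rec["method"] == "POST" and rec["bytes_out"] >= UPLOAD_THRESHOLD:
            tags.append("bulk-upload")
    return tags


def scan(log_text):
    """Return (client, host, tags) for every line that raised at least one tag."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        tags = classify(rec)
        if tags:
            findings.append((rec["client"], rec["host"], tags))
    return findings


def correlate(findings):
    """Clients that both fetched from the look-alike mirror and bulk-uploaded
    to a sharing service: the fetch explains where the stealer came from,
    the upload is its exfiltration. Either alone is only a weak signal."""
    by_client = {}
    for client, _host, tags in findings:
        by_client.setdefault(client, set()).update(tags)
    return {c for c, t in by_client.items()
            if "lookalike-pypi-mirror" in t and "bulk-upload" in t}


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
    print("high-confidence clients:", correlate(scan(SAMPLE_LOG)))
```

The small POST from 10.0.0.7 is tagged but not escalated: a single request to a sharing service is common enough that the correlation with the mirror fetch is what makes 10.0.0.5 worth a ticket.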
They should really look into adding GPG signing for packages and force the user of pip install to accept the signing key before installing, cache it and if the signing key changes, throw a shitfit so people know something happened.

Just stupid you can change the URL in requirements.txt to some bullshit and then update the version of colorama with some garbage hosted on a mystery meat lookalike domain and nobody is the wiser.

My idea isn't bulletproof but the current state of affairs is just Sad.
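The article's requirements.txt commit and the comment above both come down to the same gap: nothing in a plain requirements file ties a package name to the bytes that get installed. pip already has a hash-checking mode (`--require-hashes`, with `--hash=sha256:...` on each line) that rejects an artifact whose digest does not match the pin, which covers the "swap the URL and bump the version" case without any key distribution. The script below is an added example, not the article's, Checkmarx's, or the commenter's code: it audits a constructed requirements file for index or direct-download URLs that point off the official PyPI hosts (including pypihosted-style look-alikes) and for pins that carry no hash, then verifies a constructed artifact against its pinned digest the way hash-checking mode does. The package names, URLs and artifact bytes are all made up for the demo.

```python
"""Added example (not the article's, Checkmarx's or the commenter's code):
audit a requirements.txt for index/download URLs that leave the official
PyPI hosts and for unhashed pins, then verify an artifact against a pinned
sha256 digest as pip's --require-hashes mode does. All sample data is
constructed for the demo."""
import hashlib
import re
from urllib.parse import urlparse

TRUSTED_HOSTS = {"pypi.org", "files.pythonhosted.org"}
OFFICIAL_LABELS = ("pypi", "pythonhosted")   # names a typosquat would borrow
HASH_RE = re.compile(r"--hash=sha256:([0-9a-f]{64})")
INDEX_OPTS = ("--index-url", "--extra-index-url", "-i", "--find-links", "-f")

# Constructed artifact and the digest a maintainer would have pinned for it.
GOOD_ARTIFACT = b"constructed sdist bytes for the demo\n"
GOOD_SHA = hashlib.sha256(GOOD_ARTIFACT).hexdigest()

# Constructed requirements.txt: one good pin, one redirected extra index on a
# look-alike host, one direct-URL dependency on that host, one unhashed pin.
SAMPLE_REQUIREMENTS = f"""\
--index-url https://pypi.org/simple
--extra-index-url https://files.pypihosted.org/simple
demopkg==1.0.0 --hash=sha256:{GOOD_SHA}
colorama @ https://files.pypihosted.org/packages/colorama-0.4.6.tar.gz
aiohttp==3.9.3
"""


def host_of(url):
    return (urlparse(url).hostname or "").lower()


def is_lookalike(host):
    """True for hosts that borrow an official label without being official."""
    return host not in TRUSTED_HOSTS and any(lbl in host for lbl in OFFICIAL_LABELS)


def audit_requirements(text):
    """Return (line_no, issue, detail) tuples for every risky line."""
    issues = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith(INDEX_OPTS):
            parts = line.split(None, 1)
            host = host_of(parts[1].strip()) if len(parts) > 1 else ""
            if host not in TRUSTED_HOSTS:
                issues.append((n, "untrusted-index", host))
            if is_lookalike(host):
                issues.append((n, "lookalike-host", host))
            continue
        if "@" in line:  # PEP 508 direct reference: name @ url
            host = host_of(line.split("@", 1)[1].split()[0])
            if host not in TRUSTED_HOSTS:
                issues.append((n, "untrusted-direct-url", host))
            if is_lookalike(host):
                issues.append((n, "lookalike-host", host))
        if not HASH_RE.search(line):
            issues.append((n, "missing-hash", line.split()[0]))
    return issues


def pinned_hashes(text):
    """Map lower-cased requirement name -> set of sha256 digests pinned for it."""
    pins = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("-"):
            continue
        name = re.split(r"[=<>!~@ \[]", line, 1)[0].lower()
        digests = set(HASH_RE.findall(line))
        if digests:
            pins[name] = digests
    return pins


def verify_artifact(name, data, pins):
    """Accept an artifact only if its sha256 matches a digest pinned for name.
    A package with no pin is rejected, which is what --require-hashes does."""
    expected = pins.get(name.lower())
    if not expected:
        return False
    return hashlib.sha256(data).hexdigest() in expected


if __name__ == "__main__":
    for issue in audit_requirements(SAMPLE_REQUIREMENTS):
        print(issue)
    pins = pinned_hashes(SAMPLE_REQUIREMENTS)
    print("good artifact accepted:", verify_artifact("demopkg", GOOD_ARTIFACT, pins))
    print("tampered artifact accepted:", verify_artifact("demopkg", GOOD_ARTIFACT + b"x", pins))
```

The audit catches the exact shape of the malicious commit in the article (an extra index or direct URL on a pythonhosted look-alike), while the hash check is the part that holds even if the attacker controls the index: a version bump to a poisoned colorama fails to install because no pinned digest matches it. Hash pinning covers only what is pinned, so transitive dependencies need pins too (pip-compile with `--generate-hashes` produces them).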
 
What is even the point of discord bots exactly?
They're mostly massive gimmicks like time waster games or chatbots that respond to specific messages at random. Basically pointless annoyances. Others are annoyances with a 'purpose', albeit a misguided one, like bots that won't even let you access a server without responding to some dumbass DM or clicking a sticker react. Of course, things like that are easily gotten around by the spambots they're trying to prevent. They're as much of a problem on the platform as bots were on Reddit several years ago. People that spend too much time on these platforms put too much effort into trying to 'expand their uses' or some shit.
 
What is even the point of discord bots exactly?
The same function as IRC bots for the most part:
automod features like anti-flood, suspicious links, etc.

There is one new feature which has high impact to average users but I don't know if this bot is impacted:
The capacity to pipe music into a voice channel.
 
China, Russia, someone else?

If it's going after secrets of that nature I'm guessing China as it's pretty much the only way they advance or "create" anything.
 
Any day where d*scord pedos get their shit pushed in is a happy day for me.
I'm still waiting for a discord virus that impacts server admins, replacing expected program responses with walls of text that must be carefully mined for 20 minutes for the text input that will perform the input they originally wanted.
Smug assholes should be forced to pass "IQ check" bullshit they normalized to type every letter on their PCs and phones until they reformat and lose their data.
 
I'm still waiting for a discord virus that impacts server admins, replacing expected program responses with walls of text that must be carefully mined for 20 minutes for the text input that will perform the input they originally wanted.
Smug assholes should be forced to pass "IQ check" bullshit they normalized to type every letter on their PCs and phones until they reformat and lose their data.
I'm waiting for a discord virus that affects admins and owners of the platform specifically, so that their PC gets bricked and their HDD info forwarded to the hacker, so that he can confirm what kind of sick shit is on there.
 
For a bit I thought this was some massive nightmare internet breach thing again but it's literally just someone's account getting hijacked by some malware scammer trying to rake data by replacing the uploads of development help shit with shit that steals your credit card info. Still sucks for the people affected but thankfully it's not as bad as it could have been. For better or worse discord in all its reddit groomer overlap infamy has kinda replaced skype in the sense a lot of friends/family of people will like only do calls through either that or a phone when not face to face so if some shit like that really went down it wouldn't be as great as people frame it as being.
 