[Aurornis]

These repos post to Discord webhooks to notify of newly compromised systems.

I’ve found Discord to be responsive to abuse complaints in the past. If someone wrote a simple script to download these repos and extract the Discord webhook links I bet you could get Discord to shut down their accounts.

In my past experience Discord was aggressive about this, going so far as to ban the accounts of people who had participated on those servers with clearly illegal purposes. They’ll come back and make new accounts again, of course, but having them lose all of their connected servers, history, and requiring them to update every single one of their malware drops should slow them down considerably.

[avodonosov]

> going so far as to ban the accounts

The responsible thing would be also to release all related data, icluding personal information (IP adresses, emails, list of contacts, chat logs) to investigation (police, etc)

[Aurornis]

I’m sure they report serious crimes and at least retain records for questionable activity.

I don’t get visibility into internal Discord operations, though. We just see that the perpetrators lost both their Discord server and their accounts disappeared from other Discords they were in. They angrily returned later with new usernames.

[avodonosov]

> I’m sure they report serious crimes and at least retain records for questionable activity.

Why are you sure? I really doubt it.

[Avamander]

That would be a tremendous amount of work, at best they might be forwarding it to some CERT. But I doubt even that. Shutting down the accounts is probably the best they can do.

[TechDebtDevin]

Doesnt really matter if the scammers are in bum fuck egypt (literally)

[avodonosov]

Law enforcement has ways to work across borders (international agreements, etc).

Such mechanisms should and will improve with time.

If a countly doesn't provide legal support against scammers, then the requesting country can reciprocate - declare green light for scammers agains the refusing country.

[anoncow]

We could lock such repos. No access (not even read-only) and disable accounts. That could also be semi automatic.

[encom]

Let's shut down Discord instead, for the good of all mankind.

[catsma21]

> extract the Discord webhook links

there's a large variety of malware, they don't all phone home the same way and they don't all phone home to discord

[Aurornis]

Did you read the linked article? The template they’re duplicating phones home via Discord.

I’m not saying every malware uses Discord. I’m talking about the article.

[catsma21]

i did, in fact, read the article. you said "a simple script to download these repos". the variety of malware would make the script not so simple, and not so effective.

[Aurornis]

> the variety of malware would make the script not so simple, and not so effective.

The article is about using scripts to identify and download the malware. They identified over 1000 matching repos, which would contain Discord webhooks in the script.

Scanning and identifying has already been done. That’s literally what the article is about.

It’s right in the second paragraph:

> As soon as you download and launch any of these, all the data from your computer is collected and sent to some discord server

[catsma21]

yes, they identified spammy repos. you'd also need to identify which repos belong to which spammer groups, it's not just one person doing this (as mentioned in the article) -> they don't use the same malware. saying "sent to some discord server" is like saying "playing games on my nintendo". the malware is also obfuscated (as mentioned in the article) which makes identifying the home server harder with static analysis.

why don't we just send bad people to jail?

[Aurornis]

The web hook is in the templated script

From the article:

> The "trust" value, when base64-decoded, turns out to be a discord webhook link: myhook = 'https://discord.com/api/webhooks/1050437982584324138/VJByvmB...'

Collect all the scripts matching the template. Extract the “trust” variable. Decode base64. Send to Discord with proof of how it was obtained.

Discord then identifies the Discords matching those webhooks.

It’s not some hard static analysis problem. These are python scripts with a base64 encoded variable. I don’t understand why you’re making it out to be something other than what the article says.

[Liquix]

...why? what's the difference between "POST payload to discord webhook" vs. "POST payload to VPS rented anonymously"? it seems like an inexplicably bad decision to use a proprietary US service for your malware C&C

[Aurornis]

These are not sophisticated attackers.

Discord is free and easy. The notification pops up right where they’re already chatting with each other for 16 hours every single day.

Renting a VPS and writing custom software to accept a POST request requires a credit card, programming skill, and time.

[acedTrex]

These are not high effort malware distributors. Its very low hanging fruit done by script kiddies essentially.