A new malware campaign is using the npm registry as its distribution channel. The malware, which debuted as CursedGrabber, is designed to steal Discord app tokens, personal information such as payment details, and web browser files from infected users. It is spread via the xpc.js package on the npm registry, which had been taken down at the time of writing. The package contains a Node component that executes lib2.exe through an install hook on Windows. lib2.exe is written in C#.

Figure: lib2.exe debug file

lib2.exe launches PowerShell.exe to download bundle-5.0.5.zip, which contains additional malware, including osloader.exe, for a total of 36 files.
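As an added defensive example (not code from this page or from the CursedGrabber analysis), the following Python script audits npm package manifests for install-time lifecycle hooks like the one xpc.js used to launch lib2.exe, and follows a `node <file>` hook into that script to check whether it spawns a process. The sample manifest and file contents are constructed, and the regex heuristics are assumptions meant for triage, not a complete detection.

```python
import json
import re
from pathlib import Path

# Lifecycle hooks npm runs automatically during `npm install`.
INSTALL_HOOKS = ("preinstall", "install", "postinstall", "prepare")
# Heuristics (assumed): a hook launching a binary/shell tool, or a Node
# script that spawns a process, deserves manual review.
SHELL_OR_BINARY = re.compile(
    r"\.exe\b|powershell|cmd\.exe|curl\b|wget\b|certutil|bitsadmin", re.I)
NODE_RUN = re.compile(r"^\s*node\s+([\w./\\-]+\.[cm]?js)\b", re.I)
SPAWNS_PROCESS = re.compile(
    r"child_process|\b(spawn|exec|execFile)(Sync)?\s*\(|\.exe\b|powershell", re.I)

def audit_manifest(manifest, read_file):
    """One finding per install hook; read_file follows `node <file>` into that file."""
    findings = []
    scripts = manifest.get("scripts") or {}
    for hook in INSTALL_HOOKS:
        cmd = scripts.get(hook)
        if not cmd:
            continue
        reasons = []
        if SHELL_OR_BINARY.search(cmd):
            reasons.append("hook command references a binary or shell tool")
        m = NODE_RUN.match(cmd)
        if m and SPAWNS_PROCESS.search(read_file(m.group(1)) or ""):
            reasons.append(f"{m.group(1)} spawns a process")
        findings.append({"package": manifest.get("name", "?"), "hook": hook,
                         "command": cmd, "reasons": reasons})
    return findings

def audit_tree(root):
    """Audit every package.json below root (e.g. a node_modules directory)."""
    findings = []
    for pj in Path(root).rglob("package.json"):
        try:
            manifest = json.loads(pj.read_text(encoding="utf-8"))
        except (OSError, ValueError):
            continue
        def read_file(rel, base=pj.parent):
            try:
                return (base / rel).read_text(encoding="utf-8", errors="replace")
            except OSError:
                return None
        findings.extend(audit_manifest(manifest, read_file))
    return findings

# Constructed sample (hypothetical; not the real xpc.js package contents).
SAMPLE_MANIFEST = {"name": "example-pkg", "scripts": {"postinstall": "node index.js"}}
SAMPLE_FILES = {"index.js": 'require("child_process").execFile("lib2.exe");'}
```

Run `audit_tree("node_modules")` after an install and review every finding whose `reasons` list is non-empty.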