Cybersecurity experts have identified a new Remote Access Trojan (RAT) named PySilon. This Trojan exploits the popular social platform Discord to maintain persistence on infected systems.
Discord, known for its real-time communication features, has become a hub for various communities beyond its gaming origins. However, its API capabilities have also made it a target for malicious activities.
Discord bots are automated programs that perform specific server tasks, ranging from server management to music playback.
As per reports by ASEC Lab, these bots are typically developed using programming languages like Python and JavaScript and interact with servers through the Discord API.
While they enhance user experience, they can also be manipulated for nefarious purposes.
Protecting Your Networks & Endpoints With UnderDefense MDR – Request Free Demo
PySilon Rat Abusing Discord
PySilon represents a concerning case where RAT malware is implemented using a Discord bot.
The full source code of this malware is available on GitHub, raising alarms about its potential spread. Communities on platforms like Telegram further facilitate its distribution and customization.
The PySilon builder allows users to customize the malware by specifying details such as the Server ID and bot token required for creating a Discord bot. This information is embedded into pre-written Python code and converted into an executable file using PyInstaller.
When executed on a victim’s PC, the malware creates a new channel on the attacker’s server. It sends initial system information, including IP address details, via chat. Each infected PC gets a dedicated channel, enabling the attacker to control it individually.
Upon execution, PySilon self-replicates in the user folder to ensure persistence. It adds to the system’s RUN registry key, guaranteeing execution at startup. The malware can also customize the folder name used for replication.
PySilon contains anti-virtual machine (VM) logic, which allows it to detect virtual environments and avoid execution within them.
Attackers can execute various commands through the created channels, enabling them to perform malicious activities such as:
- Information Collection: The “Grab” command extracts personal data, including Discord tokens, browsing history, cookies, and passwords.
- Screen and Audio Recording: The malware captures screen and audio data using Python modules like pyautogui and sound device.
- Keylogging: It logs keystrokes and transmits them when the user presses “Enter.”
- Folder Encryption: PySilon encrypts files using the Fernet algorithm, storing decryption keys in user folders without leaving ransom notes.
PySilon’s open-source nature makes it easy for threat actors to integrate its code into seemingly benign bots. Since data transmission occurs via official Discord servers used for legitimate bot functions, detecting such malware becomes challenging for users.
The rise of open-source projects like PySilon highlights a growing trend of exploiting popular cybercrime platforms.
Run private, Real-time Malware Analysis in both Windows & Linux VMs. Get a 14-day free trial with ANY.RUN!