Description of Campaign
An updated version of the Hazard Token Grabber information stealer was discovered to target Discord users. The malware was discovered in 2021 and is available on GitHub.
The malware is developed using Python and uses webhooks to exfiltrate stolen information to a Discord channel. The data collected and exfiltrated includes system information, Discord tokens, and cookies and login credentials from the Chrome browser.

Our Threat Research team gathers and analyzes information from multiple open and closed sources before disseminating intelligence reports. This campaign was researched by Cyble and shared publicly.

How to use this article:

1. If a Threat Hunting table has been created, use the rules contained to search for malware related to this campaign. 
2. Review the product detection table and confirm that your environment is at least on the specified content version.
   To download the latest content versions, go to the Security Updates page.
3. Scroll down and review the "Product Countermeasures" section of this article. Consider implementing them if they are not already in place.
4. Review KB91836 - Countermeasures for entry vector threats.
5. Review KB87843 - Dynamic Application Containment rules and best practices.
6. Review KB82925 - Identify what rule corresponds to an Adaptive Threat Protection and Threat Intelligence Exchange event.

This Knowledge Base article discusses a specific threat that's being tracked. The list of IOCs will change over time; check Trellix Insights for the latest IOCs.
 
Campaign IOC

Type	Value
SHA256	6925D86FDEDFF2065C33DF7806BA231D0D1C8F2D5246F1CAD343F37FEE54FE29
SHA256	4AC15D15FF16919A08770265C074E8E89B21C9B61CE6348072AA719E80B5ED06
SHA256	2441F2DF1789CFC48A170A7927D73B98D8676A65EB81F3B068E4C76C3B85E77A

Minimum Content Versions

Content Type	Version
V2 DAT (VirusScan Enterprise)	10394
V3 DAT (Endpoint Security)	4846

  
Detection Summary                               

IOC	Scanner	Detection
6925D86FDEDFF2065C33DF7806BA231D0D1C8F2D5246F1CAD343F37FEE54FE29	AVEngine V2	Generic pws.ahx
	AVEngine V3	Generic pws.ahx
	JTI (ATP Rules)	JTI/Suspect.196612!c2ea16d8bfec
	RP Static	-
	RP Dynamic	-

 

IOC	Scanner	Detection
4AC15D15FF16919A08770265C074E8E89B21C9B61CE6348072AA719E80B5ED06	AVEngine V2	Generic pws.ahx
	AVEngine V3	Generic pws.ahx
	JTI (ATP Rules)	JTI/Suspect.196612!7fdc0515d98f
	RP Static	Real Protect-PEFT!7FDC0515D98F
	RP Dynamic	-

 

IOC	Scanner	Detection
2441F2DF1789CFC48A170A7927D73B98D8676A65EB81F3B068E4C76C3B85E77A	AVEngine V2	Generic pws.aia
	AVEngine V3	Generic pws.aia
	JTI (ATP Rules)	JTI/Suspect.1179887!cda48fc75952
	RP Static	-
	RP Dynamic	-

Minimum set of Manual Rules to improve protection to block this campaign:

IMPORTANT: Always follow best practices when you enable new rules and signatures.

When you implement new rules or signatures, always set them to Report mode first and check the alerts generated. Resolve any issues that arise and then set the rules to Block. This step mitigates against triggering false positives and allows you to refine your configuration.

For more information, see KB87843 - List of and best practices for Endpoint Security Dynamic Application Containment rules.

Endpoint Security - Advanced Threat Protection:
Host Intrusion Prevention:
Aggressive set of Manual Rules to improve protection to block this campaign:

IMPORTANT: Always follow best practices when you enable new rules and signatures.

When you implement new rules or signatures, always set them to Report mode first and check the alerts generated. Resolve any issues that arise and then set the rules to Block. This step mitigates against triggering false positives and allows you to refine your configuration.

For more information, see KB87843 - List of and best practices for Endpoint Security Dynamic Application Containment rules.

VirusScan Enterprise - Access Protection Rules:
Host Intrusion Prevention: