KurayStealer is a Python-based malware builder that harvests passwords and screenshots and exfiltrates them to Discord via webhooks. The tool is offered in free and VIP versions, with OSINT linking the author to Spain and a presence on YouTube and Discord. #KurayStealer #Portu
Keypoints
- The malware builder KurayStealer is written in Python and targets password theft, screenshot capture, and data exfiltration via Discord webhooks.
- The first sample was detected on 27 April 2022, with the project advertised publicly via YouTube and Discord under the name “Portu.”
- The builder performs a UUID check using the command “wmic csproduct get UUID” to determine user type and routing (free vs VIP).
- It drops modules such as DualMTS.py or DualMTS_VIP.py depending on user type; the module also bypasses BetterDiscord's protection by modifying strings so that webhook posting succeeds.
- It captures screenshots and geo-location, and harvests credentials from 21 software packages (e.g., Discord, Chrome, Opera, Brave, and more) before sending all data to Discord via webhooks.
- Uptycs’ EDR with YARA detects KurayStealer and provides threat scores and detailed behavior in its advanced threat section, underscoring multi-layer security visibility needs.
- OSINT indicates links to a Discord channel, commercial versions, and a YouTube demo from a Spanish creator, suggesting ongoing development and potential future variants.
MITRE Techniques
- [T1059.006] Command and Scripting Interpreter: Python – The builder was identified as being written in Python and works in Python 3.0 (“Python 3000” or “Py3k”). – “The builder was identified… written in Python and works in Python 3.0 (a.k.a. ‘Python 3000’ or ‘Py3k’).”
- [T1082] System Information Discovery – The malware checks the UUID using the command “wmic csproduct get UUID” to determine user type. – “Upon execution, the builder checks for the universally unique identifier (UUID) using the command ‘wmic csproduct get UUID’.”
- [T1113] Screen Capture – The code takes screenshots of the victim machine using pyautogui and collects geo-location. – “DualMTS.py attempts to take the screenshot of the machine using the python module “pyautogui”… and the geo-location of the machine.”
- [T1555] Credentials from Password Stores – The builder harvests passwords and tokens from 21 software packages, including Discord, Chrome, Opera, Brave, etc. – “It also harvests the passwords and tokens from a list of 21 software packages as follows: Discord, Lightcord, Discord PTB, Opera, Opera GX, Amigo, Torch, Kometa, Orbitum, CentBrowser, 7Star, Sputnik, Vivaldi, Chrome SxS, Chrome, Epic Privacy Browser, Microsoft Edge, Uran, Yandex, Brave, Iridium.”
- [T1071.001] Web Protocols – Exfiltration of data via Discord webhook to the attacker’s channel. – “The harvested information including computername, geo-location, ipaddress, credentials and the screenshot of the victim machine is sent over to the Discord channel via webhooks.”
- [T1036] Masquerading – Bypassing protections by modifying BetterDiscord strings to enable webhook posting. – “DualMTS.py attempts to replace the string ‘api/webhooks’ with ‘Kisses’ in BetterDiscord in an attempt to bypass the protection and send webhooks seamlessly.”
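Two of the behaviours above are observable on an endpoint: a process POSTing to a Discord webhook, and BetterDiscord's source no longer containing the “api/webhooks” string it uses to block webhook posts. The following is added example code, not code from the Uptycs write-up or from the malware, showing detection logic run over constructed telemetry. The event field names (host, pid, ppid, image, cmdline, method, url) are assumptions about an EDR export, and the BetterDiscord snippet is a constructed stand-in; only the wmic command string, the Discord webhook URL path and the “Kisses” marker come from the write-up.

```python
"""Detection logic for the KurayStealer behaviours described in the write-up,
run over constructed telemetry. Added example, not Uptycs or malware code.
Field names are assumptions about an EDR export."""
import re
from collections import defaultdict

# Constructed process-creation events.
PROCESS_EVENTS = [
    {"host": "WS-01", "pid": 3300, "ppid": 1200, "image": "python.exe",
     "cmdline": r'python.exe "C:\Users\victim\AppData\Local\Temp\DualMTS.py"'},
    {"host": "WS-01", "pid": 4120, "ppid": 3300, "image": "wmic.exe",
     "cmdline": "wmic csproduct get UUID"},
    # Inventory script on another host: the UUID query alone is benign.
    {"host": "WS-02", "pid": 800, "ppid": 700, "image": "wmic.exe",
     "cmdline": "wmic csproduct get UUID"},
]

# Constructed outbound HTTP events, attributed to the originating process.
NETWORK_EVENTS = [
    {"host": "WS-01", "pid": 3300, "method": "POST",
     "url": "https://discord.com/api/webhooks/PLACEHOLDER_ID/PLACEHOLDER_TOKEN"},
    {"host": "WS-02", "pid": 700, "method": "GET",
     "url": "https://example.invalid/inventory"},
    {"host": "WS-03", "pid": 5000, "method": "POST",
     "url": "https://discordapp.com/api/webhooks/PLACEHOLDER_ID/PLACEHOLDER_TOKEN"},
]

# The command quoted in the write-up; case-insensitive, tolerant of extra args.
WMIC_UUID = re.compile(r"\bwmic\b.*\bcsproduct\b.*\bget\b.*\buuid\b", re.I)
# Discord webhook endpoints on either of Discord's API hostnames.
DISCORD_WEBHOOK = re.compile(
    r"https?://(?:[\w-]+\.)?discord(?:app)?\.com/api/webhooks/", re.I)


def correlate(process_events, network_events):
    """Return alerts as (host, pid, severity) tuples.

    Any process POSTing to a Discord webhook is reported (medium): legitimate
    webhook use exists but is rare from a workstation. If that process, or one
    of its children, also ran the wmic UUID query, severity is raised to high.
    """
    uuid_pids = defaultdict(set)  # host -> pids credited with the UUID query
    for ev in process_events:
        if WMIC_UUID.search(ev["cmdline"]):
            # Credit both the wmic process and its parent (the script host).
            uuid_pids[ev["host"]].update({ev["pid"], ev["ppid"]})

    alerts = []
    for ev in network_events:
        if ev["method"] != "POST" or not DISCORD_WEBHOOK.search(ev["url"]):
            continue
        severity = "high" if ev["pid"] in uuid_pids[ev["host"]] else "medium"
        alerts.append((ev["host"], ev["pid"], severity))
    return alerts


def betterdiscord_tampered(source: str) -> bool:
    """Integrity check for a BetterDiscord script.

    The stealer swaps the 'api/webhooks' string for 'Kisses' so BetterDiscord's
    webhook blocking no longer matches. A source that carries the replacement
    marker and none of the original string is reported as tampered.
    """
    return "Kisses" in source and "api/webhooks" not in source


# Constructed stand-ins for a clean and a modified BetterDiscord source line
# (not BetterDiscord's real code).
CLEAN_BD = 'if (url.includes("api/webhooks")) return Promise.reject();'
TAMPERED_BD = CLEAN_BD.replace("api/webhooks", "Kisses")

if __name__ == "__main__":
    for alert in correlate(PROCESS_EVENTS, NETWORK_EVENTS):
        print("ALERT host=%s pid=%d severity=%s" % alert)
    print("BetterDiscord tampered:", betterdiscord_tampered(TAMPERED_BD))
```

The wmic query is deliberately not an alert on its own: asset-inventory scripts run it routinely, and the write-up places the check in the builder rather than in the victim-side module, so it serves only to corroborate the webhook POST. On a real BetterDiscord install, point `betterdiscord_tampered` at the script files under the BetterDiscord data directory (location is deployment-specific and not given in the write-up).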
Indicators of Compromise
- [Hash] 8535c08d7e637219470c701599b5de4b85f082c446b4d12c718fa780e7535f07 (c2.py) – initial KurayStealer sample
- [Hash] 09844d550c91a834badeb1211383859214e65f93d54d6cb36161d58c84c49fab (DualMTS.py) – dropped module for functionality demonstration
- [File name] c2.py, DualMTS.py, C2.exe – components dropped by the builder on infection
- [URL] https://Discord.gg/AHR84u767J – Discord channel invite embedded in the builder for commercial versions and updates
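The indicators above can be swept across an endpoint estate from a file inventory export. The following is added example code, not from the Uptycs write-up: it matches the two SHA-256 hashes, treats the generic file names as low-confidence leads, and looks for the embedded Discord invite in script sources. The inventory record shape (path, sha256 hex) and the sample paths are assumptions; the hashes, file names and invite come from the IoC list.

```python
"""Indicator matching for the KurayStealer IoCs. Added example, not from the
Uptycs write-up; the (path, sha256) record shape is an assumption about an
EDR or file-integrity export."""
import hashlib

# SHA-256 hashes from the IoC list: a match is high confidence.
IOC_SHA256 = {
    "8535c08d7e637219470c701599b5de4b85f082c446b4d12c718fa780e7535f07":
        "c2.py (initial KurayStealer sample)",
    "09844d550c91a834badeb1211383859214e65f93d54d6cb36161d58c84c49fab":
        "DualMTS.py (dropped module)",
}
# File names from the IoC list are generic: a match is a lead to verify.
IOC_FILENAMES = {"c2.py", "dualmts.py", "c2.exe"}
# Invite embedded in the builder. Matched case-insensitively for robustness,
# since the write-up spells the host as "Discord.gg".
IOC_INVITE = "discord.gg/AHR84u767J"


def sha256_file(path: str) -> str:
    """Stream a file through SHA-256 so large files need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def basename(path: str) -> str:
    """Last path component for either Windows or POSIX separators, lower-cased."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def match_inventory(records):
    """records: iterable of (path, sha256_hex). Returns (path, confidence, reason)."""
    hits = []
    for path, digest in records:
        digest = digest.lower()
        if digest in IOC_SHA256:
            hits.append((path, "high", "SHA-256 matches " + IOC_SHA256[digest]))
        elif basename(path) in IOC_FILENAMES:
            hits.append((path, "low", "file name on IoC list; confirm by hash or content"))
    return hits


def contains_invite(text: str) -> bool:
    """True if a script's source embeds the builder's Discord invite."""
    return IOC_INVITE.lower() in text.lower()


# Constructed inventory: one true hash hit, one name-only lead, one clean file.
SAMPLE_INVENTORY = [
    (r"C:\Users\victim\AppData\Local\Temp\DualMTS.py",
     "09844d550c91a834badeb1211383859214e65f93d54d6cb36161d58c84c49fab"),
    (r"C:\projects\lab\c2.py",
     "0000000000000000000000000000000000000000000000000000000000000000"),
    (r"C:\Windows\System32\notepad.exe",
     "1111111111111111111111111111111111111111111111111111111111111111"),
]

if __name__ == "__main__":
    for hit in match_inventory(SAMPLE_INVENTORY):
        print("%s [%s] %s" % hit)
```

When an inventory export is not available, build the records with `sha256_file` over the paths of interest and feed them to `match_inventory`; a low-confidence name hit should be escalated only after `contains_invite` or a hash comparison confirms it.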
Read more: https://www.uptycs.com/blog/kuraystealer-a-bandit-using-discord-webhooks