Good day All,

I ran a full deep scan today, and it detected a Trojan in the"index.js" file on the below path:

/Users/Home/Library/Application Support/discord/0.0.254/modules/discord_desktop_core

I ran a full malwarebytes scan (with the file restored), but it found nothing. I’ve also submitted the file to the virus lab.

Below are the virustotal results:

https://www.virustotal.com/gui/file/7149e6ede44455dc5313351ba9081de69d2e3c1059501f8084a6960fc52fc1d9/detection

Avast version: 14.4
Definitions: 20053100

Is this a false positive?

I ran a full malwarebytes scan (with the file restored), but it found nothing.

JS:AnarchyGrabber-A [TRJ] = a java script (JS) Malwarebytes does not target script, doc or media files

COMMUNITY
Basic Properties
MD5 a0297bfafe6f99ddbc563d9f0e5a9f75
SHA-1 5fc5801cdb0fbf4aad69bb9e6f7b8957f664e872
SHA-256 7149e6ede44455dc5313351ba9081de69d2e3c1059501f8084a6960fc52fc1d9
SSDEEP 3:3BBBbJmAj+Pe:xBBMXm
File type Text
Magic ASCII text, with no line terminators
File size 40.00 B (40 bytes)

History
First Submission 2018-01-13 15:53:10
Last Submission 2019-10-28 00:49:31
Last Analysis 2020-05-31 17:00:01

It is old, so seems like a False Positive

I found two articles from a few days ago regarding this file, and it would appear that Discord does have a vulnerability:

https://www.tripwire.com/state-of-security/security-data-protection/updated-anarchygrabber-steals-passwords-spreads-to-discord-friends/

https://www.informationsecuritybuzz.com/expert-comments/expert-on-anarchygrabber-trojan-update-stealing-discord-clients-passwords/

Since I am fairly certain that it is a false positive on my machine (based on the virsutotal results and that I haven’t opened Discord in a long time), I restored the file and opened it to look at the code. It opened my web browser and showed one line of code, exactly as indicated on the tripwire website.

After updating to the latest virus definition, Avast no longer detects the file, so everything is OK now.