Discordant Attack

The new “AXLocker” ransomware family not only encrypts victims’ files and demands ransom payment, but also steals infected users’ Discord accounts.

When a user logs into Discord with their credentials, the platform returns a user authentication token saved on the computer. This token can then be used to log in as a user or to issue API requests that retrieve information about the associated account.

Threat actors usually attempt to steal these tokens because they allow them to take control of accounts or, even worse, misuse them for further malicious attacks.

As Discord has become the community of choice for NFT platforms and cryptocurrency groups, the theft of a moderator token or other verified community member could allow threat actors to conduct scams and stealing funds.

AxLocker is a two-in-one threat

Researchers from Cyble recently analyzed a sample of the new AXLocker ransomware and discovered that it not only encrypts files, but also steals a victim’s Discord tokens.

As ransomware, there is nothing particularly sophisticated about the malware or the threat actors using it.

Once executed, the ransomware will target certain file extensions and exclude specific folders as shown in the image below.

Targeted files (left) and excluded directories (right)
Targeted files (left) and excluded directories (right) (Cyble)

When encrypting a file, AXLocker uses the AES algorithm, but it does not add a filename extension to encrypted files, so they appear with their normal names.

Next, AXLocker sends a victim ID, system details, data stored in browsers, and Discord tokens to the threat actors’ Discord channel using a webhook URL.

To steal the Discord token, AxLocker will scan the following directories and extract the tokens using regular expressions:

  • Discord\Local Storage\leveldb
  • discordcanary\Local Storage\leveldb
  • discordptb\leveldb
  • Opera Software\Opera Stable\Local Storage\leveldb
  • Google\Chrome\User Data\\Default\Local Storage\leveldb
  • BraveSoftware\Brave-Browser\User Data\Default\Local Storage\leveldb
  • Yandex\YandexBrowser\User Data\Default\Local Storage\leveldb
AXLocker input function
AXLocker input function (Cyble)

Eventually, victims receive a pop-up containing the ransom note, informing them that their data has been encrypted and how they contact the threat actor to purchase a decryptor.

The victims have 48 hours to contact the attackers with their identity card, but the amount of the ransom is not mentioned in the note.

AXLocker ransom note
AXLocker ransom note (Cyble)

Although this ransomware clearly targets consumers rather than business, it could still pose a significant threat to larger communities.

Therefore, if you find that AxLocker has encrypted your computer, you should immediately change your Discord password, as this will invalidate the token stolen by the ransomware.

While this won’t help you recover your files, it will prevent further compromise of your accounts, data, and the communities you’re involved in.


Source link