Researchers discovered a new ransomware variant that not only encrypts the victim’s files but also attempts to steal data by enabling a Discord account takeover.
The “AXLocker” ransomware functions in a typical way, targeting certain file extensions with AES encryption and then extorting the victim. Before encrypting, however, it steals the Discord tokens that the platform uses to authenticate users once they have entered their credentials to log in to an account.
To steal the Discord token, AXLocker scans the following directories and extracts tokens from the files in them using regular expressions:
- Discord\Local Storage\leveldb
- discordcanary\Local Storage\leveldb
- Opera Software\Opera Stable\Local Storage\leveldb
- Google\Chrome\User Data\Default\Local Storage\leveldb
- BraveSoftware\Brave-Browser\User Data\Default\Local Storage\leveldb
- Yandex\YandexBrowser\User Data\Default\Local Storage\leveldb
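The directory list above is a usable detection pivot: the owning application is the only process that normally opens these LevelDB stores, and a single unrelated process touching several of them in quick succession is the pattern described for AXLocker. The script below is an added example, not code from the Cyble report. It matches file-read events against the six paths listed, flags reads by anything other than the expected owner, and separately reports processes that touched two or more distinct stores. The owner process names and the pipe-separated event format are assumptions; the sample events are constructed.

```python
"""Flag processes that read Discord/browser LevelDB token stores.

Added example, not from the Cyble report. Input lines are constructed
file-read events in the form "<pid>|<image name>|<full path>", roughly
what an EDR or Sysmon-style file-access telemetry pipeline would emit.
"""
from collections import defaultdict

# (path suffix listed in the report, processes expected to open it).
# The owner process names are assumptions made for illustration.
TOKEN_STORES = [
    (r"Discord\Local Storage\leveldb", {"discord.exe"}),
    (r"discordcanary\Local Storage\leveldb", {"discordcanary.exe"}),
    (r"Opera Software\Opera Stable\Local Storage\leveldb", {"opera.exe"}),
    (r"Google\Chrome\User Data\Default\Local Storage\leveldb", {"chrome.exe"}),
    (r"BraveSoftware\Brave-Browser\User Data\Default\Local Storage\leveldb", {"brave.exe"}),
    (r"Yandex\YandexBrowser\User Data\Default\Local Storage\leveldb", {"browser.exe"}),
]


def match_store(path):
    """Return (store suffix, expected owners) for a path inside one of the
    token stores, or None if the path is unrelated."""
    norm = path.replace("/", "\\").lower()
    for suffix, owners in TOKEN_STORES:
        needle = suffix.lower()
        # Either a file beneath the leveldb directory or the directory itself.
        if (needle + "\\") in norm or norm.endswith(needle):
            return suffix, owners
    return None


def parse_event(line):
    """Split a constructed "<pid>|<image>|<path>" record."""
    pid, image, path = line.split("|", 2)
    return int(pid), image.strip().lower(), path.strip()


def analyse(lines):
    """Return (alerts, scanners).

    alerts   - one dict per read of a token store by a non-owner process
    scanners - (pid, image) pairs that touched two or more distinct stores,
               the multi-directory sweep behaviour described in the report
    """
    alerts = []
    stores_per_proc = defaultdict(set)
    for line in lines:
        pid, image, path = parse_event(line)
        hit = match_store(path)
        if hit is None:
            continue
        suffix, owners = hit
        stores_per_proc[(pid, image)].add(suffix)
        if image not in owners:
            alerts.append({"pid": pid, "image": image, "store": suffix, "path": path})
    scanners = sorted(key for key, stores in stores_per_proc.items() if len(stores) >= 2)
    return alerts, scanners


# Constructed sample telemetry: two legitimate owner reads, then one
# unrelated process ("updater.exe", a made-up name) sweeping three stores.
SAMPLE_EVENTS = [
    r"4120|discord.exe|C:\Users\alice\AppData\Roaming\Discord\Local Storage\leveldb\000003.ldb",
    r"5580|chrome.exe|C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\CURRENT",
    r"7312|updater.exe|C:\Users\alice\AppData\Roaming\Discord\Local Storage\leveldb\000003.ldb",
    r"7312|updater.exe|C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\000005.ldb",
    r"7312|updater.exe|C:\Users\alice\AppData\Local\BraveSoftware\Brave-Browser\User Data\Default\Local Storage\leveldb\MANIFEST-000001",
    r"7312|updater.exe|C:\Users\alice\Documents\report.docx",
]

if __name__ == "__main__":
    found_alerts, found_scanners = analyse(SAMPLE_EVENTS)
    for a in found_alerts:
        print(f"non-owner read: pid={a['pid']} {a['image']} -> {a['store']}")
    for pid, image in found_scanners:
        print(f"multi-store sweep: pid={pid} {image}")
```

The per-read alert fires on any non-owner access, so it also catches legitimate backup or indexing software; the "scanners" list is the higher-confidence signal, because a benign tool rarely walks exactly the Discord and Chromium token directories and nothing else. In a real deployment the owner set would come from the endpoint's installed-application inventory rather than a hard-coded list.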
This enables the threat actors to hijack these accounts for follow-on fraud and malware propagation. The messaging platform is particularly popular among the gaming and crypto communities but is also a hotbed of malicious activity.
After sending the stolen Discord tokens to an external server and encrypting the victim’s files, AXLocker will show a pop-up window containing the ransom note, with a timer ticking down until the decryption key is deleted.
Threat actors are increasingly attempting to maintain a low profile to avoid drawing the attention of law enforcement agencies.
Enterprises need to stay ahead of the techniques used by threat actors and implement the requisite security best practices and security controls, or they will become the victims of increasingly sophisticated and aggressive ransomware.
This research was documented by researchers from Cyble.
Indicators of Compromise