AxLocker Ransomware Adds a Twist: Stealing Discord TokensStolen Tokens Sold to Facilitate Scams Against Cryptocurrency and NFT Enthusiasts
Discord users, beware your credentials getting stolen by ransomware.
While the Discord platform originally found favor as a community-building tool for online gamers, it's now being used by many different types of online communities, including cryptocurrency and NFT enthusiasts, to communicate via VoIP and instant messaging.
Enter attackers, seeking to steal individuals' Discord tokens from their PCs, lately by using a strain of ransomware called AxLocker.
Threat intelligence firm Cyble spotted the new crypto-locking malware, which it says uses "the AES encryption algorithm to encrypt files," followed by victims receiving a de rigueur ransom note. Cyble says the ransomware doesn't seem to be tied to a dedicated data leak site and appears to be offered for sale outright, rather than being developed by a ransomware-as-a-service operation that provides it to affiliates in return for a cut of every ransom payment.
"We could not find any traces of AxLocker in the dark web, being sold as RaaS," Cyble's threat intelligence team tells Information Security Media Group. "We believe it's stand-alone ransomware targeting consumers."
Security researcher Amigo-A reports that AxLocker appears to be the latest iteration of Maktub Locker from 2016, from which Iron Locker ransomware was built in 2018. Whether the same developer or group is behind each of these iterations isn't clear.
"This is a good catch by Amigo, and there is a possibility that the threat actor might have created this from Maktub code and added a few changes, including targeting Discord tokens," Cyble says. Similarities include a look-alike ransom note, although "AxLocker does not change the file extension, while Maktub does change it."
Prior to encrypting files, the ransomware looks in a number of directories - including ones used by Discord, as well as the Brave, Google Chrome, Opera and Yandex browsers - for Discord tokens. It then sends them to an attacker-controlled server, Cyble reports.
Do You Believe in Magic?
Targeting Discord users isn't new. Really, attackers will try to subvert any tool to run scams, including via instant messaging, Facebook, Twitter and Discord, which boasts 150 million monthly active users.
Rather than directly hacking tools such as Discord, attackers typically employ social engineering, aka trickery, to try and steal valuable information, such as an individual's financial details or credentials for accessing cryptocurrency services or wallets. Also common are scams in which a victim is told they've won a cryptocurrency sweepstakes - nothing suspicious there. After paying a small handling fee, targets are promised a bounty of free bitcoin or monero (see: Fraudsters Target Discord Users in Cryptocurrency Scam).
Discord Tokens for Sale
Stolen Discord credentials, like other types of stolen information, can be sold for profit.
Log marketplaces sell stolen Discord tokens - alongside pilfered payment card data, cryptocurrency wallet credentials and lists of passwords saved in browsers - in individual units known as a "bot." Such information isn't just targeted by the likes of AxLocker, but more broadly by various types of information-stealing malware (see: Cybercrime: Darknet Markets Live On, Even as Players Change).
"Discord tokens often get segregated from the pack of stealer logs" so they can be purchased separately, Cyble says. Such tokens, it adds, regularly get leaked or sold via cybercrime markets and forums such as BreachForums. Log marketplaces such as Genesis, Russia Market and 2easy have also offered an easy, automated way to buy such information.
What makes stolen Discord tokens valuable? "The compromised Discord account can host malicious files, and opens door for other malicious attacks," Cyble says. "Discord is a go-to platform for gamers, and NFT and cryptocurrency users, so compromising a Discord channel leads to several other attacks, including scams."