New AXLocker ransomware steals Discord authentication tokens

November 29, 2022

The new AXLocker ransomware strain steals the Discord accounts of the users it infects. Reports revealed that the strain has added this Discord-stealing capability on top of the file encryption its operators used in earlier attacks.

The threat actors abuse Discord’s authentication token, which is stored on the user’s device. Discord uses this token to keep the user logged in and to authorise API requests that retrieve information about the linked account. Attackers therefore try to steal these auth tokens: anyone holding a valid token can take over the account or abuse it for other illegal activities.

Discord has gradually become the go-to platform for NFT projects and crypto groups. Hence, many threat groups are seeking new ways to compromise its users, and scammers and fraudsters have also become more numerous on the platform.

The AXLocker ransomware is now capable of two malicious activities.

Cybersecurity researchers explained that AXLocker both encrypts a victim’s files and steals the victim’s Discord auth tokens. The ransomware component itself is of a kind common among threat actors.

Once a target executes it, the ransomware encrypts files with the usual extensions and skips specific folders so as not to raise suspicion or trigger system alerts. AXLocker uses the AES algorithm for encryption, but it does not append a new extension to the files it encrypts, so they keep their original names.

In the next phase of the attack, the malware sends a victim ID, data stored in the browser, system details and the Discord token to the attacker-controlled Discord account via a webhook URL.

To steal the Discord token, AXLocker scans a set of directories and extracts tokens with regular expressions. Finally, the victim sees a pop-up window containing the ransom note, which states that the actors have encrypted their data and explains how to contact the actors to pay for a decryptor.

The operators give the victim two days to contact them, but the note does not specify the ransom amount.
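Because AXLocker keeps the original file names and extensions, a directory listing looks normal after encryption. The following added example (not code from the report or from the malware) shows a simple defender-side check that flags files whose extension promises a known format but whose bytes look like ciphertext, using missing magic bytes and Shannon entropy; the watched extensions, magic values and entropy threshold are assumptions for this example, and the sample files are constructed.

```python
import hashlib
import math
from collections import Counter

# Assumed set of extensions worth checking; the report gives no exact list.
WATCHED_EXTENSIONS = {".txt", ".docx", ".pdf", ".jpg"}
# Well-known leading bytes for a few formats (assumed for this example).
MAGIC = {".docx": b"PK\x03\x04", ".pdf": b"%PDF", ".jpg": b"\xff\xd8\xff"}
ENTROPY_THRESHOLD = 7.5  # bits per byte; assumed cut-off, tune per environment


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: AES output approaches 8.0, text sits near 4-5."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def looks_encrypted(name: str, data: bytes) -> bool:
    """True when the extension says 'document' but the bytes say 'ciphertext'."""
    ext = name[name.rfind("."):].lower() if "." in name else ""
    if ext not in WATCHED_EXTENSIONS:
        return False
    magic = MAGIC.get(ext)
    if magic is not None and not data.startswith(magic):
        return True  # format header is gone: content was rewritten in place
    return shannon_entropy(data) > ENTROPY_THRESHOLD


def scan(files: dict) -> list:
    """Return the names of files that look encrypted despite unchanged names."""
    return sorted(name for name, data in files.items() if looks_encrypted(name, data))


def _pseudo_ciphertext(length: int) -> bytes:
    """Deterministic high-entropy bytes standing in for AES output (constructed)."""
    out, block = b"", b"seed"
    while len(out) < length:
        block = hashlib.sha256(block).digest()
        out += block
    return out[:length]


# Constructed sample "files": two intact, two overwritten in place with ciphertext.
SAMPLE_FILES = {
    "notes.txt": b"Meeting notes: review the quarterly budget.\n" * 100,
    "invoice.pdf": b"%PDF-1.7\n" + b"1 0 obj << /Type /Catalog >>\n" * 50,
    "report.docx": _pseudo_ciphertext(4096),  # magic bytes gone, entropy near 8
    "photo.jpg": _pseudo_ciphertext(4096),
}

if __name__ == "__main__":
    print(scan(SAMPLE_FILES))  # ['photo.jpg', 'report.docx']
```

On a real host this check runs over files modified in the last few minutes and is only a triage signal: compressed or already-encrypted formats also have high entropy, which is why the magic-byte check comes first.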

Therefore, a user who finds AXLocker on their device should change their Discord password, since doing so invalidates the token the ransomware stole. Changing the password will not recover the encrypted files, but it can prevent further abuse, particularly of the Discord account.
