
AxLocker Ransomware Adds a Twist: Stealing Discord Tokens

Stolen Tokens Sold to Facilitate Scams Against Cryptocurrency and NFT Enthusiasts
AxLocker ransom note (Source: Cyble)

Discord users, beware your credentials getting stolen by ransomware.


While the Discord platform originally found favor as a community-building tool for online gamers, it's now being used by many different types of online communities, including cryptocurrency and NFT enthusiasts, to communicate via VoIP and instant messaging.

Enter attackers, seeking to steal individuals' Discord tokens from their PCs, lately by using a strain of ransomware called AxLocker.

Threat intelligence firm Cyble spotted the new crypto-locking malware, which it says uses "the AES encryption algorithm to encrypt files," followed by victims receiving a de rigueur ransom note. Cyble says the ransomware doesn't seem to be tied to a dedicated data leak site and appears to be offered for sale outright, rather than being developed by a ransomware-as-a-service operation that provides it to affiliates in return for a cut of every ransom payment.

"We could not find any traces of AxLocker in the dark web, being sold as RaaS," Cyble's threat intelligence team tells Information Security Media Group. "We believe it's stand-alone ransomware targeting consumers."

Security researcher Amigo-A reports that AxLocker appears to be the latest iteration of Maktub Locker from 2016, from which Iron Locker ransomware was built in 2018. Whether the same developer or group is behind each of these iterations isn't clear.

"This is a good catch by Amigo, and there is a possibility that the threat actor might have created this from Maktub code and added a few changes, including targeting Discord tokens," Cyble says. Similarities include a look-alike ransom note, although "AxLocker does not change the file extension, while Maktub does change it."

Prior to encrypting files, the ransomware looks in a number of directories - including ones used by Discord, as well as the Brave, Google Chrome, Opera and Yandex browsers - for Discord tokens. It then sends them to an attacker-controlled server, Cyble reports.
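Because AxLocker encrypts files in place without changing their extension, the usual "look for a new ransom extension" check gives defenders nothing. The following is an added example, not code from the article or from Cyble: a small scanner that flags files whose extension implies plaintext (or a known magic header) but whose contents have near-maximal byte entropy, which is what AES output looks like. The extension lists, the 7.5 bits/byte threshold and the sample files are assumptions constructed for the demo, not values taken from the ransomware.

```python
"""Entropy heuristic for in-place file encryption that keeps the original extension.
Added example; thresholds and extension tables are demo assumptions."""
import math
import os
import tempfile
from collections import Counter
from pathlib import Path

# Extensions whose normal contents are low-entropy text (assumed list for the demo).
LOW_ENTROPY_EXTS = {".txt", ".csv", ".log", ".md", ".json", ".xml", ".html"}
# Container formats with a fixed leading magic; if the magic is gone and the
# bytes are near-random, the file was most likely overwritten with ciphertext.
MAGIC = {
    ".pdf": b"%PDF",
    ".docx": b"PK\x03\x04",
    ".xlsx": b"PK\x03\x04",
    ".zip": b"PK\x03\x04",
    ".png": b"\x89PNG",
}
ENTROPY_THRESHOLD = 7.5  # bits/byte; English text sits near 4-5, AES output near 8


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte over the given buffer."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def looks_encrypted(path: Path, sample_bytes: int = 64 * 1024) -> bool:
    """True if the file's extension predicts structure the contents do not show."""
    ext = path.suffix.lower()
    with open(path, "rb") as fh:
        head = fh.read(sample_bytes)
    if len(head) < 256:
        return False  # too little data for a stable entropy estimate
    if ext in MAGIC:
        # A real .docx/.pdf keeps its magic; ciphertext will not, and will be high-entropy.
        return not head.startswith(MAGIC[ext]) and shannon_entropy(head) >= ENTROPY_THRESHOLD
    if ext in LOW_ENTROPY_EXTS:
        return shannon_entropy(head) >= ENTROPY_THRESHOLD
    return False  # .jpg, .mp4 etc. are legitimately high-entropy; no verdict


def scan_tree(root: Path) -> list[Path]:
    """Walk a directory and return files that look encrypted in place, sorted."""
    return sorted(p for p in root.rglob("*") if p.is_file() and looks_encrypted(p))


def build_demo_tree() -> Path:
    """Constructed sample data: genuine text and docx files next to two files
    overwritten with random bytes to mimic AES output with the extension untouched."""
    root = Path(tempfile.mkdtemp(prefix="entropy_demo_"))
    (root / "notes.txt").write_bytes(b"quarterly planning notes\n" * 200)
    (root / "report.docx").write_bytes(b"PK\x03\x04" + b"\x00" * 64 + b"word/document.xml" * 100)
    (root / "encrypted_notes.txt").write_bytes(os.urandom(8192))
    (root / "encrypted_report.docx").write_bytes(os.urandom(8192))
    (root / "photo.jpg").write_bytes(os.urandom(8192))  # high entropy is normal here
    return root


if __name__ == "__main__":
    demo_root = build_demo_tree()
    for hit in scan_tree(demo_root):
        print("possible in-place encryption:", hit.relative_to(demo_root))
```

The heuristic is deliberately conservative: media and archive formats are left without a verdict because their legitimate contents are already near 8 bits/byte, so the signal only fires where the extension makes a strong claim about structure that the bytes contradict. In practice this belongs in a periodic file-integrity sweep or an EDR hook on write events, paired with the network indicator the article describes, an outbound connection from a process that has just read the browser and Discord profile directories.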

Do You Believe in Magic?

Targeting Discord users isn't new. Really, attackers will try to subvert any tool to run scams, including via instant messaging, Facebook, Twitter and Discord, which boasts 150 million monthly active users.

Rather than directly hacking tools such as Discord, attackers typically employ social engineering, aka trickery, to try to steal valuable information, such as an individual's financial details or credentials for accessing cryptocurrency services or wallets. Also common are scams in which a victim is told they've won a cryptocurrency sweepstakes - nothing suspicious there. After paying a small handling fee, targets are promised a bounty of free bitcoin or monero (see: Fraudsters Target Discord Users in Cryptocurrency Scam).

Discord Tokens for Sale

Stolen Discord credentials, like other types of stolen information, can be sold for profit.

Log marketplaces sell stolen Discord tokens - alongside pilfered payment card data, cryptocurrency wallet credentials and lists of passwords saved in browsers - in individual units known as a "bot." Such information isn't just targeted by the likes of AxLocker, but more broadly by various types of information-stealing malware (see: Cybercrime: Darknet Markets Live On, Even as Players Change).

"Discord tokens often get segregated from the pack of stealer logs" so they can be purchased separately, Cyble says. Such tokens, it adds, regularly get leaked or sold via cybercrime markets and forums such as BreachForums. Log marketplaces such as Genesis, Russia Market and 2easy have also offered an easy, automated way to buy such information.

What makes stolen Discord tokens valuable? "The compromised Discord account can host malicious files, and opens door for other malicious attacks," Cyble says. "Discord is a go-to platform for gamers, and NFT and cryptocurrency users, so compromising a Discord channel leads to several other attacks, including scams."

About the Author

Mathew J. Schwartz


Executive Editor, DataBreachToday & Europe, ISMG

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as executive editor of DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, among other publications. He lives in Scotland.
