AXLocker Ransomware Stealing Victim’s Discord Tokens
Ransomware is one of the most critical cybersecurity problems on the internet and possibly the most powerful form of cybercrime plaguing organizations today. It has rapidly become one of the most important and profitable malware families among Threat Actors (TAs). In a typical scenario, the ransomware infection starts with the TA gaining access to the target system. Depending on the type of ransomware, it can infect the entire operating system or encrypts individual files. The TAs will then typically demand payment from the victim for the decryption of their files.
While organizations are protecting themselves from ransomware attacks, new ransomware groups are also emerging proportionally every year. New ransomware groups are evolving by expanding the scope of their operations for financial gain. Multiple new ransomware groups have emerged recently, highlighting the widespread adoption of ransomware attacks by TAs for monetary growth.
Cyble Research and Intelligence Labs (CRIL) came across three new ransomware families: AXLocker, Octocrypt, and Alice Ransomware.
Ransomware operators now have one newer tool, named AXLocker, which can encrypt several file types and make them completely unusable. Additionally, the ransomware steals Discord tokens from the victim’s machine and sends them to the server. Later, a ransom note is displayed on the victim’s system to get the decryption tool used for recovering the encrypted files.
We have taken the following sample hash for our analysis: (SHA256), c8e3c547e22ae37f9eeb37a1efd28de2bae0bfae67ce3798da9592f8579d433c, which is a 32-bit GUI-based .NET binary executable targeting Windows operating systems as shown below.
Upon execution, the ransomware hides itself by modifying the file attributes and calls the startencryption() function to encrypt files, as shown below.
The startencryption() function contains code to search files by enumerating the available directories in the C:\ drive. It looks for specific file extensions to encrypt and excludes a list of directories from the encryption process, as shown in the figure below.
After that, the ransomware calls the ProcessFile function, which further executes an EncryptFile function with the fileName as an argument to encrypt the victim’s system files.
This ransomware uses the AES encryption algorithm to encrypt files. The figure below shows a ransomware code snippet searching and encrypting the victim’s files.
The image below shows the code snippet of the encryption function and the original/infected file content before and after encryption.
We observed that the ransomware does not change the file name or extension after the encryption. The image below shows the encrypted file of the ransomware after the successful infection on the victim’s machine.
After encrypting the victim’s files, the ransomware collects and sends sensitive information such as Computer name, Username, Machine IP address, System UUID, and Discord tokens to TA, as shown in the below figure.
For stealing Discord tokens, the malware targets the following directories:
- Discord\Local Storage\leveldb
- discordcanary\Local Storage\leveldb
- Opera Software\Opera Stable\Local Storage\leveldb
- Google\Chrome\User Data\\Default\Local Storage\leveldb
- BraveSoftware\Brave-Browser\User Data\Default\Local Storage\leveldb
- Yandex\YandexBrowser\User Data\Default\Local Storage\leveldb
It uses regex to find the Discord tokens in the local storage files and saves them in the list, then sends them to the Discord server along with other information using the below URL:
Finally, the AXLocker ransomware shows a pop-up window that contains a ransom note that gives instructions to victims on contacting the TAs to restore their encrypted files, as shown below.
Octocrypt is a new ransomware strain that targets all Windows versions. The ransomware builder, encryptor, and decryptor are written in Golang. The TAs behind Octocrypt operate under the Ransomware-as-a-Service (RaaS) business model and surfaced on cybercrime forums around October 2022 for USD400.
The Octocrypt ransomware has a simple web interface for building the encryptor and decryptor, and the web panel also displays the infected victim’s details.
The below figure shows a post made by the Octocrypt Ransomware Developer on a cybercrime forum
Ransomware Builder: Octocrypt
The Octocrypt web panel builder interface allows TAs to generate ransomware binary executables by entering options such as API URL, Crypto address, Crypto amount, and Contact email address.
TAs can download the generated payload file by clicking the URL provided in the web panel under payload details. The below figure shows the payload options to build the ransomware executable and generated URL to download the file.
The sample hash (SHA256), 9a557b61005dded36d92a2f4dafdfe9da66506ed8e2af1c851db57d8914c4344, was taken for this analysis.
Based on static analysis, we found that the ransomware is a console-based 64-bit GoLang binary executable. Upon execution, the ransomware initially ensures the system’s internet connection and then checks the TCP connection to access the API URL, as shown below.
After that, the malware starts the encryption process by enumerating the directories and encrypts the victim’s files using the AES-256-CTR algorithm, appending the extension as “.octo”.
Then, the ransomware drops the ransom note in multiple folders with the file name “INSTRUCTIONS.html”. Finally, the ransomware changes the victim’s wallpaper which displays a message that threatens the victim to send a ransom amount to a specific Monero wallet address, as shown below.
One more new ransomware dubbed “Alice” also appeared on cybercrime forums under the TAs project of “Alice in the Land of Malware”. The Alice ransomware also works under the Ransomware-as-a-Service (RaaS) business model. The Indicators of Compromise of this ransomware strain are unavailable in the wild.
The figure below shows TA’s advertisements on a cybercrime forum.
The TA sells this Alice ransomware builder for the prices listed below:
As specified by the developer on the forum, the below figure shows the functionality and advantages of Alice ransomware.
Ransomware Builder: Alice
The Alice ransomware builder permits the TAs to generate ransomware binary files with a customized ransom note. After entering the ransom message and clicking the “New Build” button in the builder, it will generate two executable files named “Encryptor.exe” and “Decryptor.exe”, as shown in the figure below.
Successful execution of Alice ransomware encrypts the victim’s files and appends the extension as “.alice”. Also, the malware drops ransom notes named “How to Restore Your Files.txt” in multiple folders.
The below figure shows the encrypted files and dropped ransom note by Alice ransomware.
Ransomware groups continue to pose a serious risk to firms, individuals, and even entire governments, as we recently observed in the case of Costa Rica. The victims are at risk of losing valuable data as a result of such attacks, resulting in financial and productivity loss. In extreme cases, compromising government and law enforcement credentials can even result in cyberwarfare with grave implications for national security and diplomatic relations.
CRIL has also observed a considerable increase in cybercrime through Telegram channels and cybercrime forums where TAs sell their products without any regulation. TAs are increasingly attempting to maintain a low profile to avoid drawing the attention of Law Enforcement agencies. Enterprises need to stay ahead of the techniques used by TAs and implement the requisite security best practices and security controls, or they will become the victims of increasingly sophisticated and aggressive ransomware.
Regularly monitoring the dark web and acting upon early warning indicators such as compromised credentials, accesses, and identifying vulnerabilities traded on cybercrime forums can forewarn enterprises of potential threats and allows them to take corrective action based on real-time, actionable threat intel. CRIL continuously monitors new ransomware campaigns and will keep our readers updated.
We have listed some of the essential cybersecurity best practices that create the first line of control against attackers. We recommend that our readers follow the best practices given below:
Safety Measures Needed to Prevent Ransomware Attacks
- Conduct regular backup practices and keep those backups offline or in a separate network.
- Turn on the automatic software update feature on your computer, mobile, and other connected devices wherever possible and pragmatic.
- Use a reputed anti-virus and Internet security software package on your connected devices, including PC, laptop, and mobile.
- Refrain from opening untrusted links and email attachments without verifying their authenticity.
Users Should Take the Following Steps After the Ransomware Attack
- Detach infected devices on the same network.
- Disconnect external storage devices if connected.
- Inspect system logs for suspicious events.
Impact And Cruciality of Ransomware
- Loss of valuable data.
- Loss of the organization’s reputation and integrity.
- Loss of the organization’s sensitive business information.
- Disruption in organization operation.
- Financial loss.
MITRE ATT&CK® Techniques
|Tactic||Technique ID||Technique Name|
|User Execution |
Command and Scripting Interpreter
Windows Management Instrumentation
|Registry Run Keys / Startup Folder |
|Defense Evasion||T1497||Virtualization/Sandbox Evasion|
|Credential Access||T1528||Steal Application Access Token|
|Account Discovery |
System Information Discovery
File and Directory Discovery
|Impact||T1486||Data Encrypted for Impact|
|Command and Control||T1071||Application Layer Protocol|
Indicators of Compromise