A new ransomware family has been detected targeting the cryptocurrency community.
Cybersecurity researchers from Cyble recently discovered a strain they dubbed “AXLocker” which, aside from the usual encrypting of all files found on the endpoint, also ends up stealing Discord authentication tokens from the victims.
Discord is a communications platform that’s been around for quite some time, but has recently found new life in the cryptocurrency community. NFT projects, crypto tokens, and similar start-ups have chosen Discord as their communications platform of choice.
When a user logs into Discord, the platform installs a small token onto the computer, so that the user doesn’t need to authenticate every time they come back. Stealing this token would allow threat actors access to the victim’s account, even without knowing their passwords or other login details.
Other than that, AXLocker is nothing out of the ordinary. Once triggered, the malware (opens in new tab) targets specific file extensions and avoids some folders. It encrypts the files using the AES algorithm, but it doesn’t change their extensions – they remain with their normal filenames. It demands payment in cryptocurrency and gives users 48 hours to comply.
While the NFT and crypto community is used to cyberattacks and various criminals going after their digital belongings, stealing Discord tokens in the process makes this ransomware attack a lot more potent.
After all, should an owner, or developer, of such a project, have their Discord tokens taken, crooks could abuse their identity to launch fake campaigns and steal the community members’ NFTs and cryptocurrencies.
Still, according to BleepingComputer, the targets of AXLocker are first and foremost – consumers.
There was no word on AXLocker’s distribution method. Usually, threat actors would go for phishing emails, fake landing pages, and social engineering (fake LinkedIn identities, for example) to trick people into downloading and running the malware.
- Check out the best firewalls (opens in new tab) right now
Via: BleepingComputer (opens in new tab)