AXLocker ransomware doesn’t change files’ extensions

Summary

  • Discovered in November 2022
  • Encrypts victims’ files with AES-128-CBC algorithm
  • Steals credentials from Discord and browsers
  • Discovers user and PC name, IP addresses and UUID
  • Exfiltrate discovered information to the Discord server
  • Doesn’t change files’ extension

Introduction

AXLocker is a ransomware that was found by malware researcher ‘S!ri,’ who posted it on Twitter. Later, it was discovered that AXLocker does not only encrypt files but also steals victims’ Discord credentials and uploads them to its own Discord server. Specifically, the AXLocker ransomware steals tokens stored on a local computer when the user logs in to Discord. It’s not packed or obfuscated.

Acronis

The file manifest is written in Czech.

Acronis

Execution

Once executed, AXLocker modifies its own attributes to hide itself.

Acronis
Acronis

Next, AXLocker calls the startencryption() function, which will enter the “C:”' drive and encrypt the content.

Acronis

The ProcessDirectory() function checks all folders on the “C:” drive. It contains the saved list of folders that must be skipped during encryption; during execution, the saved list of folders will be compared with those that are found.

Acronis

File encryption

When AXLocker finds a file, it calls the ProcessFile() function, which compares the file extension with its own hardcoded list of extensions. If there is a match, the file will be encrypted; if not, it is skipped.

Acronis

The stored list of file extensions:

"7z","rar","zip","m3u","m4a","mp3","wma","ogg","wav","sqlite","sqlite3","img","nrg","tc","doc","docx","docm","odt","rtf","wpd","wps","csv","key","pdf","pps","ppt","pptm","pptx","ps","psd","vcf","xlr","xls","xlsx","xlsm","ods","odp","indd","dwg","dxf","kml","kmz","gpx","cad","wmf","txt","3fr","ari","arw","bay","bmp","cr2","crw","cxi","dcr","dng","eip","erf","fff","gif","iiq","j6i","k25","kdc","mef","mfw","mos","mrw","nef","nrw","orf","pef","png","raf","raw","rw2","rwl","rwz","sr2","srf","srw","x3f","jpg","jpeg","tga","tiff","tif","ai","3g2","3gp","asf","avi","flv","m4v","mkv","mov","mp4","mpg","rm","swf","vob","wmv"

As the name suggests, the ‘EncryptFile()’ function encrypts files. The number of encrypted files will be counted, and later sent to the server.

Acronis

First, AXLocker loads the stored password, which is used to derive an encryption key:
'WnZr4u7xh60A2W4Rzt'

Then it calls the AES_Encrypt() function which encrypts files using the AES-128-CBC algorithm. AXLocker does not change file extensions after encryption.

Acronis

Data collection

Besides file encryption, AXLocker can steal Discord tokens by scanning certain directories:

Acronis

When the malware enters the found folder, it searches files with the ‘.ldb’ extension — a lock information file created when a user opens a database. Then the malware uses RegEx to search for particular information in these files. If information found matches, it is saved to the list.

Acronis

In addition to the tokens, AXLocker is looking for more information — such as computer and user names, IP addresses and UUID — to be sent to the server.

Acronis
Acronis
Acronis

Network activity

To obtain a victim's IP address, AXLocker connects to ‘https://api.ipify.org, which is a public service for obtaining IP addresses and geolocation.

Acronis

When all information is collected and files are encrypted, it sends data to the Discord server:

https://discord.com/api/webhooks/1039930467614478378/N2J80EuPMXSWuIBpizgDJ-75CB6gzTyFE72NQ0DJimbA7xriJVmtb14gUP3VCBBZ0AZR

Acronis
Acronis
Acronis

The content of the HTTP request is shown below:

Acronis

Ransom note

A ransom note is stored in the resource section, and is not dropped as a file but is opened in a new window. The note contains a timer (which counts down until the victim must pay the ransom), a unique ID and an email address to contact the threat actors. The amount of the ransom is not mentioned; victims must contact the attackers first.

Acronis

Conclusion

AXLocker is a form of ransomware that can steal Discord tokens and exfiltrate other information such as computer and user names, IP addresses and UUID. Discord is a VoIP and messaging platform and it is popular with not only gamers, but also with the cryptocurrency community and other areas dealing with money.

Stealing accounts may allow the threat actors to scam other members and steal funds, and these accounts can be used in further attacks. Unusually for ransomware, AXLocker does not change files’ extensions. The ransom note does not contain any mention of the Discord account, so it is unclear if the threat actor will use the stolen account after the victim pays the ransom.

Detected by Acronis

Acronis
Acronis

IoCs

Files

SHA256
c8e3c547e22ae37f9eeb37a1efd28de2bae0bfae67ce3798da9592f8579d433c
d51297c4525a9ce3127500059de3596417d031916eb9a52b737a62fb159f61e0
0225a30270e5361e410453d4fb0501eb759612f6048ad43591b559d835720224
9e95fcf79fac246ebb5ded254449126b7dd9ab7c26bc3238814eafb1b61ffd7a
d9793c24290599662adc4c9cba98a192207d9c5a18360f3a642bd9c07ef70d57

Network indicators

URL
https://discord.com/api/webhooks/1039930467614478378/N2J80EuPMXSWuIBpizgDJ-75CB6gzTyFE72NQ0DJimbA7xriJVmtb14gUP3VCBBZ0AZR
https://api.ipify.org
https://i.ibb.co/0frTD92/discord-avatar-512.png