AXLocker, Octocrypt, And Alice: Leading A New Wave Of Ransomware Campaigns

Originally published by Cyble.

AXLocker Ransomware Stealing Victim’s Discord Tokens

Ransomware is one of the most critical cybersecurity problems on the internet and possibly the most powerful form of cybercrime plaguing organizations today. It has rapidly become one of the most important and profitable malware families among Threat Actors (TAs). In a typical scenario, the ransomware infection starts with the TA gaining access to the target system. Depending on the type of ransomware, it can infect the entire operating system or encrypts individual files. The TAs will then typically demand payment from the victim for the decryption of their files.

While organizations are protecting themselves from ransomware attacks, new ransomware groups are also emerging proportionally every year. New ransomware groups are evolving by expanding the scope of their operations for financial gain. Multiple new ransomware groups have emerged recently, highlighting the widespread adoption of ransomware attacks by TAs for monetary growth.

Cyble Research and Intelligence Labs (CRIL) came across three new ransomware families: AXLocker, Octocrypt, and Alice Ransomware.

AXLocker Ransomware

Ransomware operators now have one newer tool, named AXLocker, which can encrypt several file types and make them completely unusable. Additionally, the ransomware steals Discord tokens from the victim’s machine and sends them to the server. Later, a ransom note is displayed on the victim’s system to get the decryption tool used for recovering the encrypted files.

Technical Analysis

We have taken the following sample hash for our analysis: (SHA256), c8e3c547e22ae37f9eeb37a1efd28de2bae0bfae67ce3798da9592f8579d433c, which is a 32-bit GUI-based .NET binary executable targeting Windows operating systems as shown below.

Figure 1 – Static file details of AXLocker ransomware

Upon execution, the ransomware hides itself by modifying the file attributes and calls the startencryption() function to encrypt files, as shown below.

Figure 2 – AXLocker main function

The startencryption() function contains code to search files by enumerating the available directories in the C:\ drive. It looks for specific file extensions to encrypt and excludes a list of directories from the encryption process, as shown in the figure below.

Figure 3 – File extension to encrypt and directories to exclude from encryption

After that, the ransomware calls the ProcessFile function, which further executes an EncryptFile function with the fileName as an argument to encrypt the victim’s system files.

This ransomware uses the AES encryption algorithm to encrypt files. The figure below shows a ransomware code snippet searching and encrypting the victim’s files.

Figure 4 – AXLocker ransomware searching and encrypting files

The image below shows the code snippet of the encryption function and the original/infected file content before and after encryption.

Figure 5 – Encryption function and the original/encrypted file content

We observed that the ransomware does not change the file name or extension after the encryption. The image below shows the encrypted file of the ransomware after the successful infection on the victim’s machine.

Figure 6 – Encrypted file by AXLocker ransomware

After encrypting the victim’s files, the ransomware collects and sends sensitive information such as Computer name, Username, Machine IP address, System UUID, and Discord tokens to TA, as shown in the below figure.

Figure 7 – Exfiltrate victim stolen details

For stealing Discord tokens, the malware targets the following directories:

• Discord\Local Storage\leveldb
• discordcanary\Local Storage\leveldb
• discordptb\leveldb
• Opera Software\Opera Stable\Local Storage\leveldb
• Google\Chrome\User Data\\Default\Local Storage\leveldb
• BraveSoftware\Brave-Browser\User Data\Default\Local Storage\leveldb
• Yandex\YandexBrowser\User Data\Default\Local Storage\leveldb

It uses regex to find the Discord tokens in the local storage files and saves them in the list, then sends them to the Discord server along with other information using the below URL:

• hxxps://discord[.]com/api/webhooks/1039930467614478378/N2J80EuPMXSWuIBpizgDJ-75[Redacted]DJimbA7xriJVmtb14gUP3VCBBZ0AZR

Figure 8 – Grab function to Steal Discord tokens

Finally, the AXLocker ransomware shows a pop-up window that contains a ransom note that gives instructions to victims on contacting the TAs to restore their encrypted files, as shown below.

Figure 9 – AXLocker ransom note window

Octocrypt Ransomware

Octocrypt is a new ransomware strain that targets all Windows versions. The ransomware builder, encryptor, and decryptor are written in Golang. The TAs behind Octocrypt operate under the Ransomware-as-a-Service (RaaS) business model and surfaced on cybercrime forums around October 2022 for USD400.

The Octocrypt ransomware has a simple web interface for building the encryptor and decryptor, and the web panel also displays the infected victim’s details.

The below figure shows a post made by the Octocrypt Ransomware Developer on a cybercrime forum

Figure 10 – Post Made by the Octocrypt developer on Cybercrime Forum

Ransomware Builder: Octocrypt

The Octocrypt web panel builder interface allows TAs to generate ransomware binary executables by entering options such as API URL, Crypto address, Crypto amount, and Contact email address.

TAs can download the generated payload file by clicking the URL provided in the web panel under payload details. The below figure shows the payload options to build the ransomware executable and generated URL to download the file.

Figure 11 – Octocrypt builder and payload URL

Technical Details

The sample hash (SHA256), 9a557b61005dded36d92a2f4dafdfe9da66506ed8e2af1c851db57d8914c4344, was taken for this analysis.

Based on static analysis, we found that the ransomware is a console-based 64-bit GoLang binary executable. Upon execution, the ransomware initially ensures the system’s internet connection and then checks the TCP connection to access the API URL, as shown below.

Figure 12 – Checking system internet and TCP connection

After that, the malware starts the encryption process by enumerating the directories and encrypts the victim’s files using the AES-256-CTR algorithm, appending the extension as “.octo”.

Then, the ransomware drops the ransom note in multiple folders with the file name “INSTRUCTIONS.html”. Finally, the ransomware changes the victim’s wallpaper which displays a message that threatens the victim to send a ransom amount to a specific Monero wallet address, as shown below.

Figure 13 – Octocrypt changing desktop background

Alice Ransomware

One more new ransomware dubbed “Alice” also appeared on cybercrime forums under the TAs project of “Alice in the Land of Malware”. The Alice ransomware also works under the Ransomware-as-a-Service (RaaS) business model. The Indicators of Compromise of this ransomware strain are unavailable in the wild.

The figure below shows TA’s advertisements on a cybercrime forum.

Figure 14 – Alice ransomware post shared by TA on a Cybercrime Forum

The TA sells this Alice ransomware builder for the prices listed below:

Figure 15 – Alice ransomware price details

As specified by the developer on the forum, the below figure shows the functionality and advantages of Alice ransomware.

Figure 16 – Alice ransomware functionalities and advantages

Ransomware Builder: Alice

The Alice ransomware builder permits the TAs to generate ransomware binary files with a customized ransom note. After entering the ransom message and clicking the “New Build” button in the builder, it will generate two executable files named “Encryptor.exe” and “Decryptor.exe”, as shown in the figure below.

Figure 17 – Alice ransomware builder

Successful execution of Alice ransomware encrypts the victim’s files and appends the extension as “.alice”. Also, the malware drops ransom notes named “How to Restore Your Files.txt” in multiple folders.

The below figure shows the encrypted files and dropped ransom note by Alice ransomware.

Figure 18 – Encrypted files and dropped ransom note by Alice ransomware

Conclusion

Ransomware groups continue to pose a serious risk to firms, individuals, and even entire governments, as we recently observed in the case of Costa Rica. The victims are at risk of losing valuable data as a result of such attacks, resulting in financial and productivity loss. In extreme cases, compromising government and law enforcement credentials can even result in cyberwarfare with grave implications for national security and diplomatic relations.

CRIL has also observed a considerable increase in cybercrime through Telegram channels and cybercrime forums where TAs sell their products without any regulation. TAs are increasingly attempting to maintain a low profile to avoid drawing the attention of Law Enforcement agencies. Enterprises need to stay ahead of the techniques used by TAs and implement the requisite security best practices and security controls, or they will become the victims of increasingly sophisticated and aggressive ransomware.

Regularly monitoring the dark web and acting upon early warning indicators such as compromised credentials, accesses, and identifying vulnerabilities traded on cybercrime forums can forewarn enterprises of potential threats and allows them to take corrective action based on real-time, actionable threat intel.

Our Recommendations

We have listed some of the essential cybersecurity best practices that create the first line of control against attackers. We recommend that our readers follow the best practices given below:

Safety Measures Needed To Prevent Ransomware Attacks

• Conduct regular backup practices and keep those backups offline or in a separate network.
• Turn on the automatic software update feature on your computer, mobile, and other connected devices wherever possible and pragmatic.
• Use a reputed anti-virus and Internet security software package on your connected devices, including PC, laptop, and mobile.
• Refrain from opening untrusted links and email attachments without verifying their authenticity.

Users Should Take The Following Steps After The Ransomware Attack

• Detach infected devices on the same network.
• Disconnect external storage devices if connected.
• Inspect system logs for suspicious events.

Impact And Cruciality Of Ransomware

• Loss of valuable data.
• Loss of the organization’s reputation and integrity.
• Loss of the organization’s sensitive business information.
• Disruption in organization operation.
• Financial loss.

MITRE ATT&CK® Techniques

Indicators Of Compromise