The malware seems like a silly coding lark at first, but further exploration shows it can wreak serious damage in follow-on attacks.
The NitroRansomware malware strain is shaking up the ransomware norm by demanding Discord Nitro gift codes from victims instead of actual money.
Discord is a VoIP, instant messaging and digital-distribution platform designed for creating communities. Users communicate with voice calls, video calls, text messaging, media and files in private chats or as part of communities called “servers.”
While the platform is free, users can purchase an upgraded “Nitro” subscription for $9.99 a month that allows larger upload sizes, HD video streaming, better emoji options and the ability to “stand out” via promotions on servers.
The NitroRansomware operators are apparently extremely interested in Nitro subscriptions. The strain was initially spotted by MalwareHunterTeam, and other researchers then looked into how the code works. It’s being distributed as a purported free gift-code generator for Nitro.
“Upon executing the ransomware, it will encrypt the victim’s file and will give three hours to them to provide a valid Discord Nitro [code],” explained Heimdal Security researcher Cezarina Chirica, in a Monday posting. “The malware appends the ‘.givemenitro’ extension to the filenames of the encrypted files. At the end of an encryption process, NitroRansomware will change the user’s wallpaper to an evil or angry Discord logo.”
According to an analysis by Bleeping Computer, the ransomware verifies that the provided Discord gift codes are valid, and decrypts the files using an embedded static decryption key. However, the three-hour limit appears to be a scareware tactic. If the timer ticks down to zero, no files are actually deleted.
The outlet’s analysis also pointed out that because the decryption keys are static, it’s possible to extract a decryption key from the executable itself, so there’s no real need to pay the $9.99.
Follow-On Attacks Possible
MalwareHunterTeam also noted that the malware steals Discord tokens from victims as well. A token is a credential that grants access to the victim’s Discord account, so an attacker holding one can act as that user, including on any servers the user administers.
And, “NitroRansomware also implements backdoor capabilities, allowing the hackers to remotely execute commands and then have the output sent through their webhook to the attacker’s Discord channel,” said Heimdal’s Chirica.
Chirica recommended that users infected with the ransomware immediately change their Discord password and perform an antivirus scan to detect other malicious programs added to the computer. Users should also check Windows for new user accounts that they did not create, and remove any they find.
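The following PowerShell script is an added example that carries out the scriptable parts of that advice on a single Windows machine; it is not code from the original article or from Heimdal. It assumes Windows 10 or later with PowerShell 5.1+, an elevated prompt (reading the Security log and removing local users requires admin), and Microsoft Defender for the scan step. The `.givemenitro` extension comes from the article; the 24-hour lookback window and the `-RemoveFlaggedUsers` switch are assumptions for this example.

```powershell
# Post-infection triage for NitroRansomware (added example, not Heimdal's tooling).
# Run from an elevated PowerShell prompt. Review the flagged accounts before
# passing -RemoveFlaggedUsers; nothing is deleted by default.

param(
    [int]$LookbackHours = 24,      # assumed window for "recently created" accounts
    [switch]$RemoveFlaggedUsers    # off by default: inspect the list first
)

$since = (Get-Date).AddHours(-$LookbackHours)

# 1. Inventory the encrypted files so the blast radius is known before restoring.
#    The article reports that the malware appends ".givemenitro" to encrypted files.
$encrypted = Get-ChildItem -Path $env:USERPROFILE -Recurse -Force `
    -Filter '*.givemenitro' -ErrorAction SilentlyContinue
Write-Host ("Encrypted files found: {0}" -f $encrypted.Count)
if ($encrypted) {
    $encrypted | Select-Object FullName, Length, LastWriteTime |
        Export-Csv -Path "$env:USERPROFILE\Desktop\givemenitro-files.csv" -NoTypeInformation
}

# 2. Find local accounts created inside the window. Get-LocalUser has no creation
#    timestamp, so use Security event 4720 ("A user account was created"); its
#    first EventData property is TargetUserName, the name of the new account.
$created = @()
try {
    $created = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4720; StartTime = $since } `
        -ErrorAction Stop | ForEach-Object { $_.Properties[0].Value }
} catch {
    Write-Warning "Could not read the Security log (not elevated, or no 4720 events): $_"
}

# Cross-check against accounts that still exist, and never flag the built-in ones
# so that a legitimate admin account is not removed by accident.
$builtin = 'Administrator', 'Guest', 'DefaultAccount', 'WDAGUtilityAccount'
$flagged = Get-LocalUser | Where-Object {
    ($created -contains $_.Name) -and ($builtin -notcontains $_.Name)
}
if ($flagged) {
    Write-Host "Local accounts created in the last $LookbackHours hours:" -ForegroundColor Yellow
    $flagged | Format-Table Name, Enabled, LastLogon, Description -AutoSize
    if ($RemoveFlaggedUsers) {
        # -Confirm prompts per account; drop it only after you have reviewed the list.
        $flagged | ForEach-Object { Remove-LocalUser -Name $_.Name -Confirm }
    }
} else {
    Write-Host "No local accounts created in the last $LookbackHours hours."
}

# 3. Hand the rest of the box to Defender for a full scan.
if (Get-Command Start-MpScan -ErrorAction SilentlyContinue) {
    Start-MpScan -ScanType FullScan
} else {
    Write-Warning "Defender cmdlets not available; run your antivirus's full scan manually."
}
```

The script deliberately leaves the Discord password change to the user: that step is done in the Discord client, and it is the one that matters most against the token theft described above, because it is the stolen token, not the file encryption, that gives the attacker a persistent foothold. Run the account check before the full scan; the scan can take an hour or more, and a rogue account is the faster thing to close.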
Gift Cards: A Cybercrime Goldmine
Why gift codes? They can be resold, and also can be used for money laundering, researcher Kevin Beaumont pointed out.
Stolen gift and loyalty codes and cards can be big business on the cyber-underground. In February, for instance, gift cards from 3,010 companies showed up on a Russian-speaking illicit forum, according to Gemini Advisory. These included cards from Airbnb, Amazon, American Airlines, Chipotle, Dunkin’ Donuts, Marriott, Nike, Subway, Target and Walmart.
These were worth around $38 million in face value, Gemini noted, but they netted far less for the cybercriminals behind the cache. The starting bidding price for the stolen gift cards was $10,000, with a “buy now” price of $20,000. The cards were bought by another cybercriminal soon after they were posted for sale, according to the firm.
“Typically, compromised gift cards sell for 10 percent of the card value in the Dark Web; however, the 895,000 cards offered from the breach were priced at roughly 0.05 percent of the card value,” according to Gemini, in an early April report. The discrepancy likely means the gift cards were carrying low balances, it added.
When it comes to monetization, cybercriminals basically have two options, according to Gemini: Purchase actual goods and resell them; or, sell the cards to a third-party gift card marketplace as in the example above.
“In [one] scheme, cybercriminals would use stolen payment cards to purchase gift cards and then sell the gift cards to Cardpool [a third-party gift-card marketplace],” according to the report. “If a bank were to determine that the gift card had been purchased with a stolen payment card, they could connect with the merchant bank or gift card vendors that issued the gift card and request they void the gift card. Unfortunately, this process can prove cumbersome and time-consuming, making it a rare occurrence and granting cybercriminals a wider time window to pull off their scheme.”