A dangerous malware dubbed Luxy was discovered, combining two destructive activities: stealing sensitive data and encrypting files for ransom.
The malware steals user passwords, browser details, cryptocurrency wallet information, and even gaming session files, and it also functions as ransomware, locking victims' files until a ransom is paid.
First discovered by K7 Labs, Luxy employs multiple modules that collaborate to infect and compromise systems.
Once installed, it searches for browser credentials and cookies, cryptocurrency wallet data, and even Minecraft and Roblox gaming session files.
This stolen data is stored in files that the malware stealthily collects and sends to the attackers.
The malware works by first determining whether it is running on a virtual machine (VM).
If it detects certain blacklisted systems or monitoring tools, it shuts down to avoid detection.
Luxy ensures that it can only run once per system by registering a unique identifier (mutex) and confirming internet access.
The stealer component is extremely effective at collecting data, specifically targeting browsers such as Chrome to steal cookies and passwords.
It also targets popular cryptocurrency wallets like Ethereum, Coinomi, and Exodus, as well as gaming session files from Minecraft and Roblox.
This stolen information can be used for more malicious purposes, such as identity theft and account takeovers.
After the stealing phase is completed, the ransomware module takes over. Luxy encrypts files on the victim's computer with AES256 and renames them with the “.luxy” extension.
For example, a file called “1.jpg” becomes “1.jpg.luxy.” After encrypting all files, Luxy sends a ransom note instructing victims to join a Discord server and pay for a decryption tool.
As in typical ransomware fashion, Luxy demands $980 to decrypt the files.
However, if victims contact the attackers within 72 hours, the cost is reduced by 50% to $490.
This creates a sense of urgency for victims to pay promptly in order to recover their files.