Hello XD ransomware now drops a backdoor while encrypting

June 13, 2022

Cybersecurity researchers report increased activity of the Hello XD ransomware, whose operators are now deploying an upgraded sample featuring stronger encryption.

First observed in November 2021, the family is based on the leaked Babuk source code and has been used in a small number of double-extortion attacks, in which the threat actors stole corporate data before encrypting devices.


According to a new report by Palo Alto Networks Unit 42, the malware's author has created a new encryptor that features custom packing for detection avoidance and encryption algorithm changes.



This marks a significant departure from the Babuk code and highlights the author's intention to develop a new ransomware strain with its own capabilities and features, built to support a larger volume of attacks.


Hello XD ransomware operation


The Hello XD ransomware operation does not currently use a Tor payment site to extort victims; instead, it instructs victims to open negotiations directly through the Tox chat service.


In the latest version, the operators have added an onion site link to the dropped ransom note, but Unit 42 says the site is offline, so it may still be under construction.


Hello XD ransom notes, old left, new right (Unit 42)


When executed, Hello XD attempts to delete shadow copies so that the system cannot easily be recovered, then encrypts files and appends the .hello extension to their names.
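The page says only that Hello XD tampers with shadow copies, not how. Ransomware almost always does this by spawning a built-in Windows tool, so process-creation telemetry is the natural place to catch it. The following is an added example, not code from the page, Unit 42 or the ransomware: a small detector that runs over process-creation events and flags the commonly seen shadow-copy deletion and recovery-disabling command lines. The event format (pipe-separated key=value pairs in the Sysmon style), the sample events, and the parent image name `payload.exe` are constructed for the example; the assumption that Hello XD uses one of these specific commands is mine, not the article's.

```python
import re

# Command lines commonly used by ransomware to delete shadow copies or disable
# recovery. These are generic tradecraft patterns (assumption: the Unit 42 report
# quoted on the page does not say which method Hello XD uses).
SHADOW_COPY_PATTERNS = [
    ("vssadmin delete shadows",
     re.compile(r"\bvssadmin(?:\.exe)?\b.*\bdelete\b.*\bshadows\b", re.I)),
    ("vssadmin resize shadowstorage",
     re.compile(r"\bvssadmin(?:\.exe)?\b.*\bresize\b.*\bshadowstorage\b", re.I)),
    ("wmic shadowcopy delete",
     re.compile(r"\bwmic(?:\.exe)?\b.*\bshadowcopy\b.*\bdelete\b", re.I)),
    ("powershell Win32_ShadowCopy",
     re.compile(r"\bpowershell(?:\.exe)?\b.*Win32_ShadowCopy", re.I)),
    ("bcdedit recovery disabled",
     re.compile(r"\bbcdedit(?:\.exe)?\b.*\brecoveryenabled\b\s+no\b", re.I)),
]

# Constructed process-creation events (Sysmon Event ID 1 style). Fields are
# separated by '|' only where the next field name follows, so a '|' inside a
# PowerShell pipeline is left alone.
SAMPLE_EVENTS = [
    r"EventID=1|Image=C:\Windows\System32\vssadmin.exe|ParentImage=C:\Users\Public\payload.exe"
    r"|CommandLine=vssadmin.exe delete shadows /all /quiet",
    r"EventID=1|Image=C:\Windows\System32\wbem\WMIC.exe|ParentImage=C:\Users\Public\payload.exe"
    r"|CommandLine=wmic shadowcopy delete",
    r"EventID=1|Image=C:\Windows\System32\vssadmin.exe|ParentImage=C:\Windows\explorer.exe"
    r"|CommandLine=vssadmin list shadows",
    r"EventID=1|Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
    r"|ParentImage=C:\Users\Public\payload.exe"
    r'|CommandLine=powershell -c "Get-WmiObject Win32_ShadowCopy | ForEach-Object { $_.Delete() }"',
    r"EventID=1|Image=C:\Windows\System32\bcdedit.exe|ParentImage=C:\Users\Public\payload.exe"
    r"|CommandLine=bcdedit /set {default} recoveryenabled No",
]

_FIELD_SPLIT = re.compile(r"\|(?=[A-Za-z]+=)")


def parse_event(line):
    """Turn one pipe-separated key=value event line into a dict."""
    fields = {}
    for part in _FIELD_SPLIT.split(line):
        key, _, value = part.partition("=")
        fields[key.strip()] = value.strip()
    return fields


def detect_shadow_copy_tampering(lines):
    """Return (image, parent_image, pattern_name, command_line) for each matching event."""
    hits = []
    for line in lines:
        ev = parse_event(line)
        cmd = ev.get("CommandLine", "")
        for name, rx in SHADOW_COPY_PATTERNS:
            if rx.search(cmd):
                hits.append((ev.get("Image", "?"), ev.get("ParentImage", "?"), name, cmd))
                break  # one alert per event is enough
    return hits


if __name__ == "__main__":
    for image, parent, name, cmd in detect_shadow_copy_tampering(SAMPLE_EVENTS):
        print(f"[{name}] parent={parent} image={image}\n    {cmd}")
```

The benign `vssadmin list shadows` from explorer.exe is deliberately included and is not flagged; in production the parent image (a user-writable path spawning vssadmin) is a stronger signal than the command line alone, which is why it is carried in each hit.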


Besides the ransomware payload, Unit 42 also observed Hello XD operators now using an open-source backdoor named MicroBackdoor to navigate the compromised system, exfiltrate files, execute commands, and wipe traces.


The MicroBackdoor executable is encrypted with the WinCrypt API and embedded in the ransomware payload, so it is dropped onto the system immediately upon infection.


Decrypting and dropping Microbackdoor (Unit 42)


Crypter and encryption


The custom packer used in the second version of the ransomware payload features two layers of obfuscation.

The author derived the crypter by modifying UPX, an open-source packer that malware authors have widely abused in the past.


UPX packing (right) and custom packing (left) (Unit 42)


Decryption of the embedded blobs uses a custom algorithm built from unconventional instructions such as XLAT, while the API calls in the packer are, oddly, left unobfuscated.


The most interesting aspect of the second major version of Hello XD is the change of encryption algorithm: from a modified HC-128 with Curve25519-Donna to the Rabbit cipher with Curve25519-Donna.


Babuk encryption (left) and Hello XD 2.0 encryption (right) (Unit 42)


Additionally, the file marker written into encrypted files was changed in the second version from a readable string to random bytes. This does not make the encryption itself any stronger; its effect is to make encrypted files harder to recognize by a fixed signature.


What we should expect


At this time, Hello XD is a dangerous early-stage ransomware project in active use in the wild. Although its infection volumes are not yet significant, its active and targeted development lays the groundwork for it to become a much more serious threat.


Unit 42 traced its origins to a Russian-speaking threat actor using the alias X4KME, who uploaded tutorials on deploying Cobalt Strike Beacons and malicious infrastructure online.


Samples of X4KME online presence (Unit 42)


Additionally, the same actor has posted on forums offering proof-of-concept (PoC) exploits, crypter services, custom Kali Linux distributions, and malware-hosting and distribution services.


All in all, this threat actor appears knowledgeable and well positioned to move Hello XD forward, so analysts need to monitor its development closely.


Source: bleepingcomputer.com
