HelloXD Ransomware operators install MicroBackdoor on target systems

Experts observed the HelloXD ransomware deploying a backdoor to facilitate persistent remote access to infected hosts.

The HelloXD ransomware first appeared in the threat landscape on November 30, 2021, it borrows the code from Babuk ransomware, which is available in Russian-speaking hacking forums since September 2021. Unlike other ransomware operations, this ransomware gang doesn’t use a leak site, instead, it contacts victims through TOX chat and onion-based messenger instances.

The malware could target both Windows and Linux systems, in the recent attacks observed by security experts at Palo Alto Unit 42 team, the operators employed the open-source backdoor MicroBackdoor to maintain persistence on infected hosts.

The backdoor allows the attacker to browse the file system, upload and download files, execute commands, and also remove itself from the infected system. The analysis of the MicroBackdoor sample revealed an embedded IP address in the configuration, the IP belongs to a threat actor that is likely the developer: x4k (aka L4ckyguy, unKn0wn, unk0w, _unkn0wn, and x4kme).

“The ransom note was modified between the observed samples. In the first sample we encountered (Figure 3, left), the ransom note only linked to a TOX ID, whereas a later observed sample (Figure 3, right) links to an onion domain as well as a TOX ID (different from the one in the first version). At the time of writing, this site is down.” reads the analysis published by PaloAlto Networks.

The researchers discovered that the operators used two main packers for HelloXD ransomware binaries, a modified version of UPX, and a second packer consisting of two layers, with the second being the same custom UPX packer.

Unit42 researchers have observed two different samples of the HelloXD ransomware publicly available, a circumstance that suggests the malware is still under development. The first sample is quite rudimentary, with minimal obfuscation and typically paired with an obfuscated loader responsible for decrypting it through the use of the WinCrypt API before injecting it into memory. The second sample analyzed by the researchers is more obfuscated and is executed in memory by a packer instead of a loader.

Both samples implement similar functionalities because they borrow the came leaked Babuk source code.

“Unit 42 research encountered HelloXD, a ransomware family in its initial stages – but already intending to impact organizations. While the ransomware functionality is nothing new, during our research, following the lines, we found out the ransomware is most likely developed by a threat actor named x4k. This threat actor is well known on various hacking forums, and seems to be of Russian origin.” concludes the analysis published by Unit 42. “Unit 42 was able to uncover additional x4k activity being linked to malicious infrastructure, and additional malware besides the initial ransomware sample, going back to 2020.”

Security Affairs is one of the finalists for the best European Cybersecurity Blogger Awards 2022 – VOTE FOR YOUR WINNERS. I ask you to vote for me again (even if you have already done it), because this vote is for the final.

Please vote for Security Affairs and Pierluigi Paganini in every category that includes them (e.g. sections “The Underdogs – Best Personal (non-commercial) Security Blog” and “The Tech Whizz – Best Technical Blog”)

To nominate, please visit: 

https://docs.google.com/forms/d/e/1FAIpQLSdNDzjvToMSq36YkIHQWwhma90SR0E9rLndflZ3Cu_gVI2Axw/viewform

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, HelloXD ransomware)

[adrotate banner=”5″]

[adrotate banner=”13″]