Hello XD ransomware now drops a backdoor while encrypting

Cybersecurity researchers report increased activity of the Hello XD ransomware, whose operators are now deploying stronger encryption. The group does not run an active leak site; instead it directs the impacted victim to negotiations through TOX chat and onion-based messenger instances.

Hello XD Ransomware

HelloXD is a ransomware family that surfaced in November 2021 and performs double-extortion attacks. During its research, Unit 42 observed multiple variants impacting Windows and Linux systems.

In the latest version, the operators have added an onion site link to the dropped ransom note; however, Unit 42 reports that the site is offline.

One of the samples was observed deploying MicroBackdoor, an open-source backdoor that lets an attacker browse the file system, upload and download files, execute commands and remove itself from the host. The backdoor gives the operator access to the machine for stealing corporate data before the files are encrypted.

Unit 42 attributes Hello XD to a threat actor known as x4k, who has been observed in various hacking and non-hacking forums. That presence has linked the actor to additional malicious activity such as:

  • Cobalt Strike Beacon deployment.
  • Selling proof-of-concept (PoC) exploits.
  • Crypter services.
  • Developing custom Kali Linux distros.
  • Hosting and distributing malware.
  • Deployment of malicious infrastructure.

The most notable change in the second major version of Hello XD:

  • Switching the file-encryption scheme from a modified HC-128 with Curve25519-Donna to the Rabbit cipher with Curve25519-Donna.

Reference: paloaltonetworks (Unit 42)

Unit 42's research encountered HelloXD as a ransomware family still in its initial stages, but one already intent on impacting organizations.

Indicators of Compromise for Hello XD Ransomware

HelloXD Ransomware samples

435781ab608ff908123d9f4758132fa45d459956755d27027a52b8c9e61f9589
ebd310cb5f63b364c4ce3ca24db5d654132b87728babae4dc3fb675266148fe9
65ccbd63fbe96ea8830396c575926af476c06352bb88f9c22f90de7bb85366a3
903c04976fa6e6721c596354f383a4d4272c6730b29eee00b0ec599265963e74
7247f33113710e5d9bd036f4c7ac2d847b0bf2ac2769cd8246a10f09d0a41bab
4e9d4afc901fa1766e48327f3c9642c893831af310bc18ccf876d44ea4efbf1d
709b7e8edb6cc65189739921078b54f0646d38358f9a8993c343b97f3493a4d9
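A quick way to put the hashes above to work is a file-hash sweep over a directory tree. The following Python is an added example, not code from the original article or from Unit 42: it copies the seven SHA-256 indicators listed above into a set, hashes every regular file under a root directory in chunks, and reports matches. Because the real binaries are not available here, the demo builds a constructed directory containing a benign file and a stand-in file whose own hash is added to the IOC set for the run; that stand-in hash and the temporary directory are assumptions for the demonstration only.

```python
"""IOC sweep against the HelloXD SHA-256 indicators listed on this page.

Added example; not part of the original article or of Unit 42's research.
The demo directory and the stand-in sample hash are constructed here.
"""
import hashlib
import os
import tempfile
from pathlib import Path

# SHA-256 hashes of HelloXD samples, copied from the IOC list above.
HELLOXD_SHA256 = {
    "435781ab608ff908123d9f4758132fa45d459956755d27027a52b8c9e61f9589",
    "ebd310cb5f63b364c4ce3ca24db5d654132b87728babae4dc3fb675266148fe9",
    "65ccbd63fbe96ea8830396c575926af476c06352bb88f9c22f90de7bb85366a3",
    "903c04976fa6e6721c596354f383a4d4272c6730b29eee00b0ec599265963e74",
    "7247f33113710e5d9bd036f4c7ac2d847b0bf2ac2769cd8246a10f09d0a41bab",
    "4e9d4afc901fa1766e48327f3c9642c893831af310bc18ccf876d44ea4efbf1d",
    "709b7e8edb6cc65189739921078b54f0646d38358f9a8993c343b97f3493a4d9",
}


def sha256_file(path, chunk_size=1 << 20):
    """Hash a file in fixed-size chunks so large files are never read whole into memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def sweep(root, iocs=HELLOXD_SHA256):
    """Walk root and return ({path: sha256} of IOC matches, [(path, error)] of unreadable files).

    Symlinks are skipped so the sweep cannot be redirected outside root, and read
    errors are reported rather than silently dropped, so a locked file is visible.
    """
    wanted = {h.lower() for h in iocs}
    matches, errors = {}, []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            if os.path.islink(path) or not os.path.isfile(path):
                continue
            try:
                digest = sha256_file(path)
            except OSError as exc:
                errors.append((path, str(exc)))
                continue
            if digest in wanted:
                matches[path] = digest
    return matches, errors


def demo():
    """Constructed demonstration: one benign file plus a stand-in 'sample' (assumption:
    we have no real HelloXD binary, so its hash is added to the IOC set for this run)."""
    root = tempfile.mkdtemp(prefix="helloxd_sweep_")
    sample = Path(root, "suspicious.exe")
    sample.write_bytes(b"constructed stand-in for a HelloXD sample")
    Path(root, "notes.txt").write_text("benign file")
    stand_in_hash = sha256_file(sample)
    with_stand_in, errors = sweep(root, HELLOXD_SHA256 | {stand_in_hash})
    real_only, _ = sweep(root)
    return {
        "root": root,
        "sample": str(sample),
        "stand_in_hash": stand_in_hash,
        "matches_with_stand_in": with_stand_in,
        "matches_real_only": real_only,
        "errors": errors,
    }


if __name__ == "__main__":
    result = demo()
    print("matches (stand-in added):", result["matches_with_stand_in"])
    print("matches (real IOCs only):", result["matches_real_only"])
    print("unreadable files:", result["errors"])
```

Hash indicators are exact-match only: a repacked or recompiled build of the same ransomware yields a different SHA-256 and will pass this sweep, so treat a clean result as "these specific samples are absent", not as "HelloXD is absent", and pair the sweep with behavioural detection (ransom-note drops, mass file renames, the MicroBackdoor component) for coverage of newer builds.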

By FirstHackersNews | June 14th, 2022 (last updated 2022-06-17T13:54:14+05:30) | Ransomware, Security Advisory, Security Update, Tips

About the Author: FirstHackersNews - Identifies Security
