Hello XD ransomware now drops a backdoor while encrypting

The Hello XD ransomware has seen an uptick in activity, according to security researchers, and its operators are now using an improved version with stronger encryption.

The family, first spotted in November 2021 and built on Babuk's leaked source code, has been used in double-extortion attacks in which the threat actors stole corporate data before encrypting devices.

According to a new report from Palo Alto Networks Unit 42, the malware's author has produced a new encryptor with custom packing for detection evasion and changes to the encryption algorithm.

This is a substantial departure from the Babuk code and indicates that the author intends to build a distinct ransomware strain with its own capabilities and features to support more attacks.

Hello XD ransomware attack

Rather than running a Tor payment site, the Hello XD operation instructs victims to open negotiations directly over the Tox encrypted chat service.

In the latest version the operators have added an onion site link to the dropped ransom note, although Unit 42 reports that the site is currently offline, which suggests it is still under construction.

Hello XD first attempts to delete volume shadow copies, to block easy system recovery, then encrypts files and appends the .hello extension to their names.

Beyond the ransomware payload, Unit 42 observed Hello XD operators using an open-source backdoor called MicroBackdoor to navigate the compromised machine, exfiltrate files, execute commands and clean up traces.

The MicroBackdoor executable is embedded in the ransomware payload, encrypted with the WinCrypt API, so it is dropped onto the machine as soon as the ransomware runs.

Encryption and crypter

The custom packer used by the second version of the ransomware payload applies two layers of obfuscation.

The crypter was built by modifying UPX, an open-source packer that malware developers have long abused.

The embedded blobs are decrypted with a custom routine that uses unusual instructions such as XLAT, while the packer's own API calls are, oddly, left unobfuscated.

The most notable change in Hello XD's second major version is the switch of the encryption scheme from a modified HC-128 with Curve25519-Donna to the Rabbit cipher with Curve25519-Donna.

The file marker was also changed in the second version, from readable text to random bytes, so encrypted files no longer carry an obvious plaintext signature.

What should we expect?

Hello XD is an early-stage but already dangerous ransomware project that is being deployed in the wild. Although infection numbers are not yet large, its active and targeted development lays the groundwork for something more harmful.

Unit 42 linked the ransomware to a Russian-speaking threat actor known as X4KME, who has posted online guides on deploying Cobalt Strike Beacons and malicious infrastructure.

The same actor has also advertised proof-of-concept (PoC) exploits, crypter services, custom Kali Linux distributions, and malware hosting and distribution services on other forums.

Overall, the threat actor appears skilled and capable of advancing Hello XD, so analysts should watch its progress closely.
