Cybersecurity researchers have discovered a new variant of the HelloXD ransomware that features stringer encryption and installs an open-source backdoor on compromised systems to maintain an additional foothold.
First spotted in November 2021, the HelloXD ransomware family is based on source code of the well-known Babuk Locker ransomware, which was leaked in June 2021. Unlike other ransomware operations, HelloXD doesn’t have its own leak site, but rather points the impacted victim to negotiations through TOX chat and onion-based messenger instances.
Palo Alto networks’ Unit 42 discovered the new HelloXD sample, which deployed MicroBackdoor, an open-source backdoor that allowed an attacker to browse the file system, upload and download files, execute commands, and remove itself from the system. The researchers believe that the threat actor used the backdoor to monitor the progress of the ransomware on the compromised system.
Upon execution, Hello XD attempts to disable shadow copies to prevent easy system recovery and then encrypts files, adding the .hello extension to file names.
The researchers said they observed two different samples of HelloXD that appear to be under active development. While the first sample was fairly rudimentary with minimal obfuscation, the second was far more obfuscated, and is executed in memory by a packer rather than a full-scale loader.
“While the obfuscation and execution may differ between the two, both samples contain very similar core functionality, due to the author copying the leaked Babuk/Babyk source code in order to develop the HelloXD ransomware. As a result, a lot of the function structure overlaps with Babuk, after getting past the obfuscation,” the researchers wrote.
MicroBackdoor is encrypted using the WinCrypt API and embedded within the ransomware payload.
“As the threat actor would normally have a foothold into the network prior to ransomware deployment, it raises the question of why this backdoor is part of the ransomware execution. One possibility is that it is used to monitor ransomed systems for blue team and incident response (IR) activity, though even in that case it is unusual to see offensive tools dropped at this point in the infection,” Unit 42 notes.
The team was able to trace MicroBackdoor to a Russian-speaking threat actor using the aliases X4KME, x4k, L4ckyguy, unKn0wn, unk0w, and_unkn0wn and link them to further malicious activities such as offering proof-of-concept (PoC) exploits, crypter services, custom Kali Linux distributions, and malware-hosting and distribution services on underground hacker forums.
“Unit 42 research encountered HelloXD, a ransomware family in its initial stages – but already intending to impact organizations. While the ransomware functionality is nothing new, during our research, following the lines, we found out the ransomware is most likely developed by a threat actor named x4k. This threat actor is well known on various hacking forums, and seems to be of Russian origin. Unit 42 was able to uncover additional x4k activity being linked to malicious infrastructure, and additional malware besides the initial ransomware sample, going back to 2020,” the researchers said.