Threat actor where purge mask

Cybersecurity researchers report increased activity of the Hello XD ransomware, whose operators are now deploying an upgraded sample featuring stronger encryption.

First observed in November 2021, the particular family was based on the leaked source code of Babuk and engaged in a small number of double-extortion attacks where the threat actors stole corporate data before encrypting devices.

According to a new report by Palo Alto Networks Unit 42, the malware’s author has created a new encryptor that features custom packing for detection avoidance and encryption algorithm changes.

This marks a significant departure from the Babuk code and highlights the author’s intention to develop a new ransomware strain with unique capabilities and features for increased attacks.

Hello XD ransomware operation

The Hello XD ransomware operation is not currently using a Tor payment site to extort victims but instead instructs victims to enter negotiations directly through a TOX chat service.

In the latest version, the malware operators have added an onion site link on the dropped ransom note, but Unit 42 says the site is offline, so it might be under construction.

Hello XD ransom notes, old left, new right
Hello XD ransom notes, old left, new right (Unit 42)

When executed, Hello XD attempts to disable shadow copies to prevent easy system recovery and then encrypts files, adding the .hello extension to file names.

Besides the ransomware payload, Unit 42 also observed Hello XD operators now using an open-source backdoor named MicroBackdoor to navigate the compromised system, exfiltrate files, execute commands, and wipe traces.

This MicroBackdoor executable is encrypted using WinCrypt API and embedded within the ransomware payload, so it’s dropped to the system immediately upon infection.

Decrypting and dropping Microbackdoor
Decrypting and dropping Microbackdoor (Unit 42)

Crypter and encryption

The custom packer deployed in the ransomware payload’s second version features two layers of obfuscation.

The author has derived the crypter by modifying UPX, an open-source packer that numerous malware authors have widely abused in the past.

UPX packing (right) and custom packing (left)
UPX packing (right) and custom packing (left) (Unit 42)

The embedded blobs decryption involves using a custom algorithm containing unconventional instructions like XLAT, while the API calls in the packer are weirdly not obfuscated.

The most interesting aspect of the second major version of Hello XD is switching the encryption algorithm from modified HC-128 and Curve25519-Donna to Rabbit Cipher and Curve25519-Donna.

Babuk encryption (left) and HelloXD 2.0 encryption (right)
Babuk encryption (left) and Hello XD 2.0 encryption (right) (Unit 42)

Additionally, the file marker in the second version was changed from a coherent string to random bytes, making the cryptographic result more powerful.

What we should expect

At this time, Hello XD is a dangerous early-stage ransomware project currently being used in the wild. Even though its infection volumes aren’t significant yet, its active and targeted development lays the ground for a more dangerous status.

Unit 42 traced its origins to a Russian-speaking threat actor using the alias X4KME, who uploaded tutorials on deploying Cobalt Strike Beacons and malicious infrastructure online.

Samples of X4KME online presence
Samples of X4KME online presence (Unit 42)

Additionally, the same hacker has posted on forums to offer proof-of-concept (PoC) exploits, crypter services, custom Kali Linux distributions, and malware-hosting and distribution services.

All in all, the particular threat actor appears knowledgeable and in a position to move Hello XD forward, so analysts need to monitor its development closely.

Source: www.bleepingcomputer.com