[MART] - Daily Diary #530 - Meet HelloXD Ransomware

CTAS-MAT ctas-mat at appgate.com
Mon Jun 13 20:26:35 UTC 2022


I hope everyone is doing well!

Below is the entry for today.

06/13/2022 - Diary entry #530:

Recently, a new ransomware strain was disclosed. Active since at least November 2021, the HelloXD group runs a double-extortion operation and targets both Linux and Windows systems. After the attack, the threat actors negotiate directly with their victims over peer-to-peer, end-to-end encrypted instant messaging software such as qTOX, which is commonly used among criminals on the dark web.

HelloXD’s code suggests that it is a modified version of Babuk’s leaked source code (covered in Daily Diary #342 in 2021). Additionally, one of its samples was observed deploying an open-source backdoor known as MicroBackdoor to establish a foothold in the compromised systems.

When executed, HelloXD deletes shadow copies to prevent recovery of the encrypted files. It then deletes itself and creates a mutex containing a specific text that can be used as an IOC: “With best wishes and good intentions...”. A mutex is a locking mechanism that serializes access to a resource on the system; this malware uses it to avoid reinfecting the host. The disclosed HelloXD samples were packed with a modified version of UPX, a very common packer found in both malware and trusted software.

To encrypt data, HelloXD, like other ransomware, combines an asymmetric algorithm (with the public key shipped along with the malware) and a symmetric algorithm (with the key generated at runtime). But instead of the common RSA+AES combination, HelloXD uses elliptic-curve cryptography (ECC) for the asymmetric part and the HC-128 or Rabbit stream ciphers for the symmetric part. After encrypting all files, it appends the extension “.hello” to each of them. Then, it drops a ransom note named “Hello.txt” with instructions to download qTOX and contact the actors.
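The host-side indicators above (the “.hello” extension, the “Hello.txt” note and the mutex text) lend themselves to a simple triage script. The following is an added example, not code from the diary or from Appgate: it walks a directory tree and flags folders holding both renamed files and the note, and it filters a handle listing for the mutex marker. The sample directory layout and handle lines are constructed here for the demonstration.

```python
"""Triage helpers for the HelloXD host indicators described in the diary entry."""
import os
import tempfile
from pathlib import Path

RANSOM_EXT = ".hello"          # extension appended to encrypted files
RANSOM_NOTE = "Hello.txt"      # ransom note dropped into affected directories
MUTEX_MARKER = "With best wishes and good intentions"  # text inside the mutex name


def scan_tree(root):
    """Return {directory: count} for directories holding '.hello' files and a Hello.txt note."""
    hits = {}
    for dirpath, _dirs, files in os.walk(root):
        encrypted = [f for f in files if f.lower().endswith(RANSOM_EXT)]
        if encrypted and RANSOM_NOTE in files:
            hits[dirpath] = len(encrypted)
    return hits


def suspicious_mutexes(handle_lines):
    """Filter mutex names (e.g. from a handle listing) for the HelloXD marker text."""
    return [line for line in handle_lines if MUTEX_MARKER.lower() in line.lower()]


def build_sample_tree():
    """Constructed sample layout mimicking a post-encryption directory (not real data)."""
    root = Path(tempfile.mkdtemp())
    victim = root / "Documents"
    victim.mkdir()
    (victim / "report.docx.hello").write_bytes(b"\x00" * 16)
    (victim / "budget.xlsx.hello").write_bytes(b"\x00" * 16)
    (victim / RANSOM_NOTE).write_text("constructed ransom note placeholder")
    clean = root / "Pictures"          # untouched folder, should not be flagged
    clean.mkdir()
    (clean / "holiday.jpg").write_bytes(b"\xff\xd8")
    return root


# Constructed lines in the style of a Windows handle listing (not captured output).
SAMPLE_HANDLES = [
    r"Mutant \Sessions\1\BaseNamedObjects\With best wishes and good intentions...",
    r"Mutant \BaseNamedObjects\SM0:1234:304:WilStaging_02",
]

if __name__ == "__main__":
    print(scan_tree(build_sample_tree()))      # {'.../Documents': 2}
    print(suspicious_mutexes(SAMPLE_HANDLES))  # one matching line
```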

Reusing leaked ransomware code is usually done by unskilled threat actors who lack the resources (or knowledge) to build their own, but that doesn’t seem to be the case for HelloXD. The threat actors behind HelloXD seem to have real development skills, modifying the encryption algorithms and adding their own touches. The ransomware operation itself seems to be in an early stage, with no wall of shame disclosed so far.

Kind Regards,



Felipe Tarijon de Almeida
Malware Analyst

E: felipe.tarijon at appgate.com<mailto:felipe.tarijon at appgate.com>
