Hello XD ransomware new tactics: drops the backdoor while encrypting

Cybersecurity researchers report increased activity of the Hello XD ransomware, whose operators are now deploying an upgraded sample featuring stronger encryption.

First observed in November 2021, the family is based on the leaked source code of Babuk and has been used in a small number of double-extortion attacks, in which the threat actors stole corporate data before encrypting devices.

Hello{XD} Ransomware Installing Backdoor on Windows and Linux Systems

Windows and Linux systems are being targeted by a ransomware variant called HelloXD, with the infections also involving the deployment of a backdoor to give the operators persistent remote access to infected hosts. According to Palo Alto Networks Unit 42, the malware uses a newly written encryptor with custom features.

Hello XD extorts its victims, but it does not use a Tor payment site; instead, the ransom note instructs victims to open negotiations directly over the TOX chat service. The latest versions of the ransomware also add an onion site link to the ransom note, but reports state that the site is offline. The operators may still be developing the page or preparing for further attack campaigns.
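As an added example that is not from the article or from Unit 42, the following Python helper triages a dropped ransom note for the two contact channels described above: a TOX ID (assumed here to be a 76-character hexadecimal string) and a Tor .onion address. The sample note is constructed and contains no real identifiers.

```python
import re
from dataclasses import dataclass, field

# Constructed sample ransom-note text for offline testing (not a real Hello XD note).
# The TOX ID and onion address are made up to match the formats only.
SAMPLE_NOTE = """Your files have been encrypted.
Contact us via TOX: 0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789AB
Backup channel: http://abcdefghijklmnopqrstuvwxyz234567abcdefghijklmnopqrstuvwx.onion
"""

# Assumption: a TOX ID is a 76-character hex string (32-byte key + 4-byte nospam + 2-byte checksum).
TOX_ID_RE = re.compile(r"\b[0-9A-Fa-f]{76}\b")
# Tor v3 onion names are 56 base32 characters; v2 names were 16. Both are matched.
ONION_RE = re.compile(r"\b(?:[a-z2-7]{56}|[a-z2-7]{16})\.onion\b", re.IGNORECASE)


@dataclass
class NoteTriage:
    """Indicators extracted from one ransom note plus the negotiation channel they imply."""
    tox_ids: list = field(default_factory=list)
    onion_urls: list = field(default_factory=list)
    channel: str = "none"   # one of: none, tox, onion, tox+onion


def triage_ransom_note(text: str) -> NoteTriage:
    """Extract TOX IDs and .onion addresses from a note and classify the contact channel."""
    result = NoteTriage()
    result.tox_ids = sorted({m.group(0).upper() for m in TOX_ID_RE.finditer(text)})
    result.onion_urls = sorted({m.group(0).lower() for m in ONION_RE.finditer(text)})
    if result.tox_ids and result.onion_urls:
        result.channel = "tox+onion"
    elif result.tox_ids:
        result.channel = "tox"
    elif result.onion_urls:
        result.channel = "onion"
    return result


if __name__ == "__main__":
    triage = triage_ransom_note(SAMPLE_NOTE)
    print(f"channel={triage.channel} tox_ids={triage.tox_ids} onion={triage.onion_urls}")
```

Run it over notes collected from an incident to feed the extracted identifiers into a blocklist or a case file; the channel label distinguishes notes that only carry a chat ID from ones that also advertise a leak or payment site.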

The implant in question, named MicroBackdoor, is an open-source malware used for command-and-control (C2) communications; its developer, Dmytro Oleksiuk, calls it a "really minimalistic thing with all of the basic features in less than 5,000 lines of code."


Additional findings and links to Russian hackers

Unit 42 also links HelloXD to a Russian developer with online aliases including x4k, L4ckyhuy and unKn0wn. The research team states that the same developer is tied to further malicious operations, such as proof-of-concept exploits and custom Linux malware distributions. These findings were made by piecing together the digital trail of this alleged Russian malware developer.

Researchers also state that this actor has done little to hide these malicious activities, so it might continue to operate in the same manner.

What we should expect

At this time, Hello XD is a dangerous early-stage ransomware project that is actively used in the wild. Even though its infection volumes are not significant yet, its active and targeted development lays the groundwork for it to become a more serious threat.

Unit 42 traced its origins to a Russian-speaking threat actor using the alias X4KME, who uploaded tutorials on deploying Cobalt Strike Beacons and malicious infrastructure online.

Additionally, the same hacker has posted on forums to offer proof-of-concept (PoC) exploits, crypter services, custom Kali Linux distributions, and malware-hosting and distribution services.

All in all, the particular threat actor appears knowledgeable and in a position to move Hello XD forward, so analysts need to monitor its development closely.


About the Author: Cryptus Team

CRYPTUS CYBER SECURITY is a cyber security training and penetration testing company in New Delhi, India. We have been delivering advanced IT security training and services with up-to-date technology content to IT professionals. Our goal is to sustain a level of performance that produces sterling results. We stand by the commitments made by our team.
