Hello XD ransomware now drops a backdoor while encrypting

Cybersecurity researchers report increased activity of the Hello XD ransomware, whose operators are now deploying an upgraded sample featuring stronger encryption.

First observed in November 2021, the particular family was based on the leaked source code of Babuk and engaged in a small number of double-extortion attacks where the threat actors stole corporate data before encrypting devices.

According to a new report by Palo Alto Networks Unit 42, the malware's author has created a new encryptor that features custom packing for detection avoidance and encryption algorithm changes.

This marks a significant departure from the Babuk code and highlights the author's intention to develop a new ransomware strain with unique capabilities and features for increased attacks.

Hello XD ransomware operation

The Hello XD ransomware operation is not currently using a Tor payment site to extort victims but instead instructs victims to enter negotiations directly through a TOX chat service.

In the latest version, the malware operators have added an onion site link on the dropped ransom note, but Unit 42 says the site is offline, so it might be under construction.

When executed, Hello XD attempts to disable shadow copies to prevent easy system recovery and then encrypts files, adding the .hello extension to file names.

Besides the ransomware payload, Unit 42 also observed Hello XD operators now using an open-source backdoor named MicroBackdoor to navigate the compromised system, exfiltrate files, execute commands, and wipe traces.

This MicroBackdoor executable is encrypted using WinCrypt API and embedded within the ransomware payload, so it's dropped to the system immediately upon infection.

Crypter and encryption

The custom packer deployed in the ransomware payload's second version features two layers of obfuscation.

The author has derived the crypter by modifying UPX, an open-source packer that numerous malware authors have widely abused in the past.

The embedded blobs decryption involves using a custom algorithm containing unconventional instructions like XLAT, while the API calls in the packer are weirdly not obfuscated.

The most interesting aspect of the second major version of Hello XD is switching the encryption algorithm from modified HC-128 and Curve25519-Donna to Rabbit Cipher and Curve25519-Donna.

Additionally, the file marker in the second version was changed from a coherent string to random bytes, making the cryptographic result more powerful.

What we should expect

At this time, Hello XD is a dangerous early-stage ransomware project currently being used in the wild. Even though its infection volumes aren't significant yet, its active and targeted development lays the ground for a more dangerous status.

Unit 42 traced its origins to a Russian-speaking threat actor using the alias X4KME, who uploaded tutorials on deploying Cobalt Strike Beacons and malicious infrastructure online.

Additionally, the same hacker has posted on forums to offer proof-of-concept (PoC) exploits, crypter services, custom Kali Linux distributions, and malware-hosting and distribution services.

All in all, the particular threat actor appears knowledgeable and in a position to move Hello XD forward, so analysts need to monitor its development closely.