June 21, 2022

HelloXD Ransomware And MicroBackdoor

Industry: N/A | Level: Strategic | Source: Palo Alto Unit42

Palo Alto Unit42 has observed activity from HelloXD ransomware family, since November 2021. The ransomware group conducts double extortion attacks however, they do not use a data leak site. Instead, the group handles negotiations through TOX chat and onion-based messengers. From reviewing the HelloXD code, the ransomware shares coding similarities with leaked Babuk/Babyk source code. Uniquely the operators deploy an open-source backdoor named, MicroBackdoor to retain a foothold in the victim’s environment. The backdoor is capable of monitoring ransomware progress, discovering files, executing commands and if needed, the ability to delete itself. Unit42 has traced a Russian-speaking threat actor named, x4k (additional alias L4ckyguy, unKn0wn, unk0w, _unkn0wn, and x4kme) as the developer of MicroBackdoor. x4k is involved with many nefarious cybercrime activities including developing Cobalt Strike beacons, selling proof-of-concept exploits, providing crypter services, creating custom Kali Linux distros, and establishing malicious infrastructure.