With new obfuscation techniques and attack capabilities, Hello XD ransomware (opens in a new tab) is now more dangerous than ever, Unit 42, the cybersecurity arm of Palo Alto Networks, has discovered.
The group discovered that Hello XD now offers a new encryptor with a custom package, which helps the malware (opens in a new tab) stay hidden. Also, it comes with new changes in the encryption algorithm. Instead of modified HC-128 and Curve25519-Donna, this newly discovered version comes with Rabbit Cipher and Curve25519-Donna. Also, the file marker no longer carries a consistent string, but instead carries random bytes, further strengthening the cryptography.
Additionally, the stump contains a link to an onion site, but according to the researchers, the site is currently offline, possibly awaiting construction.
Implement MicroBackdoor
Typically, ransomware operators do two things in their attack: they extract all sensitive data to a location they can control, and they encrypt everything they find on the target network. This way, if the victim has a backup solution, they can still threaten to leak sensitive data online or sell it to a third party.
Hello XD goes one step further, it was found, because in addition to ransomware, the threat actor also implements MicroBackdoor, an open source backdoor that enables remote code execution, file exfiltration, and system changes.
The malware executable is encrypted with the WinCrypt API and embedded in the ransomware payload, it was said. He also does not have a specific amount of money in mind, which he seeks to earn in exchange for the decryption key. Instead, it tells victims to open a TOX chat service and start a negotiation process.
Hello XD was first spotted late last year, when researchers described it as a derivative of the then-popular Babuk ransomware. This newly discovered construct, however, is a significant advance over Babuk, suggesting that the threat actors behind it plan to develop it further.
To protect themselves from cyber attacks, businesses are advised to educate their employees on the dangers of phishing, keep their software up to date, and implement a powerful antivirus and firewall solution (opens in a new tab).
Via: BleepingComputer (Opens in a new tab)