The HelloXD ransomware targeting Windows and Linux systems with the infections also involving the deployment of a backdoor to facilitate persistent remote access to infected hosts.
The operators employed the open-source backdoor Micro Backdoor to maintain persistence on infected hosts. It allows the attacker to browse the file system, upload and download files, execute commands, and remove itself from the infected system.
The analysis of the Micro Backdoor sample revealed an embedded IP address in the configuration, the IP belongs to a threat actor that is likely the developer: x4k (aka L4ckyguy, unKn0wn, unk0w, _unkn0wn, and x4kme).
The researchers discovered that the operators used two main packers for HelloXD ransomware binaries, a modified version of UPX, and a second packer consisting of two layers, with the second being the same custom UPX packer.
Researchers have observed two different samples of the HelloXD ransomware publicly available, a circumstance that suggests the malware is still under development.
- The first sample is quite rudimentary, with minimal obfuscation and typically paired with an obfuscated loader responsible for decrypting it using the WinCrypt API before injecting it into memory.
- The second sample analyzed by the researchers is more obfuscated and is executed in memory by a packer instead of a loader.
Unit 42 research encountered HelloXD, a ransomware family in its initial stages – but already intending to impact organizations. While the ransomware functionality is nothing new, during our research, following the lines, we found out the ransomware is most likely developed by a threat actor named x4k. This threat actor is well known on various hacking forums and seems to be of Russian origin.
Threat Analysis – Report Statement
Unit 42 was able to uncover additional x4k activity being linked to malicious infrastructure, and additional malware besides the initial ransomware sample, going back to 2020.
Indicators of Compromise
HelloXD Ransomware samples
- 435781ab608ff908123d9f4758132fa45d459956755d27027a52b8c9e61f9589
- ebd310cb5f63b364c4ce3ca24db5d654132b87728babae4dc3fb675266148fe9
- 65ccbd63fbe96ea8830396c575926af476c06352bb88f9c22f90de7bb85366a3
- 903c04976fa6e6721c596354f383a4d4272c6730b29eee00b0ec599265963e74
- 7247f33113710e5d9bd036f4c7ac2d847b0bf2ac2769cd8246a10f09d0a41bab
- 4e9d4afc901fa1766e48327f3c9642c893831af310bc18ccf876d44ea4efbf1d
- 709b7e8edb6cc65189739921078b54f0646d38358f9a8993c343b97f3493a4d9
Malware linked to x4k infrastructure
- 0e1aa5bb7cdccacfa8cbfe1aa71137b361bea04252fff52a9274b32d0e23e3aa
- 1fafe53644e1bb8fbc9d617dd52cd7d0782381a9392bf7bcab4db77edc20b58b
- 3477b704f6dceb414dad49bf8d950ef55205ffc50d2945b7f65fb2d5f47e4894
- 3eb1a41c86b3846d33515536c760e98f5cf0a741c682227065cbafea9d350806
- 4245990f42509474bbc912a02a1e5216c4eb87ea200801e1028291b74e45e43b
- 4de1279596cf5e0b2601f8b719b5240cb00b70c0d6aa0c11e2f32bc3ded020aa
- 4ea43678c3f84a66ce93cff50b11aabbe28c99c058e7043f275fea3456f55b88
- 5ae0d9e7ae61f3afb989aaf8e36eda1816ec44ceae666aea87a9fdc6fed35594
- 667b8abb731656c83f2f53815be68cce5d1ace3cb4ed242c9fecd4a66ac2f816
- 78ae3726d5b0815ad2e5a775ecf1a6cd36e1eeeee133b0766158a6b107ef7c34
- 7da83a27e4d788ca33b8b05d365fdf803cb68e0df4d69942ba9b7bde54619322
- 8a02f01cc3ac71b2c440148fd51b44e260a953e4fc1ee1c3fe787395b8c712ab
- 963cacd7eeebfb09950668bf1c6adf5452b992fc09119835cd256c5d3cf17f91
- a57b1cfd3e801305856cdb75839de05f03439e264ccdbd1497685878a2605b5a
- bd111240c24a6a188f2664eb15195630b13aa6d9483fc8cfed339dddf803fd4e
- d8026801e1b78d9bdcb4954c194748d0fdc631594899b29a2746ae425b8bfc79
- d8db562070b06d835721413a98f757b88d59277bf638467fda2ee254afc692a0
- d97d666239cc973a38dc788bf017f5d8ae19257561888b61ecff8e086c4e3ea0
- 19d7e899777fbe432b2c90b992604599706b4109c3ceaa7946e8548f4c190a19
- 1dbf8ae62cc90c837ba12ceee08a1d989732a95bdcef5ca18151ef698ed98a03
- 22b32bb7c791842a6aa604d08208b13db07ccd1fe81f47ea8369537addb26c7b
- 26019b86686c1038326f075663d79803e4412bf9952eae65d7b9278be74ac55c
- 26cccc7e9155bd746e3bb963d40d6edfc001e6d936faf9392202e3788996105a
- 43fa55c88453db0de0c22f3eb0b11d1db9286f3ee423e82704fdce506d3af516
- 4564ca0c436fde9e76f5fa65cbcf483adf1fbfa3d7369b7bb67d2c95457f6bc5
- 585a22e822ade633cee349fd0a9e6a7d083de250fb56189d5a29d3fc5468680c
- 592b1e55ceef3b8a1ecb28721ebf2e8edd109b9b492cf3c0c0d30831c7432e00
- 611f3b0ed65dc98a0d7f5c57512212c6ab0a5de5d6bbf7131d3b7ebf360773c6
- 6b437208dfb4a7906635e16a5cbb8a1719dc49c51e73b7783202ab018181b616
- 6e8ececfdc74770885f9dc63b4b2316e8c4a011fd9e382c1ba7c4f09f256925d
- 99f97a47d8d60b8fa65b4ddaf5f43e4352765a91ab053ceb8a3162084df7d099
- 9e2524b2eaf5248eed6b2d20ae5144fb3bb543647cf612e5ca52135d16389f1a
- c15111a5f33b3c51a26f814b64c891791ff21104ee75a4773fef86dfc7a8e7ca
- cd9908f50c9dd97a2ce22ee57ba3e014e204369e5b75b88cefb270dc44a5ca50
- ddc96ac931762065fc085be8138c38f2b6b52095a42b34bc415c9572de17386a
- e9b832fa02235b95a65ad716342d01ae87fcdb686b448e8462d6e86c1f4b3156
- f055577220c7dc4be46510b9fed4ecfa78920025d1b2ac5853b5bf7ea136cf37
- f7ae6b5ed444abfceda7217b9158895ed28cfdd946bf3e5c729570a5c29d5d82
- b843d7498506ddc272e183bbe90cf73cc4779b37341108e002923aa938ca9169
- 77dec8fc40ff9332eb6d40ded23d606c88d9fa3785a820ea7b1ef0d12a5c4447
- f52fb7ba5061ee4144439ff652c0b4f3cf941fe37fbd66e9d7672dd213fbcdb2
- beee37fb9cf3e02121b2169399948c1b0830a626d4ed27a617813fa67dd91d58
- b4c11c97d23ea830bd13ad4a05a87be5d8cc55ebdf1e1b458fd68bea71d80b54
- f1425cff3d28afe5245459afa6d7985081bc6a62f86dce64c63daeb2136d7d2c
- c619edb3fa8636c50b59a42d0bdc4c71cbd46a0586b683773e9a5e509f688176
- 50a479f16713d03b95103e0a95a3d575b7263bd16c334258eefa3ae8f46e3d1d
- 83b5c6d73f3fc893dbd7effa7c50dc9b2455ec053aa9c51d70e13305ecf21fa4
- 02894fa01c9b82dcfd93e35f49a0d5408f7f4f8a25f33ad17426bb00afa71f63
- 98ba86c1273b5e8d68ce90ac1745d16335c5e04ec76e8c58448ae6c91136fc4d
- 5fa5b5dddfe588791b59c945beba1f57a74bd58b53a09d38ac8a8679a0541f16
x4k Infrastructure
- 164[.]68[.]114[.]29
- 167[.]86[.]87[.]27
- 63[.]250[.]53[.]180
- 45[.]15[.]19[.]130
- 46[.]39[.]229[.]17
- http://www.zxlab.iol4cky[.]men
- btc-trazer[.]xyz
- sandbox[.]x4k[.]me
- malware[.]x4k[.]me
- f[.]x4k[.]me
- 0[.]x4k[.]me
- pwn[.]x4k[.]me
- docker[.]x4k[.]me
- apk[.]x4k[.]me
- x4k[.]me
- powershell[.]services
- vmi378732[.]contaboserver[.]net
- x4k[.]in
- L4cky[.]men
- m[.]x4k[.]me
- mx2[.]l4cky[.]com
- mailhost[.]l4cky[.]com
- www1[.]l4cky[.]com
- authsmtp[.]l4cky[.]com
- ns[.]l4cky[.]com
- mailer[.]l4cky[.]com
- imap2[.]l4cky[.]com
- ns2[.]l4cky[.]com
- server[.]l4cky[.]com
- auth[.]l4cky[.]com
- remote[.]l4cky[.]com
- mx10[.]l4cky[.]com
- ms1[.]l4cky[.]com
- mx5[.]l4cky[.]com
- relay2[.]l4cky[.]com
- ns1[.]l4cky[.]com
- email[.]l4cky[.]com
- imap[.]l4cky[.]com
- mail[.]x4k[.]me
- repo[.]x4k[.]me
- bw[.]x4k[.]me
- collabora[.]x4k[.]me
- cloud[.]x4k[.]me
- yacht[.]x4k[.]me
- book[.]x4k[.]me
- teleport[.]x4k[.]me
- subspace[.]x4k[.]me
- windows[.]x4k[.]me
- sf[.]x4k[.]me
- dc-b00e12923fb6.l4cky[.]men
- box[.]l4cky[.]men
- mail[.]l4cky[.]men
- www[.]l4cky[.]men
- mta-sts[.]l4cky[.]men
- ldap[.]l4cky[.]men
- cloud[.]l4cky[.]men
- office[.]l4cky[.]men
- rexdooley[.]ml
- relay2[.]kuimvd[.]ru
- ns2[.]webmiting[.]ru
- https://фсб[.]com
