HelloXD Ransomware Variants Found Installing Backdoor on Windows and Linux Machines

Written by

Cybersecurity researchers Unit 42 spotted several variants of the HelloXD ransomware capable of installing a backdoor after infection on both Windows and Linux machines.

Writing in a blog post on the company’s website last week, Unit 42 researchers Daniel Bunce and Doel Santos said they first spotted HelloXD, a ransomware family performing double extortion attacks, in November 2021.

According to an analysis of the ransomware samples, the security experts concluded that HelloXD’s obfuscation and execution tactics contained very similar core functionality to the leaked Babuk/Babyk source code.

Bunce and Santos also observed that one of the samples deployed an open-source backdoor named MicroBackdoor that allowed attackers to browse the file system, upload and download files, execute commands and remove their footprint from the system. 

“We believe this was likely done to monitor the progress of the ransomware and maintain an additional foothold in compromised systems,” the Unit 42 post read.

The malware analysis also suggested HelloXD doesn’t have an active leak site, with malicious actors behind the malware preferring negotiations with victims through Tox chat and onion-based messenger platforms.

In terms of attribution, Bunce and Santos said they found an embedded IP address in the malware sample typically associated with threat actor and developer x4k, also known as L4ckyguy, unKn0wn, unk0w, _unkn0wn and x4kme.

“Additionally, we observed the initial email being linked to a GitHub account[...], as well as various forums including XSS, a known Russian-speaking hacking forum created to share knowledge about exploits, vulnerabilities, malware and network penetration.”

The Unit 42 researchers concluded their post by warning that while HelloXD is a ransomware family in its initial stages, it already intends to impact organizations.

“Ransomware is a lucrative operation if done correctly. Unit 42 has observed ransom demands and average payments going up in the latest Ransomware Threat Report,” Bunce and Santos wrote.

“Unit 42 believes that x4k, this threat actor, is now expanding into the ransomware business to capitalize on some of the gains other ransomware groups are making.”

What’s hot on Infosecurity Magazine?