The file description included the entry VlahmAV, a play on words on ClamAV, and the developer named the ransomware HelloXD and used another potential alias, uKnow, as the developer of HelloXD in the copyright section. Additionally, some of the observed samples include properties information that can be observed in Figure 1. We also have observed additional samples with different versions of the logo, which led us to believe the ransomware developer may like using the ClamAV branding for their ransomware. ClamAV is an open-source antivirus engine used to detect malware. This ransomware family uses a modified ClamAV logo in their executables. HelloXD is a ransomware family first observed in the wild on Nov. Related Unit 42 TopicsĪdditional Resources HelloXD Malware Overview Palo Alto Networks detects and prevents HelloXD and adjacent x4k activity with the following products and services: Cortex XDR and Next-Generation Firewalls (including cloud-delivered security subscriptions such as WildFire).ĭue to the surge of this malicious activity, we’ve created this threat assessment for overall awareness. Deployment of malicious infrastructure.Selling proof-of-concept (PoC) exploits.Unit 42 has observed x4k in various hacking and non-hacking forums, which has linked the threat actor to additional malicious activity such as: We believe this was likely done to monitor the progress of the ransomware and maintain an additional foothold in compromised systems.ĭuring the analysis of the MicroBackdoor sample, Unit 42 observed the configuration and found an embedded IP address, belonging to a threat actor we believe is potentially the developer: x4k, also known as L4ckyguy, unKn0wn, unk0w, _unkn0wn and x4kme. It was also observed that one of the samples deployed MicroBackdoor, an open-source backdoor allowing an attacker to browse the file system, upload and download files, execute commands, and remove itself from the system. Unit 42 performed an in-depth analysis of the ransomware samples, the obfuscation and execution from this ransomware family, which contains very similar core functionality to the leaked Babuk/Babyk source code. Unlike other ransomware groups, this ransomware family doesn’t have an active leak site instead it prefers to direct the impacted victim to negotiations through TOX chat and onion-based messenger instances. During our research we observed multiple variants impacting Windows and Linux systems. HelloXD is a ransomware family performing double extortion attacks that surfaced in November 2021.
0 Comments
Leave a Reply. |