Unit 42 researchers wrote that they have seen two publicly available versions of HelloXD, an indication that the code is still under development. Other ransomware groups, including those using LockBit 2.0, also use Tox Chat to communicate, they noted.

A key change in the latest version of HelloXD is the encryption algorithm. The first version uses Curve25519-Donna and a modified HC-128 algorithm to encrypt data in the files and is the less modified of the two versions relative to the original Babuk code. In the most recent version, dubbed by Unit 42 as HelloXD version 2, the developer swapped the modified HC-128 for the high-speed Rabbit symmetric cipher, again used together with Curve25519-Donna. In addition, the developer changed the file marker from a coherent string to random bytes.

"Both versions have been compiled with the same compiler (believed to be GCC 3.x and above based on the mangling of export names), resulting in very similar exports between not only the ransomware variants, but also other malware that we have linked to the potential author," the researchers wrote.

The most significant change between the two versions was the introduction of an additional payload within version 2 that is a variant of the open-source MicroBackdoor and is encrypted with the WinCrypt API. The backdoor enables an attacker to browse the compromised file system, upload and download files, and execute code remotely (RCE). It also can remove itself from the system. The fact that the backdoor is delivered together with the ransomware is itself unusual.

"As the threat actor would normally have a foothold into the network prior to ransomware deployment, it raises the question of why this backdoor is part of the ransomware execution," they wrote. "One possibility is that it is used to monitor ransomed systems for blue team and incident response (IR) activity, though even in that case it is unusual to see offensive tools dropped at this point in the infection."

The researchers were also able to see a hardcoded IP address that was used as the command-and-control (C2) server, which accelerated their hunt for the probable bad actor behind HelloXD.