HelloXD Ransomware Installing Backdoor on Targeted Systems

The ransomware family is no exception to the norm in that the operators follow the tried-and-tested approach of double extortion to demand cryptocurrency payments by exfiltrating a victim's sensitive data in addition to encrypting it and threatening to publicize the information. The implant in question, named MicroBackdoor, is an open-source malware that's used for command-and-control (C2) communications, with its developer Dmytro Oleksiuk calling it a "really minimalistic thing with all of the basic features in less than 5,000 lines of code." Notably, different variants of the implant were adopted by the Belarusian threat actor dubbed Ghostwriter (aka UNC1151) in its cyber operations against Ukrainian state organizations in March 2022. MicroBackdoor's features allow an attacker to browse the file system, upload and download files, execute commands, and erase evidence of its presence from the compromise machines. It's suspected that the deployment of the backdoor is carried out to "monitor the progress of the ransomware." Unit 42 said it linked the likely Russian developer behind HelloXD - who goes by the online aliases x4k, L4ckyguy, unKn0wn, unk0w, _unkn0wn, and x4kme - to further malicious activities such as selling proof-of-concept (PoC) exploits and custom Kali Linux distributions by piecing together the actor's digital trail. "x4k has a very solid online presence, which has enabled us to uncover much of his activity in these last two years," the researchers said. "This threat actor has done little to hide malicious activity, and is probably going to continue this behavior."