Key Takeaways
- HexaLocker was first discovered in mid-2024, with version 2 introducing significant updates and enhanced functionality.
- HexaLocker V2 features a persistence mechanism that modifies registry keys to ensure continued execution after the affected system reboots.
- The updated version downloads Skuld Stealer, which extracts sensitive information from the victim’s system before encryption.
- Unlike its predecessor, HexaLocker V2 exfiltrates victim files before encrypting them, following the double extortion model of data theft plus file encryption.
- HexaLocker V2 uses a combination of advanced encryption algorithms, including AES-GCM for string encryption, Argon2 for key derivation, and ChaCha20 for file encryption.
- HexaLocker V2 replaces the TOXID communication method with a unique hash, enabling victims to communicate with the Threat Actors’ (TAs’) site.
Executive Summary
On August 9th, the HexaLocker ransomware group announced a new Windows-based ransomware on their Telegram channel. The post highlighted that the ransomware was developed in the Go programming language and claimed that their team included members from notable groups such as LAPSUS$ and others. Following this announcement, researchers from Synacktiv analyzed this ransomware variant and published their findings shortly after.
On October 21st, cybersecurity researcher PJ04857920 shared a post on X revealing that, based on information from the HexaLocker group’s Telegram channel, the admin behind HexaLocker had decided to shut down the operation and put the ransomware’s source code and web panel up for sale.
Later, on December 12th, they provided another update on X, stating that the HexaLocker ransomware had been revived, with signs of ongoing development and activity. The Telegram post also mentioned that the upgraded version of HexaLocker would feature enhanced encryption algorithms, stronger encryption passwords, and new persistence mechanisms.
Cyble Research and Intelligence Labs (CRIL) came across a new version of the HexaLocker ransomware. Upon execution, it copies itself to the %appdata% directory, creates a Run entry for persistence, encrypts files, and appends the “HexaLockerV2” extension to them.
Prior to encryption, the ransomware also steals the victim’s files and exfiltrates them to a remote server. Notably, in this new version, the ransomware downloads an open-source stealer named Skuld to collect sensitive information from the victim’s machine before encryption. The figure below shows the HexaLocker ransomware site used for victim communication.
Technical Details
Persistence
Upon execution, the HexaLocker ransomware creates a self-copy named “myapp.exe” in the “%appdata%\MyApp” directory and establishes persistence by adding an AutoRun entry under “HKCU\Software\Microsoft\Windows\CurrentVersion\Run” with the value name “MyAppAutostart”, ensuring the ransomware binary executes upon system reboot.
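The Run-key entry above is a cheap, high-confidence hunt artefact. The following Python script is an added example (not code from the Cyble write-up or from the HexaLocker binary) that checks the current user's Run key for it: on Windows it enumerates the key live via `winreg`, elsewhere it parses a `reg export` text dump, and in both cases it flags the `MyAppAutostart` value name or any image path ending in `\MyApp\myapp.exe`. The `.reg` sample, the user name `alice` and the benign OneDrive entry are constructed for the demonstration.

```python
"""Hunt for the HexaLocker V2 AutoRun persistence entry.

Reads the current user's Run key either live (Windows, via winreg) or from a
`reg export` text dump, and flags entries matching the reported artefacts.
"""
import os
import re
from typing import Dict, List

# Artefacts reported for HexaLocker V2: the value name and the self-copy location.
SUSPECT_VALUE_NAME = "MyAppAutostart"
SUSPECT_IMAGE_SUFFIX = r"\MyApp\myapp.exe"
RUN_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run"

# Constructed sample of `reg export "HKCU\...\Run" run.reg` on a hypothetical
# host for user "alice": one benign entry plus the HexaLocker V2 entry.
SAMPLE_REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background"
"MyAppAutostart"="C:\\Users\\alice\\AppData\\Roaming\\MyApp\\myapp.exe"
'''

# A .reg string value line: "name"="data", with \" and \\ escapes inside data.
_VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<data>.*)"$')


def parse_run_values(reg_text: str) -> Dict[str, str]:
    """Return {value_name: data} for the Run key section of a .reg export."""
    values: Dict[str, str] = {}
    in_run_key = False
    for raw in reg_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            in_run_key = line[1:-1].lower() == RUN_KEY.lower()
            continue
        if not in_run_key:
            continue
        m = _VALUE_RE.match(line)
        if m:
            # Undo .reg escaping: \" -> " and \\ -> \
            values[m.group("name")] = re.sub(r"\\(.)", r"\1", m.group("data"))
    return values


def image_path(data: str) -> str:
    """Extract the executable path from Run value data ("quoted path" args | path args)."""
    data = data.strip()
    if data.startswith('"'):
        end = data.find('"', 1)
        return data[1:end] if end > 0 else data[1:]
    return data.split(" ", 1)[0]


def find_hexalocker_persistence(values: Dict[str, str]) -> List[str]:
    """Return the Run value names matching the HexaLocker V2 persistence pattern."""
    hits: List[str] = []
    for name, data in values.items():
        path = image_path(data).lower()
        if name == SUSPECT_VALUE_NAME or path.endswith(SUSPECT_IMAGE_SUFFIX.lower()):
            hits.append(name)
    return hits


def live_run_values() -> Dict[str, str]:
    """Windows only: enumerate HKCU Run values directly via winreg."""
    import winreg  # standard library, but only present on Windows
    values: Dict[str, str] = {}
    sub_key = r"Software\Microsoft\Windows\CurrentVersion\Run"
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, sub_key) as key:
        index = 0
        while True:
            try:
                name, data, _ = winreg.EnumValue(key, index)
            except OSError:  # raised once there are no more values
                break
            values[name] = str(data)
            index += 1
    return values


if __name__ == "__main__":
    vals = live_run_values() if os.name == "nt" else parse_run_values(SAMPLE_REG_EXPORT)
    for hit in find_hexalocker_persistence(vals):
        print(f"[!] suspicious Run entry: {hit} -> {vals[hit]}")
```

On a live Windows host the script needs no arguments; for offline review, export the key with `reg export` and pass the file contents to `parse_run_values`. Matching on the image path as well as the value name means a renamed value still gets caught as long as the binary sits in its reported drop location.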
Obfuscation
All string references, including the stealer URL, file paths, folder names, environment variable names, WMIC commands, and the ransom note, are generated at runtime through multiple layers of AES-GCM decryption. This approach effectively obfuscates the strings, making them harder for security solutions to detect. In contrast, all strings in the previous version were statically visible.
Stealer
Prior to initiating the encryption process, the ransomware downloads a stealer binary, a Go-compiled program, from the URL hxxps[:]//hexalocker.xyz/SGDYSRE67T43TVD6E5RD[.]exe and executes it from the current directory. This stealer functionality was absent in the previous version of HexaLocker.
The downloaded stealer, identified as Skuld, is an open-source tool designed to target Windows systems and steal user data from various applications such as Discord, browsers, crypto wallets, and more.
In this case, the TA has used only the browser module out of the many available in the open-source Skuld Stealer. The image below shows function names corresponding only to the browser module of the Skuld project.
The stealer collects various sensitive data stored by Chromium- and Gecko-based browsers, such as cookies, saved credit card information, downloads, browsing history, and login credentials. Skuld Stealer targets the following web browsers in this campaign.
Gecko-based browsers: Firefox, SeaMonkey, Waterfox, K-Meleon, Thunderbird, IceDragon, Cyberfox, BlackHaw, Pale Moon, mercury
Chromium-based browsers: Chrome SxS, ChromePlus, 7Star, Chrome, Chedot, Vivaldi, Kometa, Elements Browser, Epic Privacy Browser, Uran, Fenrir Inc, Citrio, Coowon, liebao, QIP Surf, Orbitum, Dragon, 360Browser, Maxthon3, K-Melon, CocCoc, BraveSoftware, Amigo, Torch, Sputnik, Edge, DCBrowser, YandexBrowser, UR Browser, Slimjet, Opera
The stolen data is compressed into a ZIP archive named ‘BrowsersData-*.zip’ and saved in the AppData\Local\Temp directory before being exfiltrated to the remote server “hxxps://hexalocker[.]xyz/add.php”. The image below shows the console output of the stealer upon completing each stage.
Exfiltration
After executing the stealer payload, the ransomware exfiltrates the victim’s files by scanning all folders starting from “C:\” to find files with extensions matching those listed in the table below. The identified files are compiled into a single ZIP archive named “data_*.zip”, saved in the “%localappdata%\Data\HexaLocker” directory, and subsequently transmitted to the attacker’s remote server via “hxxps[:]//hexalocker.xyz/obtain.php”.

| Category | File Types |
| --- | --- |
| Documents | .pdf, .doc, .docx, .rtf, .txt, .wps, .xls, .xlsx, .csv, .ppt, .pot, .xps, .xsd, .xml |
| Images | .jpg, .jpeg, .png, .bmp, .gif, .tif, .tiff, .ico, .jpe, .dib, .raw, .psd, .exr, .bay |
| Audio | .mp3, .wav, .wma, .m4a, .m4p, .flac, .aac, .amr, .ogg, .adp |
| Video | .mp4, .mkv, .avi, .mov, .wmv, .flv, .3gp, .m4v, .amv, .swf |
| Compressed Files | .zip, .rar, .7z, .tar, .gz, .bz2, .cab, .iso, .lzh, .ace, .arj |
| Code & Scripts | .php, .asp, .htm, .html, .js, .jsp, .css, .py, .java, .c, .cpp, .asm, .vbs, .cmd, .bat |
| Executable Files | .exe, .msi, .dll, .apk, .lnk |
| Database Files | .db, .dbf, .mdb, .sql, .odc, .odm, .pst, .mdf, .myi, .tab |
| 3D/Design Files | .3ds, .dae, .stl, .max, .dwg, .dxf, .obj, .r3d, .kmz, .choose |
| Web/Markup Files | .html, .htm, .xml, .xsl, .rss, .cfm, .xsf |
| System/Backup Files | .bak, .cer, .crt, .pfx, .p12, .p7b, .log, .cfg, .ini, .lnk |
| Others | .sum, .sln, .dif, .dmg, .p7c, .choose, .sie, .key, .vob |
Encryption
The ransomware generates the key and salt needed for encryption and sends them to a remote server at “hxxps[:]//hexalocker.xyz/index[.]php”, along with host-specific details such as the IP address, computer name, and ID. This information is used to identify victims and to facilitate recovery of the encrypted files.
Once the collected information has been transmitted to the attacker, HexaLocker proceeds to scan the “C:\Users\<username>” directory on the victim’s machine. It searches for files that match a specific set of extensions, as listed in the table below.

| Category | Extensions |
| --- | --- |
| Text Documents | .txt, .doc, .odt, .rtf, .wps, .dot |
| Databases | .sql, .mdb, .dbf, .pdb, .mdf, .mdw, .myi |
| Spreadsheets | .xls, .ods, .csv, .xla, .xlw, .xlm, .xlt, .slk |
| Presentations | .ppt, .odp, .pps, .pot |
| Programming Files | .cpp, .css, .php, .asp, .ini, .inc, .obj, .bat, .cmd, .vbs, .jsp, .asm, .cfm |
| Archives | .zip, .rar, .tar, .iso, .bz2, .cab, .lzh, .ace, .arj |
| Images | .jpg, .png, .bmp, .gif, .tif, .ico, .psd, .raw, .svg, .jpe, .dib, .iff, .dcm, .bay, .dcr, .nef, .orf, .r3d |
| Audio | .mp3, .mka, .m4a, .wav, .wma, .flv, .pls, .adp |
| Video | .mp4, .mkv, .avi, .mov, .wmv, .3gp, .m4v, .amv, .m4p, .vob, .mpv, .3g2, .f4v, .m1v |
| Web Files | .htm, .html, .xml, .css, .js, .jsp, .rss |
| Executables | .exe, .jar, .msi, .dll |
| Scripts | .php, .asp, .vbs, .cmd, .bat |
| Backup/Logs | .bak, .log |
| 3D/CAD | .3ds, .dae, .dwg, .max, .geo |
| Compressed | .zip, .rar, .tar, .bz2, .gz |
| Configuration | .ini, .cfg, .xml |
| Emails | .msg, .oft, .pst, .dbx |
| Fonts | .ttf, .otf, .woff |
| Certificates | .crt, .cer, .pfx, .p12, .p7b, .p7c |
| Others | .lnk, .dat, .sum, .choose, .dic, .tbi, .xps, .key, .tab, .stm, .ai3, .ai4, .ai5, .ai6, .ai7, .ai8, .choose |
The ransomware reads the content of the original file and uses the ChaCha20 algorithm to encrypt the data. Once encryption is complete, it creates a new file with the “.HexaLockerV2” extension and writes the encrypted content to this newly created file. The ransomware then deletes the original file using the os.Remove function, leaving only the encrypted file behind. The figure below shows the ChaCha20 encryption routine used by the ransomware binary.
The figure below illustrates the files encrypted by the HexaLocker ransomware, which carry the “.HexaLockerV2” extension.
Finally, the ransomware displays a ransom note to the victim, instructing them to contact the TA through their communication channels, such as Signal, Telegram, and Web Chat, as shown below.
The ransom note contains a unique personal hash, which the victim uses to communicate with the TA through a chat window provided by the attacker, as shown below.
Conclusion
The new version of HexaLocker ransomware represents a significant upgrade, incorporating enhanced encryption logic and a customized stealer component. Developed in Go, this ransomware benefits from Go’s efficiency, making it more challenging for endpoint solutions to detect.
Before initiating the encryption process, the ransomware employs the Skuld stealer to collect sensitive information from the victim’s machine. This strategic combination of the Skuld stealer and the ransomware highlights the continuous evolution and sophistication of the HexaLocker group, posing an ongoing threat to targeted systems.
The YARA rule to detect HexaLocker Version 2 is available for download from the linked GitHub repository.
Our Recommendations
We have listed some essential cybersecurity best practices that form the first line of control against attackers. We recommend that our readers follow the best practices given below:
Safety Measures to Prevent Ransomware Attacks
- Regularly back up important files to offline or cloud storage, ensuring they are stored securely and not connected to the main network.
- Enable automatic updates on your operating system, applications, and security software to ensure you receive the latest patches and security fixes.
- Implement endpoint protection with reputable anti-virus and anti-malware software to detect and block potential ransomware threats.
- Educate employees or users about phishing attacks and suspicious email links, which are common ransomware delivery methods.
- Restrict user privileges and avoid running unnecessary services to minimize the attack surface, ensuring users only have access to the resources they need.
MITRE ATT&CK® Techniques
| Tactic | Technique ID | Procedure |
| --- | --- | --- |
| Execution (TA0002) | User Execution (T1204.002) | User executes the ransomware file. |
| Persistence (TA0003) | Registry Run Keys / Startup Folder (T1547.001) | Adds a Run key entry for execution on reboot. |
| Defense Evasion (TA0005) | Deobfuscate/Decode Files or Information (T1140) | Ransomware decrypts strings using the AES algorithm. |
| Discovery (TA0007) | File and Directory Discovery (T1083) | Ransomware enumerates folders for file encryption and file deletion. |
| Impact (TA0040) | Data Encrypted for Impact (T1486) | Ransomware encrypts files for extortion. |
| Credential Access (TA0006) | Credentials from Password Stores: Credentials from Web Browsers (T1555.003) | Retrieves passwords from the browser Login Data store. |
| Credential Access (TA0006) | Steal Web Session Cookie (T1539) | Steals browser cookies. |
| Collection (TA0009) | Archive via Utility (T1560.001) | A ZIP utility is used to compress the data before exfiltration. |
| Exfiltration (TA0010) | Exfiltration Over C2 Channel (T1041) | Stolen archives are sent to the attacker’s server. |
Indicators of Compromise (IOCs)
| Indicator | Indicator Type | Description |
| --- | --- | --- |
| 8b347bb90c9135c185040ef5fdb87eb5cca821060f716755471a637c350988d8 | SHA-256 | Stealer |
| 0347aa0b42253ed46fdb4b95e7ffafa40ba5e249dfb5c8c09119f327a1b4795a | SHA-256 | HexaLockerV2 |
| 28c1ec286b178fe06448b25790ae4a0f60ea1647a4bb53fb2ee7de506333b960 | SHA-256 | HexaLockerV2 |
| d0d8df16331b16f9437c0b488d5a89a4c2f09a84dec4da4bc13eab15aded2e05 | SHA-256 | HexaLockerV2 |
| hxxps[:]//hexalocker.xyz/SGDYSRE67T43TVD6E5RD[.]exe | URL | Stealer download URL |
| hxxps[:]//hexalocker[.]xyz/add[.]php | URL | Stealer exfiltration endpoint |
| hxxps[:]//hexalocker[.]xyz/obtain[.]php | URL | Ransomware file exfiltration endpoint |
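The staging archives from the Exfiltration section, the “.HexaLockerV2” extension from the Encryption section and the SHA-256 hashes above give a responder a small, concrete checklist. The following Python sweep is an added example (not code from Cyble or from the HexaLocker project) that walks a directory tree and reports encrypted files, staging archives (`BrowsersData-*.zip`, `data_*.zip`) and executables whose SHA-256 matches the IOC list. The sample tree it builds under a temporary directory, including the user name `alice` and the placeholder `myapp.exe`, is constructed for the demonstration, so no real hash matches on it.

```python
"""Filesystem triage for HexaLocker V2 artefacts and the published hash IOCs."""
import fnmatch
import hashlib
import os
import tempfile
from pathlib import Path
from typing import Dict, List

ENCRYPTED_SUFFIX = ".hexalockerv2"                    # compared case-insensitively
STAGING_GLOBS = ("BrowsersData-*.zip", "data_*.zip")  # stealer / ransomware staging archives
HASHED_SUFFIXES = {".exe"}                            # only hash likely payload files

# SHA-256 IOCs as listed in the table above.
KNOWN_SHA256 = {
    "8b347bb90c9135c185040ef5fdb87eb5cca821060f716755471a637c350988d8": "Skuld stealer",
    "0347aa0b42253ed46fdb4b95e7ffafa40ba5e249dfb5c8c09119f327a1b4795a": "HexaLockerV2",
    "28c1ec286b178fe06448b25790ae4a0f60ea1647a4bb53fb2ee7de506333b960": "HexaLockerV2",
    "d0d8df16331b16f9437c0b488d5a89a4c2f09a84dec4da4bc13eab15aded2e05": "HexaLockerV2",
}


def sha256_of(path: Path) -> str:
    """Stream a file through SHA-256 so large files never need to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def sweep(root: Path, hashes: Dict[str, str] = KNOWN_SHA256) -> Dict[str, List[str]]:
    """Walk `root` and collect three kinds of findings, each a list of path strings."""
    findings: Dict[str, List[str]] = {"encrypted": [], "staging": [], "hash_match": []}
    for dirpath, _dirs, filenames in os.walk(root):
        for name in filenames:
            path = Path(dirpath) / name
            if name.lower().endswith(ENCRYPTED_SUFFIX):
                findings["encrypted"].append(str(path))
            if any(fnmatch.fnmatchcase(name, pattern) for pattern in STAGING_GLOBS):
                findings["staging"].append(str(path))
            if path.suffix.lower() in HASHED_SUFFIXES:
                label = hashes.get(sha256_of(path))
                if label:
                    findings["hash_match"].append(f"{path} ({label})")
    return findings


def build_sample_tree() -> Path:
    """Constructed sample: a throwaway tree imitating a hit host (hypothetical user 'alice')."""
    root = Path(tempfile.mkdtemp(prefix="hexa_triage_"))
    docs = root / "Users" / "alice" / "Documents"
    docs.mkdir(parents=True)
    (docs / "report.docx.HexaLockerV2").write_bytes(b"\x00" * 32)  # encrypted victim file
    (docs / "notes.txt").write_text("untouched")                     # clean file
    temp = root / "Users" / "alice" / "AppData" / "Local" / "Temp"
    temp.mkdir(parents=True)
    (temp / "BrowsersData-1234.zip").write_bytes(b"PK\x05\x06")      # stealer staging archive
    tools = root / "tools"
    tools.mkdir()
    (tools / "myapp.exe").write_bytes(b"MZ placeholder, not real malware")
    return root


if __name__ == "__main__":
    sample_root = build_sample_tree()
    for kind, paths in sweep(sample_root).items():
        for p in paths:
            print(f"[{kind}] {p}")
```

Point `sweep` at a mounted evidence image or a user profile root rather than the sample tree to use it for real; extend `KNOWN_SHA256` as further samples are published. Hashing is limited to `.exe` files to keep the walk fast, since the listed IOCs are all executables.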
References
https://www.trellix.com/en-in/blogs/research/skuld-the-infostealer-that-speaks-golang
https://www.synacktiv.com/publications/lapsus-is-dead-long-live-hexalocker.html