HexaLocker V2: Skuld Stealer Paving the Way prior to Encryption

HexaLocker V2 is a newly updated ransomware variant that incorporates advanced functionalities such as a persistence mechanism, a data exfiltration process using Skuld Stealer, and enhanced encryption methods. The ransomware targets Windows systems, employing a double extortion tactic by stealing and encrypting files. Affected: HexaLocker, Skuld Stealer

Key points:

  • HexaLocker was first discovered in mid-2024, with version 2 introducing significant updates.
  • HexaLocker V2 modifies registry keys for persistence after system reboots.
  • The updated version downloads Skuld Stealer to extract sensitive information before encryption.
  • HexaLocker V2 employs a double extortion method, exfiltrating files before encryption.
  • It uses advanced encryption algorithms including AES-GCM, Argon2, and ChaCha20.
  • The communication method has shifted from TOXID to a unique hash for victim interaction.
  • The ransomware was developed in Go, making it efficient and harder to detect.
  • Cybersecurity researchers have noted ongoing development and activity of HexaLocker.

MITRE Techniques:

  • User Execution (T1204.002) – User executes the ransomware file.
  • Registry Run Keys / Startup Folder (T1547.001) – Adds a Run key entry for execution on reboot.
  • Deobfuscate/Decode Files or Information (T1140) – Ransomware decrypts strings using the AES algorithm.
  • File and Directory Discovery (T1083) – Ransomware enumerates folders for file encryption and deletion.
  • Data Encrypted for Impact (T1486) – Ransomware encrypts files for extortion.
  • Credentials from Password Stores: Credentials from Web Browsers (T1555.003) – Retrieves passwords from login data.
  • Steal Web Session Cookie (T1539) – Steals browser cookies.
  • Archive via Utility (T1560.001) – Zip utility is used to compress data before exfiltration.
  • Exfiltration Over C2 Channel (T1041) – Exfiltration occurs over a command and control channel.

Indicators of Compromise:

  • [file hash] 8b347bb90c9135c185040ef5fdb87eb5cca821060f716755471a637c350988d8 (SHA-256 Stealer)
  • [file hash] 0347aa0b42253ed46fdb4b95e7ffafa40ba5e249dfb5c8c09119f327a1b4795a (SHA-256 HexaLockerV2)
  • [file hash] 28c1ec286b178fe06448b25790ae4a0f60ea1647a4bb53fb2ee7de506333b960 (SHA-256 HexaLockerV2)
  • [file hash] d0d8df16331b16f9437c0b488d5a89a4c2f09a84dec4da4bc13eab15aded2e05 (SHA-256 HexaLockerV2)
  • [url] hxxps[:]//hexalocker.xyz/SGDYSRE67T43TVD6E5RD[.]exe (Stealer download URL)
  • See the full article for the complete list of IoCs.
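The indicators above are published in defanged form, so the first thing a responder does is parse them, refang the URL, and sweep a host or share for the listed SHA-256 values. The script below is an added example written for this summary; it is not code from Cyble or from the article. It embeds the indicators exactly as listed above, and the file it hashes in `demo_scan()` is a constructed sample written to a temporary directory, not a real malware sample.

```python
import hashlib
import os
import re
import tempfile
from pathlib import Path
from urllib.parse import urlparse

# The IoC lines from this summary, copied in their defanged form.
RAW_IOCS = """
[file hash] 8b347bb90c9135c185040ef5fdb87eb5cca821060f716755471a637c350988d8 (SHA-256 Stealer)
[file hash] 0347aa0b42253ed46fdb4b95e7ffafa40ba5e249dfb5c8c09119f327a1b4795a (SHA-256 HexaLockerV2)
[file hash] 28c1ec286b178fe06448b25790ae4a0f60ea1647a4bb53fb2ee7de506333b960 (SHA-256 HexaLockerV2)
[file hash] d0d8df16331b16f9437c0b488d5a89a4c2f09a84dec4da4bc13eab15aded2e05 (SHA-256 HexaLockerV2)
[url] hxxps[:]//hexalocker.xyz/SGDYSRE67T43TVD6E5RD[.]exe (Stealer download URL)
"""

# "[kind] value (optional label)" -- the layout used in the list above.
IOC_LINE = re.compile(r"^\[(?P<kind>[^\]]+)\]\s+(?P<value>\S+)\s*(?:\((?P<label>[^)]*)\))?$")


def refang(value):
    """Turn a defanged indicator (hxxps[:]//host[.]tld) back into its literal form."""
    v = value.replace("[:]", ":").replace("[.]", ".").replace("(.)", ".")
    return re.sub(r"^hxxp", "http", v, flags=re.IGNORECASE)


def parse_iocs(text):
    """Split the IoC list into a set of lowercase SHA-256 hashes and a set of refanged URLs."""
    hashes, urls = set(), set()
    for line in text.strip().splitlines():
        m = IOC_LINE.match(line.strip())
        if not m:
            continue  # free-text lines such as "See the full article..." are skipped
        kind, value = m.group("kind"), m.group("value")
        if kind == "file hash":
            hashes.add(value.lower())
        elif kind == "url":
            urls.add(refang(value))
    return hashes, urls


def ioc_hosts(urls):
    """Hostnames to look for in DNS or proxy logs, derived from the URL indicators."""
    return {urlparse(u).hostname for u in urls if urlparse(u).hostname}


def sha256_file(path, chunk=1 << 20):
    """Stream a file through SHA-256 so large files do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def scan_tree(root, hashes):
    """Return (path, sha256) for every regular file under root whose hash is in the IoC set."""
    hits = []
    for p in Path(root).rglob("*"):
        if not p.is_file():
            continue
        try:
            digest = sha256_file(p)
        except OSError:
            continue  # unreadable file: log it in a real sweep, skip it here
        if digest in hashes:
            hits.append((str(p), digest))
    return hits


def demo_scan():
    """Constructed self-check: plant a harmless file, then scan with and without its hash listed.

    Returns (hits when the planted file's hash is an IoC, hits against the published hashes only).
    """
    page_hashes, _ = parse_iocs(RAW_IOCS)
    with tempfile.TemporaryDirectory() as tmp:
        sample = os.path.join(tmp, "constructed_sample.bin")
        with open(sample, "wb") as f:
            f.write(b"constructed sample content, not malware\n")
        planted = page_hashes | {sha256_file(sample)}
        return len(scan_tree(tmp, planted)), len(scan_tree(tmp, page_hashes))


if __name__ == "__main__":
    hashes, urls = parse_iocs(RAW_IOCS)
    print(f"{len(hashes)} hashes, hosts to watch: {sorted(ioc_hosts(urls))}")
    print("self-check (planted hits, published-only hits):", demo_scan())
```

Run it with a real root (`scan_tree("/mnt/evidence", hashes)`) to sweep an image or share; the hostnames from `ioc_hosts` are what you would search in DNS and proxy telemetry rather than the full URL, since the download path may change between samples.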


Full Research: https://cyble.com/blog/hexalocker-v2-being-proliferated-by-skuld-stealer/