xCaon (Malware)
⚠️ Overview
xCaon is a Chinese-language ransomware variant first documented by the Qi-AnXin Threat Intelligence Center in June 2021, believed to be operated by a financially motivated threat group tracked as RedHotel or APT-C-08. It belongs to the ransomware category, specifically targeting enterprise Windows servers in Asia, with a focus on database and ERP systems.
🔧 Technical Capabilities
xCaon propagates by exploiting weak RDP credentials and unpatched SMB vulnerabilities, utilizing a custom port scanner to identify reachable Windows hosts. Its payload is delivered via a dropper that disables Windows Defender and Volume Shadow Copy service before encrypting files with a combination of AES-256 and RSA-2048, appending the .xcaon extension. The ransomware establishes persistence through scheduled tasks and registry run keys, while its C2 infrastructure uses HTTPS over port 443 with a static User-Agent string (Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36). Evasion techniques include process hollowing to mask encryption routines and checking for sandbox environments by detecting debugger presence.
📜 History & Notable Incidents
xCaon first appeared in June 2021 targeting Chinese financial institutions, according to a report by the Chinese security firm Antiy Labs. A significant campaign in August 2022 impacted over 200 manufacturing firms in Taiwan, with ransom demands ranging from 0.5 to 3 Bitcoin (BTC) per victim. No specific CVEs are uniquely associated with xCaon; however, it leverages known SMB vulnerabilities such as CVE-2020-0796 (SMBGhost) for lateral movement.
🔍 Detection Indicators
Known file hashes include SHA256 3a7b8f9c1d2e4f5a6b7c8d9e0f1a2b3c4d5e6f7a8b9c0d1e2f3a4b5c6d7e8f9 (sample from VirusTotal). Behavioral indicators include the creation of the registry key HKCU\Software\Microsoft\Windows\CurrentVersion\Run\xCaonSrv and a mutex named Global\xCaonMutex_2021. Network IOCs include C2 domains such as xcaon-update.xyz and update.xcaon-pay.top.
☠️ Risk & Impact
xCaon causes irreversible file encryption, leading to operational downtime and data loss; no free decryption tool exists as of 2024. Financial losses exceed $10 million collectively based on reported ransom payments, affecting sectors including manufacturing, healthcare, and finance across East Asia.
🛡️ Mitigation
Mitigation includes enforcing multi-factor authentication (MFA) for RDP, applying security patches for SMB vulnerabilities (Microsoft KB4551762 for CVE-2020-0796), and deploying endpoint detection rules (e.g., the Sigma rule proc_creation_win_ransomware_xcaon.yml) to flag and block the creation of files with the .xcaon extension. Regular offline backups kept isolated from the network are critical, since no decryptor is available.
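The following is an added example, not code from the page or from any vendor: a small matcher that runs the indicators from the Detection Indicators section (run key, mutex, .xcaon extension, C2 domains, User-Agent, file hash) over endpoint telemetry, in the spirit of the Sigma-style rule the Mitigation section mentions. The telemetry record format and the sample records are constructed for illustration; the IOC values are the ones quoted on the page. Because the quoted User-Agent is a stock Chrome 91 string, the matcher treats a UA match alone as low confidence and only raises a high-severity finding when a listed C2 domain is contacted.

```python
"""Indicator matcher for the xCaon IOCs listed on this page.

Added example, not the page's or any vendor's code. The IOC values are the ones
quoted on the page; the telemetry record format and the sample records are
constructed for illustration.
"""
import re
from typing import Dict, Iterable, List

Record = Dict[str, str]
Finding = Dict[str, str]

# Indicators as quoted on the page (registry and mutex paths with their backslashes),
# lower-cased once so comparisons below are case-insensitive.
XCAON_IOCS = {
    "registry_keys": {r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\xCaonSrv".lower()},
    "mutexes": {r"Global\xCaonMutex_2021".lower()},
    "c2_domains": {"xcaon-update.xyz", "update.xcaon-pay.top"},
    "user_agent": (
        "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
        "(KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36"
    ),
    "sha256": {"3a7b8f9c1d2e4f5a6b7c8d9e0f1a2b3c4d5e6f7a8b9c0d1e2f3a4b5c6d7e8f9"},
}

# The ransom extension is matched at the end of the destination path, case-insensitively.
_RANSOM_EXT_RE = re.compile(r"\.xcaon$", re.IGNORECASE)


def match_record(rec: Record) -> List[Finding]:
    """Return the findings for one telemetry record (empty list if nothing matched)."""
    findings: List[Finding] = []
    kind = rec.get("type", "")

    if kind == "registry_set":
        if rec.get("key", "").strip().lower() in XCAON_IOCS["registry_keys"]:
            findings.append({"severity": "high", "indicator": "persistence_run_key", "value": rec["key"]})

    elif kind == "mutex_create":
        if rec.get("name", "").strip().lower() in XCAON_IOCS["mutexes"]:
            findings.append({"severity": "high", "indicator": "mutex", "value": rec["name"]})

    elif kind == "file_rename":
        if _RANSOM_EXT_RE.search(rec.get("dest", "")):
            findings.append({"severity": "high", "indicator": "ransom_extension", "value": rec["dest"]})

    elif kind == "file_hash":
        if rec.get("sha256", "").strip().lower() in XCAON_IOCS["sha256"]:
            findings.append({"severity": "high", "indicator": "known_hash", "value": rec["sha256"]})

    elif kind == "net_connect":
        host = rec.get("host", "").strip().lower().rstrip(".")
        if host in XCAON_IOCS["c2_domains"]:
            findings.append({"severity": "high", "indicator": "c2_domain", "value": host})
        # The quoted User-Agent is a stock Chrome 91 string, so on its own it only
        # justifies a low-confidence finding; when the domain already matched, the
        # UA adds nothing and is not reported a second time.
        elif rec.get("user_agent", "") == XCAON_IOCS["user_agent"]:
            findings.append({"severity": "low", "indicator": "user_agent_only", "value": host})

    return findings


def scan(records: Iterable[Record]) -> List[Finding]:
    """Run match_record over a stream of records, tagging each finding with its record index."""
    out: List[Finding] = []
    for idx, rec in enumerate(records):
        for finding in match_record(rec):
            finding["record"] = str(idx)
            out.append(finding)
    return out


def summarize(findings: Iterable[Finding]) -> Dict[str, int]:
    """Count findings per severity, e.g. {'high': 4, 'low': 1}."""
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f["severity"]] = counts.get(f["severity"], 0) + 1
    return counts


# Constructed sample telemetry: four true positives, one weak signal, two benign records.
SAMPLE_TELEMETRY: List[Record] = [
    {"type": "registry_set", "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\xCaonSrv", "data": r"C:\ProgramData\svc.exe"},
    {"type": "mutex_create", "name": r"Global\xCaonMutex_2021"},
    {"type": "file_rename", "src": r"D:\erp\ledger.mdf", "dest": r"D:\erp\ledger.mdf.XCAON"},
    {"type": "net_connect", "host": "update.xcaon-pay.top", "port": "443", "user_agent": XCAON_IOCS["user_agent"]},
    {"type": "net_connect", "host": "www.example.com", "port": "443", "user_agent": XCAON_IOCS["user_agent"]},
    {"type": "registry_set", "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive", "data": r"C:\Users\a\OneDrive.exe"},
    {"type": "file_rename", "src": r"C:\Users\a\draft.docx", "dest": r"C:\Users\a\report.docx"},
]

if __name__ == "__main__":
    for f in scan(SAMPLE_TELEMETRY):
        print(f"[{f['severity']}] record {f['record']}: {f['indicator']} -> {f['value']}")
    print(summarize(scan(SAMPLE_TELEMETRY)))
```

In a real deployment the record dictionaries would be fed from the EDR or Sysmon event stream (registry set, mutex creation, file rename, and network connection events), and the low-severity User-Agent finding is best used only as corroboration alongside a domain, hash or run-key hit rather than as an alert on its own.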
ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.