Researchers have recently discovered a new upgrade to a known ransomware family. Malicious software that was once used to encrypt its victims' files and hold them for ransom now also carries a script that lets it use an infected PC to mine cryptocurrency.
Trend Micro's researchers were the ones to discover that XiaoBa has been repurposed to carry a cryptocurrency-mining payload. This ransomware first appeared last year and was used to take PC files hostage. With the recent upgrade, the software now injects a Coinhive mining script into the HTML and HTM files stored on the infected device, so the mining runs whenever those pages are opened in a browser.
How does Coinhive work?
The upgraded version of XiaoBa behaves like a worm: it can spread from one PC to another as long as they are connected to the same local network, which increases the attacker's gain. The worst part is that the upgraded version is extremely destructive. It infects executable files on the device (.com, .pif, .exe, .scr) in order to deliver its payload, but it also leaves those files unusable in the process.
Two versions of XiaoBa
According to Trend Micro's analysis, XiaoBa currently has two versions. Both carry Coinhive, and both try to disable Windows User Account Control (UAC) notifications as soon as they land on the device. Only one of them also deletes ISO and Norton Ghost images and blocks access to antivirus and forensics-related websites. Another thing they have in common is that both inject the Coinhive script into the pages the user visits.
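Because both variants plant the same Coinhive loader into local HTML and HTM files, one practical triage step is to sweep a suspect machine's web-facing files for that injection. The scanner below is an added example written for this article, not code from Trend Micro or from the XiaoBa samples; it matches the public Coinhive loader URL and the `CoinHive.Anonymous` constructor, requires both to be present before flagging a file (so a page that merely mentions Coinhive in prose is not reported), and runs against constructed sample pages in a temporary directory. The site key in the sample is a placeholder, not a real key.

```python
import re
import tempfile
from pathlib import Path
from typing import Dict, List

# Indicators of an injected Coinhive loader. The script URL and the
# CoinHive.Anonymous constructor are Coinhive's documented public API.
COINHIVE_PATTERNS = {
    "loader_url": re.compile(r"coinhive\.com/lib/coinhive(?:\.min)?\.js", re.I),
    "anonymous_miner": re.compile(r"CoinHive\.Anonymous\s*\(", re.I),
    "miner_start": re.compile(r"\.start\s*\(", re.I),
}

# File types the article says XiaoBa injects into.
SCAN_SUFFIXES = {".html", ".htm"}


def find_coinhive_indicators(html: str) -> List[str]:
    """Return the names of every Coinhive indicator present in an HTML document."""
    return [name for name, pat in COINHIVE_PATTERNS.items() if pat.search(html)]


def is_injected(html: str) -> bool:
    """Flag only when the loader URL and the miner constructor both appear."""
    hits = set(find_coinhive_indicators(html))
    return {"loader_url", "anonymous_miner"} <= hits


def scan_tree(root: Path) -> Dict[str, List[str]]:
    """Walk root and return {path: indicators} for every injected .html/.htm file."""
    findings: Dict[str, List[str]] = {}
    for path in root.rglob("*"):
        if not path.is_file() or path.suffix.lower() not in SCAN_SUFFIXES:
            continue
        text = path.read_text(errors="replace")
        if is_injected(text):
            findings[str(path)] = find_coinhive_indicators(text)
    return findings


# Constructed sample documents (not taken from any real infection).
CLEAN_PAGE = "<html><body><h1>Hello</h1></body></html>"
INJECTED_PAGE = (
    "<html><body><h1>Hello</h1>"
    '<script src="https://coinhive.com/lib/coinhive.min.js"></script>'
    "<script>var miner = new CoinHive.Anonymous('EXAMPLE_SITE_KEY_NOT_REAL');"
    "miner.start();</script></body></html>"
)


def demo() -> Dict[str, List[str]]:
    """Write the samples to a scratch directory and scan it; returns the findings."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "index.html").write_text(CLEAN_PAGE)
        (root / "report.htm").write_text(INJECTED_PAGE)
        (root / "notes.txt").write_text(INJECTED_PAGE)  # wrong suffix: not scanned
        return scan_tree(root)


if __name__ == "__main__":
    for found_path, hits in demo().items():
        print(f"{found_path}: {', '.join(hits)}")
```

On a real host, point `scan_tree` at the user profile and any web roots rather than the whole drive, and treat a hit as an indicator to pivot from (the infected executables and UAC changes described above are the more important cleanup), not as the complete picture.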
The first reports of XiaoBa came in October 2017 from MalwareHunterTeam. It would infect a PC and disguise itself as a system file, then disable the computer's firewall and block websites that focus on PC security. After that, it would modify the PC's registry, allowing additional malware to land on the system.
[Embedded tweet: MalwareHunterTeam (@malwrhunterteam), October 27, 2017]
This is not how a typical ransomware operates: it only encrypts files and forces the victim to pay to get them back. What we are looking at here is next-generation, crypto-mining ransomware.