Researchers have recently discovered a new upgrade added to a known ransomware. Malicious software, that was once used for encrypting its victims’ files and holding them for ransom, now also has a script that allows it to use an infected PC for mining cryptos.
Trend Micro’s researchers were the ones to discover that XiaoBa has been repurposed to carry a crypto miner payload. This ransomware first appeared last year and was used to taking PC files hostage. However, with the recent upgrade, this software now injects a Coinhive mining script in HTML and HTM files that the infected device is using.
How does Coinhive work?
Coinhive is a special component based in JavaScript, which gets injected into a webpage when the PC’s user visits those pages. It proceeds to mine cryptocurrencies through the browser while hiding in the background. This impacts the device’s speed and resources. After the user leaves the page infected by Coinhive, the mining process stops, and the PC regains its usual performance. However, if the Coinhive resides in the browser’s extensions on the infected page, the user cannot get away from it as long as the browser is open.
The upgraded version of XiaoBa acts like a worm that can go from one PC to another as long as they are connected to the same local network. By doing so, it increases the hacker’s gain. The worst part is that the upgraded version of this ransomware is extremely destructive. It infects binary files of the device (.com, .pif, .exe, .scr) in order to deliver its payload, but it also completely destroys them while doing so.
Two versions of XiaoBa
According to research, XiaoBa currently has two versions, and they are both carriers of Coinhive and both will try to disable Windows User Account Control notifications as soon as they land on the device. Only one of them will delete ISO, Norton Ghost images, and block access to antivirus and forensic-related websites. Another thing they have in common is that both will inject the Coinhive script into the pages the users visit.
The first reports of XiaoBa came in 2017 by MalwareHunter Team. It would infect a PC and make itself look like a system file, then disable the computers’ firewalls, and block websites that are focusing on PC security. After that, it would modify the registry of the PC, and allow additional viruses to land on the system.
XiaoBa ransomware: a Chinese junk…
Sample: https://t.co/kz7KXb0H7W
Extension: .XiaoBa1 to .XiaoBa34@BleepinComputer @demonslay335 pic.twitter.com/scGxgwBW1q— MalwareHunterTeam (@malwrhunterteam) October 27, 2017
This is not a usual method of operation of a typical ransomware, which only encrypts files and forces the victim to pay money in order to get them back. We are looking at next-gen crypto-mining ransomware.
