XiaoBa ransomware shifts into becoming a cryptominer

by Gabriel E. Hall - - 2018-04-18

Coinminers are taking over ransomware viruses

XIAOBA crypto miner

Since the emergence of deadly cyber attacks, such as WannaCry^[1] and NotPetya, it seems that cybercrooks have shifted to different money generators – coinminers. According to the Comodo Cybersecurity Threat Research Labs, cryptominers were in a top of detected malware incidents in the first quarter of 2018.^[2] The new thing reported by cyber security experts is that these miners are starting to rely on ransomware viruses. The latest example of such trend is XiaoBa virus.^[3]

XiaoBa was first detected as a Chinese ransomware virus in October 2017. Originally, very few people knew about the malware as it was not used in major distribution campaigns. Secondly, ransomware showed up a couple of months after its first attack. This time, it was capable of deleting Shadow Volume Copies, so it is believed that the virus caused more damage to its victims.

The latest version showed up in February 2018 and included a ransom note written in English.^[4] From this time, hackers working behind this ransomware have been targeting the audience outside China.

However, the most surprising discovery was made by security experts from Trend Micro. Recently, they discovered^[5] two variations of XiaoBaMiner that are clearly based on the previously-reported ransomware. Unfortunately, it seems that these two viruses are even more destructive than their predecessor as they can work as cryptocurrency miners and file lockers.

XiaoBa file injector comes with some drawbacks

Once inside the system, XiaoBa scans local files to identify .exe, .com, .scr and .pif files, and then injects its copy. Then, the virus drops a legitimate XMRid crypto mining software. While you may think that cryptominers are less harmful as they do not encrypt files, due to series of bugs in malware’s code, this virus can still corrupt executable files and make PCs crash continually.

Originally, XiaoBa file injector has to be booted with every program that is loaded onto the PC to execute crypto mining. However, due to a poorly written code, it is not what happens. Instead of launching both programs simultaneously, virus opens malicious executables, resulting in program malfunction. What makes it worse is that the same process is repeated all over the hard drive, including main operating system folders. Thus, some of infected systems may fail to start entirely.

Furthermore, malware inserts Coinhive JavaScript library^[6] into every single .html and .htm file on the computer. However, for some unknown reason, it deletes all files with .gho and .iso extensions.

You can avoid nasty computer infections

It is evident that malware does not enter machines on its own. Human is always a trigger who lets viruses in. Thus, with ever-shifting virus patterns, users should be more careful online.

With the help of safe browsing practices and reputable security software, it is possible to avoid devastating consequences of such viruses as XiaoBa which came back to be just as devastating as the ransomware version.

About the author

Gabriel E. Hall - Passionate web researcher

Gabriel E. Hall is a passionate malware researcher who has been working for 2-spyware for almost a decade.

Contact Gabriel E. Hall
About the company Esolutions

References

^ Andrew Liptak. The WannaCry ransomware attack has spread to 150 countries. The Verge. American magazine.
^ Tara Seals. Cryptominers Replace Ransomware as No. 1 Threat. Infosecurity Magazine.
^ Lucia Danes. XiaoBa ransomware virus. How to remove? (Uninstall guide). 2-spyware. Cybersecurity news and articles.
^ Michael Gillespie. New version of XIAOBA ransomware. Twitter. Social network.
^ Ransomware XIAOBA Repurposed as File Infector and Cryptocurrency Miner. Trend Micro. Security researchers.
^ JavaScript library. Wikipedia. The Free Encyclopedia.