Trend Micro recently discovered that hackers repurposed the XiaoBa ransomware to carry a cryptocurrency miner payload. Typically, XiaoBa infects a PC, encrypts its files, and holds those files hostage until the victim delivers a payment to hackers. But in this case, the new payload injects the Coinhive mining script into HTM and HTML files used by the infected PC.
Coinhive is a JavaScript-based component that is injected into webpages. It uses a visiting PC’s processor to mine digital coins in the background although computers take a noticeable performance hit during the process. Typically, the mining ends once you leave the Coinhive-infested page, bringing your processor’s performance back up to speed. But Coinhive can also secretly reside in browser extensions, making an escape from the grueling process impossible while the browser remains open.
The new XiaoBa variant appears to have a worm-style component, meaning it could spread from PC to PC connected to a local network, thus increasing the hackers’ financial gains. But that is not the worst-case scenario: This variant is also highly destructive. The revised code infects legitimate binary files (exe, com, scr, pif) to deliver the payload but destroys these files in the process.
“The malware will prepend itself to any file with the above extension,” the security firm states. “That is the only criteria checked before infection, unlike other malware that typically look for certain conditions or markers before infecting the file. It also traverses all directories. It will not avoid critical system files and can render the system critically unstable if it is not dealt with properly.”
Trend Micro says the malware infects files of all sizes and does not leave any markers on the infected file, allowing for multiple infections — 10 as shown in one example — on a single PC. Thus, not only is the processor bogged down from the mining aspect, but the “stacked” infections consume large amounts of memory and likely a big chunk of disk space, too.
Trend Micro currently knows of only two versions of the XiaoBa variant, both of which carry the Coinhive payload. Both will disable Windows User Account Control notifications while only one deletes Norton Ghost images, disk media images (ISO), and blocks access to anti-virus and forensic-related websites. Presumably, both inject the Coinhive script into webpages as they are downloaded and cached locally on the PC’s storage device.
What is not clear is how PCs obtain the XiaoBa variants in the first place. Malware is typically spread through email and social network scams, requiring victims to click a link that downloads the malicious file. According to Trend Micro, one of the two variants propagates by using removable drives, like a USB-based storage stick.
XiaoBa was first reported by MalwareHunter Team at the end of 2017. Once it lands on a PC, it disguises itself as system files, disables the firewall, and blocks security-focused websites. It also modifies the PC’s registry and allows other viruses to infect the system. That doesn’t even cover the ransomware aspect, which encrypts files until victims pay a ransom.