The authors of the XiaoBa ransomware have retooled their malware's code into a cryptocurrency miner (coinminer).
Unfortunately, despite not encrypting files anymore, the XiaoBa coinminer still destroys users' data thanks to a series of bugs that primarily corrupt a user's executable files.
History of the XiaoBa ransomware
The XiaoBa ransomware is one of those ransomware strains that's been active on the malware scene for months, but very few people have heard of it, mainly because it was never at the center of a mass distribution campaign.
These first two versions only targeted Chinese users, but a third version released in February, this year, also contained ransom notes in English, suggesting its author might have expanded his targeting base.
New (faulty) XiaoBa version discovered
But now, Trend Micro researcher say they identified what appears to be a modified version of the XiaoBa ransomware, but coded to work as a file infector and cryptocurrency miner.
You'd think that XiaoBa getting converted into a coinminer is a good thing. However, it is not so. This new XiaoBa coinminer contains sloppy code that destroys user files and will crash PCs.
The reason this happens is because of the XiaoBa "file infector," a component that scans the local file system and appends the XiaoBa malware to other files.
According to Trend Micro experts, the current version of the XiaoBa coinminer will inject a copy of itself and the legitimate XMRig cryptocurrency mining software inside all EXE, COM, SCR, and PIF files found on an infected computer.
But Trend Micro researchers say this "executable injection routine" has been poorly coded, so much so that XiaoBa injects multiple versions of itself into other executables, and may even take legitimate executables and inject them into other legitimate executables many times over.
The main disadvantage of this faulty file injection process is that it artificially inflates file sizes, taking up local disk space.
New XiaoBa coinminer destroys executables, crashes PCs
But this isn't the only problem. Crooks created the file injector process to make sure that regardless of what application the user starts, the XiaoBa coinminer also runs beside it. However, they messed up their code and running any of the "injected" executables only starts the coinminer, but not the legitimate app.
Furthermore, the XiaoBa file infector also attaches the coinminer to executables all over the hard drive, including core operating system folders.
Because the injection process is faulty and the "injected" process doesn't start, this leads to issues where users' computers will not be able to boot because core Windows executables have been accidentally neutered by the shoddy XiaoBa file injector component.
XiaoBa also injects Coinhive in local HTML files
With XiaoBa inflicting such damage to users' computers, even if there's no file encryption features included with this new XiaoBa version, the malware is as dangerous as the first three ransomware variants, and users may need to restore from backups to recover deleted or "injected" files.
IOCs and other details about this new XiaoBa variant are available in a Trend Micro report, here.