XIAOBA File Corruptor and Miner

XIAOBA is a sophisticated file corruptor and cryptocurrency miner. Formerly used as a ransomware tool, its code has been repurposed with new capabilities to make it more destructive.

At the time of publication, it is unclear how XIAOBA is delivered to a target device. Once installed, it will begin to inject the Coinhive mining script into all .html and .htm files. Other variants have been observed using the XMRig miner instead of Coinhive. Alongside this, XIAOBA will execute a version of itself in the startup folder and delete registry entries to disable safe boot mode.

XIAOBA will also traverse all available directories and corrupt any files with the extensions .exe, .com, .scr and .pif; prepending the files once done. This is the only check it does, meaning files can be infected multiple times. Critical system files are not excluded from this search and if corrupted will render the device inoperable.

Like other malware, it drops and executes a copy of itself for autostart:-

%systemroot%\360\360Safe\deepscan\ZhuDongFangYu.exe

Or in another variant

%systemroot%\svchost.exe

Affected Platforms

Microsoft Windows – All version