XIAOBA Ransomware

During our investigation we found a sophisticated file infector with cryptocurrency-mining and worm capabilities, and identified two variants of it. Identified as XiaoBa (detected by Trend Micro as PE_XIAOBAMINER), this malware is distinctly similar to the XiaoBa ransomware. It appears that the ransomware code was repurposed, with new capabilities added to turn it into a more destructive cryptocurrency miner.

This file infector can be considered destructive because it infects binaries in a way that keeps the host code intact but no longer executes it for its original purpose. For example, when a calc.exe infected with XiaoBaMiner is executed, it runs the malware code but no longer runs the main calc.exe routine.

Source: Trend Micro

How do you protect yourself?

Proper security measures must be in place to defend against XIAOBA and similar threats. Having proper up-to-date endpoint security provides a cross-generational blend of threat defense techniques to protect systems from cryptocurrency-mining malware.

CVE-2018-8739

VPN Unlimited 4.2.0 (and many other VPN services for macOS) suffers from a root privilege escalation vulnerability in its privileged helper tool. The privileged helper tool implements an XPC interface that allows arbitrary applications to execute system commands as root.

Source: National Vulnerability Database

How do you protect yourself?

Make sure both macOS and your VPN client are up to date. Having a firewall will also help block unsolicited external connections.

Necurs Malware

Necurs, a modular malware with variants capable of spam distribution, information theft, and disabling security services and components, has been around since 2012, propagating in the wild via the Necurs botnet. In 2017, it pushed Locky (a ransomware family with one variant notable for being distributed via 23 million emails in just 24 hours) through a URL-only spam email campaign. Last year, we also saw Necurs push double-zipped attachments containing JavaScript, Visual Basic scripts, or macro files capable of downloading its final payload. In an attempt to evade spam detection of its attachments, Necurs used archives in which a .ZIP file disguised the script downloader, and that .ZIP was then enclosed in another .ZIP to hide it.

Source: Trend Micro
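The double-zipped attachment layout described above is something a mail gateway or IR triage script can check for without extracting to disk. The following is an added example (not code from the bulletin or from Trend Micro): it walks ZIP archives recursively in memory, reports script-type members with their nesting depth, and builds a constructed sample attachment (inert placeholder text, not a real downloader) to run against. The extension list and the "flag anything at depth 2 or deeper" policy are assumptions for illustration.

```python
import io
import zipfile

# Script types the bulletin names (JavaScript, VBScript, macro files); .jse/.wsf
# are added as common script variants (assumption, not from the bulletin).
SCRIPT_EXTENSIONS = (".js", ".jse", ".vbs", ".wsf", ".docm", ".xlsm")
MAX_DEPTH = 4  # stop descending so deeply nested archives cannot stall the scan


def scan_zip_bytes(data: bytes, depth: int = 1, path: str = "attachment.zip") -> list:
    """Return [(member_path, depth), ...] for every script-like member found in
    `data` or in any ZIP nested inside it. Nothing is written to disk."""
    findings = []
    if depth > MAX_DEPTH or not zipfile.is_zipfile(io.BytesIO(data)):
        return findings
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            member_path = f"{path}/{info.filename}"
            lower = info.filename.lower()
            if lower.endswith(SCRIPT_EXTENSIONS):
                findings.append((member_path, depth))
            elif lower.endswith(".zip"):
                # Nested archive: recurse on its bytes, one level deeper.
                findings.extend(scan_zip_bytes(zf.read(info), depth + 1, member_path))
    return findings


def build_sample_attachment() -> bytes:
    """Constructed sample: a .js file inside a ZIP inside another ZIP, mirroring
    the double-zipped layout described above. The content is inert text."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as zf:
        zf.writestr("invoice_2018.js", "// placeholder text, not a real downloader\n")
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as zf:
        zf.writestr("invoice.zip", inner.getvalue())
        zf.writestr("readme.txt", "harmless text\n")
    return outer.getvalue()


def is_suspicious(data: bytes) -> bool:
    """Policy (assumption): any script found at nesting depth 2 or deeper is flagged."""
    return any(depth >= 2 for _, depth in scan_zip_bytes(data))
```

Running `scan_zip_bytes(build_sample_attachment())` reports the .js member at depth 2, which `is_suspicious` flags, while a non-ZIP input yields no findings.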

How do you protect yourself?

Proper security measures must be in place to defend against Necurs and similar threats. Having proper up-to-date endpoint and firewall security provides a cross-generational blend of threat defense techniques to protect systems from malware such as Necurs.