Xbot: A Nasty one-two Punch Ransomware


After the spread of phishing around the world by fabricating an entire entity of online banking which requires confidential details, another online fraudulent is on its peak targeting Australia and Russia in the making.

While some people do not understand how it is cleverly engineered by unscrupulous software developers, this malware, also known as Xbot, steals online banking credentials and can encrypt a device’s files hostage in exchange of a ransom.

According to Paolo Alto, on his blog last Thursday, Xbot is not widespread yet but seems to be targeting Russian and Australian devices. However, they believe that the one behind Xbot is trying to expand its target base.

“This Trojan seems to be studied properly as it is very complex and surely anyone who will pay a heed to detect it will be hard-pressed guessing how to prevent it as it is likely that its ability to infect users and remain hidden will only grow,” Paolo Alt wrote.

This malware is said to be using activity hijacking which aimed to steal online banking and personal details. This activity allows the malware to launch when a user opens an application. This will cause the user to be unaware that he is using a wrong function. Activity Hijacking is taking advantage for those older device or those that have not been updated.

Just like phishing, Xbot monitors the application launched by the user. If it’s an online banking app, Xbot masquerades the real app.

This malicious interface is usually displayed in web view and is actually downloaded from a command-and-control server. It has been reported recently that they have found seven different bogus interfaces and identified six of them which imitate the actual visual functions for some of the most popular banks in Australia. Passwords, usernames, bank account numbers, codes and the like – such login interfaces were ingeniously created to deceive the user.

On the other hand, Xbot can also display an interface through web view saying that device has been infected with Cryptolocker which is a well-known ransomware program. Cryptolocker encrypts and locks all files which in turn ask for payment to recover all the files. They are usually redirected into a spoofed paypal site to pay US$100.

The encryption algorithm of Xbot is weak and believed to be recoverable, Paolo Alto wrote.

However, this malware can also data mine all personal data and send them to the attackers.