
Researchers Find Both 32-bit and 64-bit Files Vulnerable to Persistent Xpiro Malware Infectors

Xpiro is a family of file infectors first recognized for targeting Windows shortcut (.lnk) files so that the malware is executed when the PC reboots, at which point the infection begins stealing information from the compromised system. Researchers at Symantec have now discovered newer Xpiro variants that infect Intel 32-bit, Intel 64-bit and AMD64 (64-bit) executables.

Xpiro's approach is essentially to seek out and infect, in stages. It first infects Win32 service executables, then looks for .lnk shortcut files, including those in the Start Menu. Once that first stage is complete, Xpiro moves on to infect executable files on every connected drive, including removable and mapped network drives.
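The infection chain above gives a defender two things to look for on a Windows host: Start Menu shortcuts whose targets have been redirected, and program files that have been modified after the fact. The PowerShell triage script below is an added example written for this page, not code from Symantec's write-up or from the malware itself. It resolves every Start Menu shortcut with the WScript.Shell COM object, flags targets that lie outside the usual program roots or that launch an interpreter with arguments, and runs Get-AuthenticodeSignature on each target, since a file infector that appends code to a signed binary leaves it with a HashMismatch status. The allow-listed roots and the interpreter list are assumptions to tune per environment.

```powershell
# Added triage example (not from the Symantec write-up or the malware):
# review Start Menu shortcuts and the files they launch for signs of tampering.

# Assumption: legitimate shortcut targets live under these roots; adjust per host.
$allowedRoots = @(
    $env:ProgramFiles,
    ${env:ProgramFiles(x86)},
    $env:SystemRoot
) | Where-Object { $_ }

# Per-user and all-users Start Menu folders.
$startMenus = @(
    [Environment]::GetFolderPath('CommonStartMenu'),
    [Environment]::GetFolderPath('StartMenu')
)

$shell = New-Object -ComObject WScript.Shell

function Test-SuspiciousShortcut {
    param([System.IO.FileInfo]$Lnk)

    $sc     = $shell.CreateShortcut($Lnk.FullName)
    $target = [Environment]::ExpandEnvironmentVariables($sc.TargetPath)

    # Folder shortcuts and URL-style links have no file target to examine.
    if ([string]::IsNullOrWhiteSpace($target)) { return $null }

    $reasons = @()

    # 1. Target outside the expected program roots (e.g. a user-writable path).
    $inAllowed = $allowedRoots | Where-Object { $target.StartsWith($_, 'OrdinalIgnoreCase') }
    if (-not $inAllowed) { $reasons += "target outside program roots" }

    # 2. Shortcut rewritten to run an interpreter/launcher with its own arguments.
    #    Assumption: this list covers the common living-off-the-land hosts.
    if ($sc.Arguments -and ($target -match '\\(cmd|powershell|wscript|cscript|rundll32|mshta)\.exe$')) {
        $reasons += "interpreter launched with arguments: $($sc.Arguments)"
    }

    # 3. Target missing, or signed but modified after signing (HashMismatch).
    if (-not (Test-Path -LiteralPath $target)) {
        $reasons += "target missing on disk"
    } else {
        $sig = Get-AuthenticodeSignature -LiteralPath $target
        if ($sig.Status -eq 'HashMismatch') {
            $reasons += "Authenticode hash mismatch (file changed after signing)"
        }
    }

    if ($reasons.Count -eq 0) { return $null }
    [pscustomobject]@{
        Shortcut  = $Lnk.FullName
        Target    = $target
        Arguments = $sc.Arguments
        Modified  = $Lnk.LastWriteTime
        Reasons   = ($reasons -join '; ')
    }
}

$findings = foreach ($root in $startMenus) {
    Get-ChildItem -LiteralPath $root -Filter *.lnk -Recurse -File -ErrorAction SilentlyContinue |
        ForEach-Object { Test-SuspiciousShortcut -Lnk $_ } |
        Where-Object { $_ }
}

# Most recently modified shortcuts first; a fresh infection stands out by date.
$findings | Sort-Object Modified -Descending | Format-Table -AutoSize -Wrap
```

Run it from an elevated prompt so the all-users Start Menu is readable. A clean host normally returns nothing or a few vendor shortcuts that point into user-profile install locations; anything with a HashMismatch, or a shortcut whose target was rewritten to a user-writable path, warrants pulling the file for analysis. Unsigned targets are not flagged here, since most third-party software is unsigned and the check would drown in noise; compare their hashes against known-good copies instead.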

Once a machine is infected, the malware harvests whatever information it can obtain, using stealth techniques to avoid detection so that nothing alerts the user to what is taking place in the background. Xpiro's final act is to install its own extensions into the Firefox and Chrome web browsers, giving the cybercriminals a foothold for a range of further malicious tasks.

Among the tasks remote attackers can perform once Xpiro is running on a system are lowering Chrome's or Firefox's security settings, spying on the user's Internet activity, stealing logs, and redirecting the user to unwanted websites.

One aspect of Xpiro that keeps the infection concealed is that it places its extensions and files in inconspicuous locations. For example, the injected Firefox extensions do not appear in the add-ons list within the browser's settings panel, as shown in Figure 1 below. Files are also sometimes renamed to avoid drawing suspicion.

Figure 1. Xpiro's injected malicious extensions hidden from the list of Firefox add-ons. Source: Symantec

Xpiro clearly carries a wide range of malicious capabilities. The most recent version has been updated to cross-infect executable files across multiple architectures, its most sophisticated functionality to date. Perhaps the most concerning aspect of Xpiro is that it carries out all of these activities while evading detection.

It is in everyone's interest to stay vigilant about emerging malware threats, even old ones like Xpiro that were once thought extinguished but have returned to the wild with new sophistication. Keep all software up to date and run a current antivirus or antispyware product that is able to detect such threats.
