Cybersecurity researchers from ESET revealed that they took down a portion of a malware botnet that infected at least 35,000 Windows systems, which attackers were secretly using to mine Monero cryptocurrency. The botnet, VictoryGate, had been active since May of last year. The affected systems were located mainly in Latin American countries, with 90% of infections reported in Peru.
“The main activity of the botnet is mining Monero cryptocurrency.”
Cybersecurity researchers from ESET also revealed that the botnet's main activity is mining the privacy-centered cryptocurrency Monero. “The victims include organizations in both public and private sectors, including financial institutions,” the researcher noted. ESET said it worked with the dynamic DNS provider No-IP to take down the malicious command-and-control (C2) servers, and that it set up fake (sinkhole) domains in their place to monitor the botnet’s activity. During February and March of this year, sinkhole data showed between 2,000 and 3,500 infected computers connecting to the C2 servers daily. According to the researchers, the botnet propagates via removable devices such as USB drives, which install a malicious payload on the victim’s system.
ESET warns of new infections that could occur in the future.
The researchers said that at an average hash rate of 150 H/s, the authors of this campaign had collected at least 80 Monero (approximately $6,000) from this botnet alone. “From the data collected during our sinkholing activities, we can determine that there are, on average, 2,000 devices mining throughout the day,” the researchers added. Because USB drives are used as the propagation vector, the researchers also warned that new infections could occur in the future. But with a notable portion of the C2 infrastructure sinkholed, the bots can no longer receive secondary payloads.
The researchers concluded that one notable characteristic of this botnet is that it shows a greater effort to avoid detection than previous, similar campaigns in the region.