Researchers Take Down Massive Crypto-Mining Botnet
VictoryGate crypto-mining botnet infected at least 35,000 systems, mostly in Peru, and continues to spread via infected removable USB drives
Security researchers have taken down a crypto-mining botnet that infected at least 35,000 devices and is continuing to spread.
The VictoryGate botnet mainly affects systems located in Latin America and particularly in Peru, where 90 percent of the infected machines are located, ESET said.
It has been active since at least May 2019; researchers have identified three variants of the original module and about 10 secondary payloads.
ESET was able to take down the botnet’s command and control servers and set up its own servers in their place, a technique called sinkholing.
Cryptomining
The original control servers were all located in subdomains registered at dynamic DNS provider No-IP, ESET said. The provider disabled all the servers in question once notified of the situation.
VictoryGate primarily installs tools that run in the background and use the resources of a compromised system to covertly mine Monero cryptocurrency.
The practice, which involves a heavy drain on system resources, is likely to have resulted in mining at least 80 Monero coins for the attackers, currently worth about £3,900, ESET said.
With their command servers taken down, the attackers are no longer able to install new secondary payloads on infected systems, but the infected systems may continue to mine Monero for the attackers – and to infect additional systems.
VictoryGate appears to spread via removable USB drives, a technique ESET said it has seen a number of times in Latin America.
The malware uses the XMRig mining software combined with infection tools written in the AutoIt programming language, a trend ESET said is on the rise in the region.
Removal
“The only propagation vector we have been able to confirm is through removable devices,” ESET said in an advisory.
The malware replaces files originally found on the removable drive with executable malware files that appear identical to the original files at first glance.
But when one of the booby-trapped files is launched, it installs VictoryGate on the machine and tries to propagate through other removable devices.
ESET said it has seen malicious traffic from infected systems used by the public sector as well as private-sector organisations including financial institutions.
The dangers posed by the malware include very high resource usage, with a sustained 90 to 99 percent CPU load that can cause overheating and possibly damage the system.
The malware may have been secretly installed on a batch of new USB storage devices shipped within Peru, ESET said.
“Despite our efforts, infected USB drives will continue to circulate and new infections will still occur,” the company said.
ESET said it is working with the Shadowserver Foundation to notify the owners of the affected systems and has made a tool available that removes the malware.