Researchers Take Down Massive Crypto-Mining Botnet

Security researchers have taken down a crypto-mining botnet that infected at least 35,000 devices and is continuing to spread.

The VictoryGate botnet mainly affects systems located in Latin America and particularly in Peru, where 90 percent of the infected machines are located, ESET said.

It has been active since at least May 2019; ESET has identified three variants of the original module and about 10 secondary payloads.

ESET was able to take down the botnet’s command and control servers and set up its own servers in their place, a technique called sinkholing.

Cryptomining

The original control servers were all located in subdomains registered at dynamic DNS provider No-IP, ESET said. The provider disabled all the servers in question once notified of the situation.

VictoryGate primarily installs tools that run in the background and which use the resources of a compromised system to covertly mine Monero cryptocurrency.

The practice, which involves a heavy drain on system resources, is likely to have resulted in mining at least 80 Monero coins for the attackers, currently worth about £3,900, ESET said.

With their command servers taken down, the attackers are no longer able to install new secondary payloads on infected systems, but the infected systems may continue to mine Monero for the attackers – and to infect additional systems.

VictoryGate appears to spread via removable USB drives, a technique ESET said it has seen a number of times in Latin America.

The malware uses the XMRig mining software combined with infection tools written in the AutoIt programming language, a trend ESET said is on the rise in the region.

Removal

“The only propagation vector we have been able to confirm is through removable devices,” ESET said in an advisory.

The malware replaces files originally found on the removable drive with executable malware files that appear identical to the original files at first glance.

But when one of the booby-trapped files is launched, it installs VictoryGate on the machine and tries to propagate through other removable devices.
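The propagation trick described above, lure executables that replace the documents on a removable drive, is something a defender can look for before anyone double-clicks. The following scanner is an added example, not ESET's tool or anything from the advisory; the extension lists and the sample "drive" it builds are constructed assumptions.

```python
import struct
import tempfile
from pathlib import Path

# Extensions a lure might imitate and extensions Windows will execute
# (assumed lists for the demo, not taken from the ESET advisory).
DOC_EXTS = {".doc", ".docx", ".xls", ".xlsx", ".pdf", ".jpg", ".png", ".txt"}
EXEC_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd"}

def is_pe(path: Path) -> bool:
    """True if the file has a DOS 'MZ' stub whose e_lfanew points at 'PE\\0\\0'."""
    try:
        data = path.read_bytes()
    except OSError:
        return False
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == b"PE\0\0"

def scan_drive(root) -> list[tuple[str, str]]:
    """Walk a (removable) drive and flag files that look like documents but execute."""
    findings = []
    for p in sorted(Path(root).rglob("*")):
        if not p.is_file():
            continue
        suffixes = [s.lower() for s in p.suffixes]
        if len(suffixes) >= 2 and suffixes[-1] in EXEC_EXTS and suffixes[-2] in DOC_EXTS:
            findings.append((p.name, "document name with executable extension"))
        elif (not suffixes or suffixes[-1] not in EXEC_EXTS) and is_pe(p):
            findings.append((p.name, "PE binary behind a non-executable extension"))
    return findings

def fake_pe() -> bytes:
    """Constructed minimal MZ/PE header stub (not a real binary) for the demo."""
    hdr = bytearray(b"MZ" + b"\0" * 0x3E)
    struct.pack_into("<I", hdr, 0x3C, 0x40)   # e_lfanew -> offset 0x40
    return bytes(hdr) + b"PE\0\0" + b"\0" * 20

def build_sample_drive() -> str:
    """Create a constructed sample 'USB drive' in a temp dir and return its path."""
    root = Path(tempfile.mkdtemp(prefix="usb_"))
    (root / "budget.xlsx").write_bytes(b"PK\x03\x04 real-ish spreadsheet")
    (root / "budget.xlsx.exe").write_bytes(fake_pe())   # double-extension lure
    (root / "photo.jpg").write_bytes(fake_pe())          # PE hiding as an image
    (root / "notes.txt").write_text("nothing suspicious")
    return str(root)

if __name__ == "__main__":
    for name, reason in scan_drive(build_sample_drive()):
        print(f"{name}: {reason}")
```

Run it against a mounted drive's root instead of the sample directory to triage a suspect USB stick; the two heuristics are cheap and catch the lure styles the article describes, not every possible disguise.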

ESET said it has seen malicious traffic from infected systems used by the public sector as well as private-sector organisations including financial institutions.

The dangers posed by the malware include very high resource usage, with a sustained 90 to 99 percent CPU load that can cause overheating and possibly damage the system.

The malware may have been secretly installed on a batch of new USB storage devices shipped within Peru, ESET said.

“Despite our efforts, infected USB drives will continue to circulate and new infections will still occur,” the company said.

ESET said it is working with the Shadowserver Foundation to notify the owners of the affected systems and has made a tool available that removes the malware.

Matthew Broersma

Matt Broersma is a long-standing tech freelancer who has worked for Ziff-Davis, ZDNet and other leading publications.
