ESET takes down VictoryGate cryptomining botnet

More than 35,000 computers believed to have been infected, according to ESET's sinkhole data.

Slovak cyber-security firm ESET announced today that it took down a malware botnet that infected more than 35,000 computers.

According to an ESET press release published today, the botnet has been active since May 2019, and most of its victims were located in Latin America, with Peru accounting for more than 90% of the total victim count.

ESET named the botnet VictoryGate and said its primary purpose was to infect victims with malware that mined the Monero cryptocurrency behind their backs.

According to ESET researcher Alan Warburton, who investigated the VictoryGate operation, the botnet was controlled using a server hidden behind the No-IP dynamic DNS service.

Warburton says ESET reported and took down the botnet's command and control (C&C) server and set up a fake one (called a sinkhole) to monitor and control the infected hosts.

The company is now working with members of the Shadowserver Foundation to notify and disinfect all computers that connect to the sinkhole. Based on sinkhole data, between 2,000 and 3,500 computers are still pinging the malware's C&C server for new commands on a daily basis.
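The daily-victim figures above come from sinkhole logs. As an added example (not ESET's tooling), the following Python script shows the kind of aggregation a sinkhole operator runs over check-in logs to produce such figures: it counts distinct client IPs per day and lists addresses that keep returning over several days, which are the hosts to prioritise for notification. The log lines and the request path `/task` are constructed for illustration and use RFC 5737 documentation addresses; the real VictoryGate protocol is not described on this page.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample of sinkhole access lines (not real ESET data).
# Format assumed here: "<ISO timestamp> <client IP> <method> <path>".
SINKHOLE_LOG = """\
2020-04-20T08:01:12Z 203.0.113.10 GET /task
2020-04-20T08:03:40Z 203.0.113.11 GET /task
2020-04-20T09:15:02Z 203.0.113.10 GET /task
2020-04-20T11:47:55Z 198.51.100.7 GET /task
2020-04-21T07:58:31Z 203.0.113.10 GET /task
2020-04-21T08:02:09Z 198.51.100.7 GET /task
2020-04-21T13:20:44Z 192.0.2.44 GET /task
2020-04-22T06:10:00Z 203.0.113.10 GET /task
2020-04-22T06:10:00Z malformed line without ip
"""


def parse_line(line):
    """Return (ISO date, client IP) for a well-formed line, else None."""
    parts = line.split()
    if len(parts) < 2:
        return None
    try:
        ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ")
    except ValueError:
        return None
    ip = parts[1]
    # Crude IPv4 sanity check: four dotted numeric octets in range.
    octets = ip.split(".")
    if len(octets) != 4 or not all(o.isdigit() and 0 <= int(o) <= 255 for o in octets):
        return None
    return ts.date().isoformat(), ip


def daily_unique_hosts(log_text):
    """Map each day to the sorted list of distinct client IPs that checked in."""
    per_day = defaultdict(set)
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue  # skip malformed lines instead of aborting the whole run
        day, ip = parsed
        per_day[day].add(ip)
    return {day: sorted(ips) for day, ips in sorted(per_day.items())}


def daily_counts(log_text):
    """Number of distinct check-in sources per day (the 'still pinging' figure)."""
    return {day: len(ips) for day, ips in daily_unique_hosts(log_text).items()}


def persistent_hosts(log_text, min_days=2):
    """IPs seen on at least `min_days` distinct days: likely still-infected hosts."""
    days_seen = defaultdict(set)
    for day, ips in daily_unique_hosts(log_text).items():
        for ip in ips:
            days_seen[ip].add(day)
    return sorted(ip for ip, days in days_seen.items() if len(days) >= min_days)


if __name__ == "__main__":
    for day, count in daily_counts(SINKHOLE_LOG).items():
        print(f"{day}: {count} distinct sources")
    print("persistent:", persistent_hosts(SINKHOLE_LOG))
```

One source IP is not one infected computer: hosts behind carrier-grade NAT share an address and a single machine may change address between days, so counts like these are an estimate of the infected population, not an exact census, which is why notification goes through the network owners (here, via Shadowserver) rather than by address alone.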

VictoryGate sinkhole activity

Image: ESET

Source of infection could be a tainted batch of USB drives

Warburton says ESET is still investigating the botnet's modus operandi. So far, the researchers have been able to confirm only one of VictoryGate's distribution methods.

"The only propagation vector we have been able to confirm is through removable devices. The victim receives a USB drive that at some point was connected to an infected machine," Warburton said in a technical deep dive today.

After the malicious USB is connected to the victim's computer, the malware is installed on the device.

Currently, it appears that the VictoryGate malware might have been secretly installed on a tainted batch of USB storage devices that were shipped inside Peru. VictoryGate also contains a component that copies the USB infector onto any new USB device connected to an infected computer, helping it spread further.

Warburton also said that based on currently available information, the VictoryGate authors would have most likely made at least 80 Monero coins, estimated today at around $6,000.