Malicious USB Drives Infect 35,000 Computers With Crypto-Mining Botnet

Cybersecurity researchers from ESET on Thursday said they took down a portion of a malware botnet comprising at least 35,000 compromised Windows systems that attackers were secretly using to mine Monero cryptocurrency.

The botnet, named "VictoryGate," has been active since May 2019, with infections mostly reported in Latin America; Peru alone accounts for 90% of the compromised systems.

"The main activity of the botnet is mining Monero cryptocurrency," ESET said. "The victims include organizations in both public and private sectors, including financial institutions."

ESET said it worked with dynamic DNS provider No-IP to take down the malicious command-and-control (C2) servers, and that it set up fake domains (sinkholes) in their place to monitor the botnet's activity.

The sinkhole data shows that between 2,000 and 3,500 infected computers connected to the C2 servers on a daily basis during February and March this year.

According to ESET researchers, VictoryGate propagates via removable devices such as USB drives, which, when connected to the victim machine, install a malicious payload onto the system.


The installed module also communicates with the C2 server to receive a secondary payload that injects arbitrary code into legitimate Windows processes, such as loading the XMRig mining software into the ucsvc.exe process (the Boot File Servicing Utility), thereby facilitating Monero mining under the name of a trusted system binary.
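Because the miner runs inside a legitimate Windows binary, a file hash or image name alone will not find it; what stands out is behaviour that the real ucsvc.exe should never show. The script below is an added example written for this article, not code from ESET or from the VictoryGate report: it runs a small hunting heuristic over constructed process telemetry (of the kind an EDR export or a scheduled Get-Process / Get-NetTCPConnection dump would give you) and flags a ucsvc.exe instance that is long-lived, CPU-bound and talking to an external address. The thresholds, field names and sample records are assumptions chosen for illustration, not indicators from the report.

```python
"""Hunt for a miner injected into a normally short-lived system utility.

Added example (not from the ESET report). Assumptions: telemetry arrives as
process snapshots carrying CPU time, uptime and the remote peers of
established outbound TCP connections; thresholds are illustrative.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Dict, List

# Image names the report ties to the injected XMRig payload.  Lower-cased.
SUSPECT_HOSTS = {"ucsvc.exe"}

# Assumed thresholds: the real Boot File Servicing Utility is a short-lived
# helper, so ten minutes of uptime or half a core of sustained CPU is odd.
MIN_UPTIME_SECONDS = 600
MIN_CPU_FRACTION = 0.5

# Treat RFC 1918, loopback and link-local peers as internal; everything else
# is "external" for the purposes of the heuristic.
_INTERNAL_NETS = [
    ip_network(n)
    for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
              "127.0.0.0/8", "169.254.0.0/16")
]


@dataclass
class ProcSnapshot:
    pid: int
    image: str                     # lower-cased image file name
    cpu_seconds: float             # total CPU time consumed so far
    uptime_seconds: float          # seconds since the process started
    remote_ips: List[str] = field(default_factory=list)  # established peers


def is_external(ip: str) -> bool:
    """True when the peer is outside the assumed internal ranges."""
    addr = ip_address(ip)
    return not any(addr in net for net in _INTERNAL_NETS)


def score(p: ProcSnapshot) -> List[str]:
    """Return the list of anomaly reasons for one snapshot (empty if none)."""
    reasons: List[str] = []
    if p.image not in SUSPECT_HOSTS:
        return reasons
    if p.uptime_seconds >= MIN_UPTIME_SECONDS:
        reasons.append("long-lived")
    if p.uptime_seconds > 0 and p.cpu_seconds / p.uptime_seconds >= MIN_CPU_FRACTION:
        reasons.append("sustained-cpu")
    if any(is_external(ip) for ip in p.remote_ips):
        reasons.append("outbound-external")
    return reasons


def hunt(snapshots: List[ProcSnapshot]) -> Dict[int, List[str]]:
    """Map pid -> reasons for every snapshot with at least two anomalies.

    Requiring two independent signals keeps a single slow run of the
    legitimate utility, or one stray connection, from paging anyone.
    """
    hits: Dict[int, List[str]] = {}
    for p in snapshots:
        reasons = score(p)
        if len(reasons) >= 2:
            hits[p.pid] = reasons
    return hits


# Constructed sample telemetry (not real data).  203.0.113.0/24 is a
# documentation range standing in for an arbitrary Internet host.
SAMPLE = [
    ProcSnapshot(4120, "ucsvc.exe", 3500.0, 4000.0, ["203.0.113.10"]),  # miner
    ProcSnapshot(512, "ucsvc.exe", 2.0, 15.0, []),                     # real, short run
    ProcSnapshot(3300, "ucsvc.exe", 50.0, 7200.0, ["10.0.0.4"]),        # odd, but one signal
    ProcSnapshot(2280, "explorer.exe", 9000.0, 80000.0, ["203.0.113.5"]),  # not in scope
]

if __name__ == "__main__":
    for pid, reasons in hunt(SAMPLE).items():
        print(f"pid {pid}: {', '.join(reasons)}")
```

On a real host the snapshot list would be built from live telemetry rather than the constructed `SAMPLE`, and the image set and thresholds tuned to what that utility normally looks like in your environment; the point of the example is the combination of signals, not the specific numbers.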

"From the data collected during our sinkholing activities, we can determine that there are, on average, 2,000 devices mining throughout the day," the researchers said. "If we estimate an average hash rate of 150H/s, we could say that the authors of this campaign have collected at least 80 Monero (roughly $6000) from this botnet alone."

With USB drives being used as a propagation vector, ESET warned that new infections could still occur in the future. With a major chunk of the C2 infrastructure sinkholed, the bots will no longer receive secondary payloads. However, machines that were compromised before the C2 servers were taken down would still continue to mine Monero, since sinkholing the servers does not remove the payload already running on them.

"One of the interesting characteristics of VictoryGate is that it shows a greater effort to avoid detection than previous, similar campaigns in the region," the research team concluded.

"And, given the fact that the botmaster can update the functionality of the payloads that are downloaded and executed on the infected machines from crypto mining to any other malicious activity at any given time, this poses a significant risk."
