Botnet Designed to Mine Virtual Currency Shut DownESET: 'VictoryGate' Infected 35,000 Devices
VictoryGate, a recently discovered botnet that infected about 35,000 devices with malware, has been disabled by researchers from security firm ESET.
The botnet was designed to mine for the virtual currency monero, according to ESET analysts. It's one of several recently discovered botnets that mine for cryptocurrencies other than bitcoin (see: Botnet Targets Devices Running Microsoft SQL Server: Report).
The VictoryGate botnet appears to have started infecting devices in May 2019, but ESET researchers discovered its operations in October. The botnet mainly targeted victims in South America, with Peru accounting for about 90 percent of all infected endpoints, according to the report.
When ESET researchers first discovered VictoryGate, they found that it was controlled through a series of subdomains registered through No-IP, a company that provides dynamic DNS services.
It's through those subdomains that ESET researchers found the command-and-control server. The research team then sinkholed the command-and-control server and set up their own server to help monitor infected devices and learn how the botnet worked, according to the report.
Based on the data the researchers have collected since the sinkhole operation, they estimate that 2,000 to 3,000 devices are still attempting to connect to the command-and-control server looking for new instructions from the botnet operators.
ESET is working with No-IP and the nonprofit Shadowserver Foundation, which researches and tracks botnets, to notify victims and help clean devices of the VictoryGate malware.
ESET researchers estimate that the operators of VictoryGate mined about 80 monero coins, worth about $6,000.
The operators of VictoryGate could have reconfigured the botnet for other purposes other than cryptomining, ESET researchers note.
"However, given that the botmaster was able to issue commands to the nodes to download and execute new secondary payloads at any given time, this could have changed at some point," according to the ESET report. "This posed a considerable risk, given that we’ve identified compromised network traffic that stems from the public sector and from organizations in the private sector, including financial institutions."
Method of Infection
The ESET researchers are still investigating exactly how the VictoryGate malware infected devices.
In some cases, it appears that devices were initially infected through a trojanized application, which could then infect USB drives plugged into these devices, says Alan Warburton, security intelligence analyst at ESET.
The malware then changed files within the USB drive, and when those files were opened, a final payload was delivered, connecting connects the device to the operators' command-and-control server and making it part of the botnet, Warburton says.
"The enticement the users have is that they want to open their documents that are contained in the USB drive," Warbuton tells Information Security Media Group. "They will then try to open them without noticing that those documents have been replaced with malicious files."