Researchers at ESET report that a large part of a malware botnet comprising at least 35,000 compromised Windows systems has been taken down. The attackers used those systems to mine Monero cryptocurrency. The botnet, dubbed VictoryGate, has been active since at least May 2019. Most infections were reported in Latin America, chiefly Peru, which accounts for about 90 percent of the compromised systems.
The botnet exists to mine Monero. Its victims are organisations in both the public and private sectors, including financial firms.
ESET worked with the dynamic DNS provider No-IP to take down the malicious command-and-control (C2) domains and set up sinkholes (domains under the researchers' control that stand in for the C2 servers) to observe the botnet's activity. The sinkhole data shows that more than 3,500 systems connected to the C2 servers every day during February and March 2020; the cumulative count of infected machines grew over the months of the campaign.
VictoryGate spreads through removable media such as USB drives: when an infected drive is connected to a computer, the malware installs itself on that machine, and removable drives are how it moves from one machine to the next. The installed component then contacts the C2 server to fetch a secondary payload, which injects arbitrary code into legitimate Windows processes. In the observed campaign it injects the XMRig mining software into ucsvc.exe (the Boot File Servicing Utility), so the Monero mining runs under the name of a legitimate Windows process.
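The infection chain described above (launch from a removable drive, then XMRig injected into ucsvc.exe) lends itself to a simple log-based detection. The following is an added example, not ESET's tooling or anything from the VictoryGate report: it runs three heuristics over constructed, Sysmon-style process-creation (Event ID 1) and network-connection (Event ID 3) records. The heuristics are assumptions, not indicators published on this page: a legitimate ucsvc.exe has no reason to initiate outbound network connections, it is normally started by a Windows system binary rather than a program on a removable drive, and an executable running from a drive other than the system drive is worth a look. The event values, IP addresses and ports are invented.

```python
"""Toy detection for the VictoryGate-style chain: USB launch -> ucsvc.exe
injected with a miner -> outbound connection. Added example; constructed data."""
from typing import Dict, List, Set, Tuple

# Constructed events in the shape of Sysmon Event ID 1 (ProcessCreate) and
# Event ID 3 (NetworkConnect). Field names follow Sysmon; values are made up.
SAMPLE_EVENTS: List[Dict] = [
    {"EventID": 1, "ProcessId": 4120, "Image": r"E:\docs.exe",
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"EventID": 1, "ProcessId": 4388, "Image": r"C:\Windows\System32\ucsvc.exe",
     "ParentImage": r"E:\docs.exe"},
    {"EventID": 3, "ProcessId": 4388, "Image": r"C:\Windows\System32\ucsvc.exe",
     "DestinationIp": "203.0.113.7", "DestinationPort": 14444, "Initiated": "true"},
    # Benign: ucsvc.exe started by svchost.exe, no network activity.
    {"EventID": 1, "ProcessId": 5012, "Image": r"C:\Windows\System32\ucsvc.exe",
     "ParentImage": r"C:\Windows\System32\svchost.exe"},
    # Benign: a browser making an HTTPS connection.
    {"EventID": 3, "ProcessId": 5100, "Image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "DestinationIp": "198.51.100.3", "DestinationPort": 443, "Initiated": "true"},
]

SYSTEM_DRIVE = "C:"                 # assumption: Windows is installed on C:
SYSTEM_DIR_PREFIX = "C:\\WINDOWS\\"  # assumption: trusted parents live here
INJECTION_TARGET = "ucsvc.exe"       # the process the page names as the injection host

Alert = Tuple[str, int, str]  # (kind, ProcessId, detail)


def image_name(path: str) -> str:
    """Return the lower-cased file name of a Windows image path."""
    return path.rsplit("\\", 1)[-1].lower()


def detect(events: List[Dict]) -> List[Alert]:
    """Apply the three heuristics and return one alert per hit, in event order."""
    alerts: List[Alert] = []
    for ev in events:
        name = image_name(ev["Image"])
        if ev["EventID"] == 1:
            # Heuristic 1: executable launched from a non-system drive
            # (assumed here to be a removable drive; a real deployment should
            # check the volume's removable-media flag instead of the letter).
            if not ev["Image"].upper().startswith(SYSTEM_DRIVE):
                alerts.append(("removable_launch", ev["ProcessId"], ev["Image"]))
            # Heuristic 2: ucsvc.exe whose parent is not a Windows system binary.
            if name == INJECTION_TARGET and \
                    not ev["ParentImage"].upper().startswith(SYSTEM_DIR_PREFIX):
                alerts.append(("suspicious_parent", ev["ProcessId"], ev["ParentImage"]))
        elif ev["EventID"] == 3:
            # Heuristic 3: ucsvc.exe initiating any outbound connection.
            if name == INJECTION_TARGET and ev.get("Initiated") == "true":
                dest = f"{ev['DestinationIp']}:{ev['DestinationPort']}"
                alerts.append(("ucsvc_outbound", ev["ProcessId"], dest))
    return alerts


def injection_chain_pids(alerts: List[Alert]) -> Set[int]:
    """Process IDs that both had a suspicious parent and went out to the network:
    the combination that matches the injected-miner stage of the chain."""
    kinds_by_pid: Dict[int, Set[str]] = {}
    for kind, pid, _ in alerts:
        kinds_by_pid.setdefault(pid, set()).add(kind)
    return {pid for pid, kinds in kinds_by_pid.items()
            if {"suspicious_parent", "ucsvc_outbound"} <= kinds}


if __name__ == "__main__":
    found = detect(SAMPLE_EVENTS)
    for kind, pid, detail in found:
        print(f"{kind:18} pid={pid} {detail}")
    print("likely injected ucsvc.exe PIDs:", sorted(injection_chain_pids(found)))
```

Each heuristic on its own is noisy (a user running a setup program from a USB stick trips the first one), which is why the chain function only reports a process that matches both ucsvc.exe-specific rules; treat the single-rule alerts as context for an analyst rather than as verdicts.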
According to the researchers, the botnet's author has collected at least 80 Monero, roughly $6,000 at the time of the report. On average about 2,000 infected machines were mining on any given day. That is a serious concern, and one that organisations in the affected region in particular need to address.
One notable feature of VictoryGate is that it puts more effort into evading detection than earlier, related campaigns in the region. More importantly, the botmaster can change the payload that is downloaded, written to disk and executed on infected machines at any time, so the botnet could be repurposed from cryptomining to any other malicious activity. That flexibility makes it a sizeable threat beyond the mining itself.