ESET researchers have discovered a botnet whose main activity is using infected devices to mine the Monero cryptocurrency, with most of the compromised devices located in Peru. The finding was reported on the We Live Security website on April 23.
According to the article on that site, signed by Alan Warburton, ESET researchers have discovered a previously undocumented botnet called VictoryGate. “It has been active at least since May 2019, and since then three variants of its original module and approximately 10 payloads have been identified, which are downloaded by the victim’s computer from file hosting sites on the Internet. The original module is detected by ESET security products as MSIL/VictoryGate. Working with various organizations has significantly reduced the control over the affected devices,” the article said.
The article then described the following in detail: “The botnet consists mainly of devices in the LATAM region, mainly in Peru, a country where more than 90% of the devices at risk are located.”
Warburton also wrote: “We have carried out sinkholing activities for various hardcoded subdomains that the samples use as a backup for the botnet’s command and control (C&C) server. The combination of the information from our sinkhole with our telemetry allowed us to estimate the size of the botnet, which consists of at least 35,000 devices. VictoryGate uses subdomains that are registered with the dynamic DNS service provider No-IP. This company quickly removed the domains as soon as they were reported by ESET, effectively restricting the attacker’s control over the bots. In addition, the information collected at the sinkhole is shared with the Shadowserver Foundation, a non-profit organization, to alert local authorities and network operators.”
The main activity of the botnet was the use of infected computers to mine the Monero cryptocurrency. “However, since the operator has the ability to update the payloads executed by the victims at any time, this functionality can change at any time. This posed a significant risk, as network traffic from affected devices was detected in both public and private organizations, including companies in the financial sector in Peru,” they said.
Impact on victims’ computers
As explained on the We Live Security website, the infection can affect victims in different ways:
High resource consumption on the victim’s PC: in all analyzed samples, the malware uses every thread available on the processor to perform crypto mining. This leads to sustained CPU usage in the range of 90 to 99%, which can cause the device to slow down, overheat or even suffer damage.
Hidden files on USB drives: files on USB devices that are connected to an infected computer are moved into a folder with hidden and system attributes in the root directory of the removable disk. This means that some users may lose access to their original files unless they remove those attributes from the hidden folder.
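The USB behaviour described above can be undone by hand with attrib -s -h, but on a drive that has been through many infected machines it is easy to miss a folder. The following PowerShell script is an added example written for this page; it is not VictoryGate code and not from ESET. Because the article does not name the folder the malware creates, the script does not look for a specific name: it finds every root-level folder on the removable drive that carries both the Hidden and System attributes (a combination user data never has), clears those attributes on the folder and its contents, and moves the recovered files back to the root without overwriting anything already there. The drive letter (E:) and the script file name are assumptions. Run it from an elevated prompt on a clean, up-to-date machine with antivirus enabled, and do not double-click anything on the stick first.

```powershell
# Recover-UsbFiles.ps1  (added example, not the malware's or ESET's code)
# Usage:  .\Recover-UsbFiles.ps1 -Drive E: -WhatIfOnly   # report only
#         .\Recover-UsbFiles.ps1 -Drive E:               # clear attributes and move files back
param(
    [Parameter(Mandatory = $true)]
    [ValidatePattern('^[A-Za-z]:$')]
    [string]$Drive,          # assumption: drive letter of the removable disk, e.g. 'E:'
    [switch]$WhatIfOnly      # list what would be changed without touching the drive
)

$root = "$Drive\"
$HiddenSystem = [IO.FileAttributes]::Hidden -bor [IO.FileAttributes]::System

# 1. Root-level folders that carry BOTH Hidden and System. -Force is required,
#    otherwise Get-ChildItem skips hidden items entirely.
$suspects = Get-ChildItem -LiteralPath $root -Directory -Force |
    Where-Object { ($_.Attributes -band $HiddenSystem) -eq $HiddenSystem }

if (-not $suspects) {
    Write-Host "No hidden+system folders found in $root"
    return
}

foreach ($dir in $suspects) {
    Write-Host "Suspicious folder: $($dir.FullName)"
    $contents = Get-ChildItem -LiteralPath $dir.FullName -Force -Recurse
    foreach ($item in $contents) {
        Write-Host "  $($item.FullName)  [$($item.Attributes)]"
    }

    if ($WhatIfOnly) { continue }

    # 2. Clear Hidden and System on the folder and everything inside it
    #    (the same effect as: attrib -s -h /s /d <folder>).
    foreach ($item in @($dir) + $contents) {
        $item.Attributes = $item.Attributes -band (-bnot $HiddenSystem)
    }

    # 3. Move the recovered entries back to the drive root. Never overwrite:
    #    if a name already exists at the root, leave both for the analyst to inspect.
    Get-ChildItem -LiteralPath $dir.FullName -Force | ForEach-Object {
        $dest = Join-Path $root $_.Name
        if (Test-Path -LiteralPath $dest) {
            Write-Warning "Not moving $($_.FullName): '$dest' already exists, inspect both before deciding."
        } else {
            Move-Item -LiteralPath $_.FullName -Destination $dest
            Write-Host "  restored $($_.Name)"
        }
    }

    # 4. Remove the now-empty container folder; leave it if anything remains.
    if (-not (Get-ChildItem -LiteralPath $dir.FullName -Force)) {
        Remove-Item -LiteralPath $dir.FullName
    } else {
        Write-Warning "Left non-empty folder in place: $($dir.FullName)"
    }
}
```

Run it first with -WhatIfOnly and read the listing: if the hidden folder contains anything other than the user's own documents, keep the stick for analysis instead of cleaning it, since the article notes the operator can push new payloads at any time and the files on the drive may not be what the victim expects.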