A 35,000-device Monero-mining botnet spread via infected USB drives


Slovakian cybersecurity firm ESET has uncovered a new massive botnet comprised of tens of thousands of devices, which were used for illicit Monero cryptocurrency mining. The researchers were able to sinkhole several command-and-control (C&C) domains so that they could monitor the botnet’s activity.

Dubbed VictoryGate, the botnet has been active since at least May 2019 and is composed mainly of devices in Latin America, with more than 90% of victims located in Peru. The researchers estimate that it was composed of at least 35,000 devices. The botnet was controlled using a server hidden behind the No-IP dynamic DNS service. When contacted by ESET, the provider swiftly shut down malicious subdomains, thus effectively removing control of the bots from the attackers.

Further investigation has shown that the VictoryGate botnet’s propagation vector has been external USB drives: an infected drive presents files whose names and icons are identical to those of the files it originally contained.

“Because of this, the contents will look almost identical at first glance. However, the original files have been copied to a hidden directory in the root of the drive and Windows executables have been provided as apparent namesakes,” ESET explained.

These executables are AutoIt scripts compiled by VictoryGate. When one of them is run, it opens both the file the user intended to open and the initial module, which VictoryGate keeps in the same hidden directory.
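A defender-side check for the USB layout described above, written as an added example rather than code from ESET or the VictoryGate report. It flags executables in the root of a removable drive that share a name with a non-executable file kept in a hidden directory at the same root. The sample drive, the `.originals` directory name, and the dot-prefix used as a stand-in for the Windows hidden attribute are all constructed assumptions.

```python
import stat
import tempfile
from pathlib import Path

EXECUTABLE_SUFFIXES = {".exe", ".scr", ".com", ".pif"}


def is_hidden(path: Path) -> bool:
    """Hidden via the Windows attribute, or a dot prefix (assumed stand-in on POSIX)."""
    attrs = getattr(path.stat(), "st_file_attributes", 0)
    return bool(attrs & stat.FILE_ATTRIBUTE_HIDDEN) or path.name.startswith(".")


def looks_like_pe(path: Path) -> bool:
    """Check the 'MZ' DOS header so a renamed executable is still caught."""
    try:
        with path.open("rb") as f:
            return f.read(2) == b"MZ"
    except OSError:
        return False


def find_namesake_executables(drive_root: Path) -> list[tuple[Path, Path]]:
    """Return (decoy_executable, shadowed_original) pairs found at the drive root."""
    root = Path(drive_root)
    originals = {}  # original file name -> path inside a hidden root-level directory
    for d in (p for p in root.iterdir() if p.is_dir() and is_hidden(p)):
        for f in d.iterdir():
            if f.is_file():
                originals.setdefault(f.name, f)
    hits = []
    for entry in root.iterdir():
        if not entry.is_file():
            continue
        if entry.suffix.lower() not in EXECUTABLE_SUFFIXES and not looks_like_pe(entry):
            continue
        # "report.docx.exe" -> "report.docx"; "photo.scr" -> "photo"
        candidate = entry.name[: -len(entry.suffix)] if entry.suffix else entry.name
        for name, orig in originals.items():
            if candidate in (name, Path(name).stem):
                hits.append((entry, orig))
    return sorted(hits, key=lambda h: h[0].name)


def build_sample_drive(root: Path) -> None:
    """Constructed sample mimicking the described layout; not a real capture."""
    hidden = root / ".originals"  # hidden directory holding the real files
    hidden.mkdir()
    for name in ("report.docx", "photo.jpg", "notes.txt"):
        (hidden / name).write_bytes(b"original content")
    (root / "report.docx.exe").write_bytes(b"MZ" + b"\0" * 62)  # decoy namesake
    (root / "photo.scr").write_bytes(b"MZ" + b"\0" * 62)  # decoy namesake
    (root / "readme.txt").write_bytes(b"plain file, no twin")
    (root / "installer.exe").write_bytes(b"MZ" + b"\0" * 62)  # no hidden twin


def demo() -> list[tuple[str, str]]:
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_sample_drive(root)
        return [(e.name, o.name) for e, o in find_namesake_executables(root)]


if __name__ == "__main__":
    for exe, orig in demo():
        print(f"suspicious: {exe} shadows hidden {orig}")
```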

“Once the initial module is executed, it will create a copy of itself in %AppData% (with a nicer name like ctfmon2.exe) and a shortcut in the startup folder pointing to this copy, as a simple mechanism to gain persistence upon system boot,” the report continues.

This injection process allowed the botnet to communicate with its command-and-control (C&C) servers and to download/execute its secondary payloads.

One of those payloads was an AutoIt-compiled script that VictoryGate attempted to inject into ucsvc.exe. The purpose of this payload was to activate the XMRig Monero miner.

“From the data collected during our sinkholing activities we can determine that there are, on average, 2,000 devices mining throughout the day. If we estimate an average hashrate of 150H/s, we could say that the authors of this campaign have collected at least 80 Monero (approximately US$6000) from this botnet alone,” the researchers said.
