ESET managed to sinkhole several command and control (C&C) servers of a botnet that propagates via infected USB devices, thus disrupting its activities.
Referred to as VictoryGate and active since at least May 2019, the botnet impacted devices in Latin America the most, especially Peru, where more than 90% of the compromised devices are located. After sinkholing the C&Cs, ESET’s security researchers were able to estimate the botnet’s size at over 35,000 devices.
VictoryGate was mainly focused on Monero mining, but the malware allowed the botmaster to issue commands to the nodes to download and execute additional payloads. Thus, ESET believes that the botnet’s purpose could have changed at some point.
“This posed a considerable risk, given that we’ve identified compromised network traffic that stems from the public sector and from organizations in the private sector, including financial institutions,” the security firm notes.
The botnet abuses the resources of an infected device for cryptomining, with a sustained 90-99% CPU load, thus slowing down the device and possibly even damaging it.
For propagation, the botnet uses infected removable devices only. For that, the malware copies all of the files on the USB drive to a hidden directory on root, and uses Windows executables compiled on the fly as apparent namesakes.
For the victim, the USB drive would appear normal, with all files and folders in order. When the victim attempts to open a file, the script launches both the intended file and the malware’s initial module, which copies itself to %AppData% and places a shortcut in the startup folder, to be executed at reboot.
The malware can inject an AutoIt-compiled script into legitimate Windows processes to ensure communication with the command and control (C&C) server, as well as the download and execution of secondary payloads. The script also scans for connected USB drives to infect.
The bots can download and execute files, notify the C&C whether tasks were successful, send system information (username, hostname, antimalware product installed, AutoIt version, and more), and notify the C&C whether the execution path is different from the one expected.
Observed downloaded payloads were AutoIt-compiled scripts attempting to inject XMRig mining software into the ucsvc.exe (Boot File Servicing Utility) process. Next, the mining starts on the infected system.
The botnet uses an XMRig proxy to hide the mining pool and terminates the mining process when the user opens Task Manager, to hide CPU usage. The process is resumed as soon as Task Manager is closed.
ESET estimates that there are, on average, 2,000 bots mining throughout the day, and that the botnet operations have generated at least 80 Monero (approximately $6,000).
“Despite our efforts, infected USB drives will continue to circulate and new infections will still occur. The main difference is that the bots will no longer receive commands from the C&C. This will prevent new victims from downloading secondary payloads from the internet. However, those PCs that were infected prior to the disruption may continue to perform cryptomining on behalf of the botmaster,” ESET concludes.