Connect with us

Hi, what are you looking for?



‘VictoryGate’ Botnet Infected 35,000 Devices via USB Drives

ESET managed to sinkhole several command and control (C&C) servers of a botnet that propagates via infected USB devices, thus disrupting its activities.

ESET managed to sinkhole several command and control (C&C) servers of a botnet that propagates via infected USB devices, thus disrupting its activities.

Referred to as VictoryGate and active since at least May 2019, the botnet impacted devices in Latin America the most, especially Peru, where more than 90% of the compromised devices are located. After sinkholing the C&Cs, ESET’s security researchers were able to estimate the botnet’s size at over 35,000 devices.

VictoryGate was mainly focused on Monero mining, but the malware allowed the botmaster to issue commands to the nodes to download and execute additional payloads. Thus, ESET believes that the botnet’s purpose could have changed at some point.

“This posed a considerable risk, given that we’ve identified compromised network traffic that stems from the public sector and from organizations in the private sector, including financial institutions,” the security firm notes.

The botnet abuses the resources of an infected device for cryptomining, with a sustained 90-99% CPU load, thus slowing down the device and possibly even damaging it.

For propagation, the botnet uses infected removable devices only. For that, the malware copies all of the files on the USB drive to a hidden directory on root, and uses Windows executables compiled on the fly as apparent namesakes.

For the victim, the USB drive would appear normal, with all files and folders in order. When the victim attempts to open a file, the script launches both the intended file and the malware’s initial module, which copies itself to %AppData% and places a shortcut in the startup folder, to be executed at reboot.

The malware can inject an AutoIt-compiled script into legitimate Windows processes to ensure communication with the command and control (C&C) server, as well as the download and execution of secondary payloads. The script also scans for connected USB drives to infect.

Advertisement. Scroll to continue reading.

The bots can download and execute files, notify the C&C whether tasks were successful, send system information (username, hostname, antimalware product installed, AutoIt version, and more), and notify the C&C whether the execution path is different from the one expected.

Observed downloaded payloads were AutoIt-compiled scripts attempting to inject XMRig mining software into the ucsvc.exe (Boot File Servicing Utility) process. Next, the mining starts on the infected system.

The botnet uses an XMRig proxy to hide the mining pool and terminates the mining process when the user opens Task Manager, to hide CPU usage. The process is resumed as soon as Task Manager is closed.

ESET estimates that there are, on average, 2,000 bots mining throughout the day, and that the botnet operations have generated at least 80 Monero (approximately $6,000).

“Despite our efforts, infected USB drives will continue to circulate and new infections will still occur. The main difference is that the bots will no longer receive commands from the C&C. This will prevent new victims from downloading secondary payloads from the internet. However, those PCs that were infected prior to the disruption may continue to perform cryptomining on behalf of the botmaster,” ESET concludes.

Related: Hoaxcalls Botnet Expands Targets List, DDoS Capabilities

Related: Botnet Targets Critical Vulnerability in Grandstream Appliance

Related: Potent ‘dark_nexus’ IoT Botnet Emerges

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join us as we delve into the transformative potential of AI, predictive ChatGPT-like tools and automation to detect and defend against cyberattacks.


As cybersecurity breaches and incidents escalate, the cyber insurance ecosystem is undergoing rapid and transformational change.


Expert Insights

Related Content


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.


As it evolves, web3 will contain and increase all the security issues of web2 – and perhaps add a few more.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...


Luxury retailer Neiman Marcus Group informed some customers last week that their online accounts had been breached by hackers.


Zendesk is informing customers about a data breach that started with an SMS phishing campaign targeting the company’s employees.


Satellite TV giant Dish Network confirmed that a recent outage was the result of a cyberattack and admitted that data was stolen.

Artificial Intelligence

The release of OpenAI’s ChatGPT in late 2022 has demonstrated the potential of AI for both good and bad.


A new study by McAfee and the Center for Strategic and International Studies (CSIS) named a staggering figure as the true annual cost of...