ESET researchers discover, and play a key role in the disruption of, a 35,000-strong botnet spreading in Latin America via infected USB drives
ESET researchers recently discovered a previously undocumented botnet that we have named VictoryGate. It has been active since at least May 2019 and, since then, three different variants of the initial module have been identified, in addition to approximately 10 secondary payloads that are downloaded from file hosting websites. The initial module is detected by ESET security products as MSIL/VictoryGate.
This botnet is composed mainly of devices in Latin America, specifically Peru, where over 90% of the compromised devices are located. We’ve been actively sinkholing several command and control (C&C) domains, allowing us to monitor this botnet’s activity. The combination of the sinkhole data and our telemetry data allows us to estimate the botnet’s size to be at least 35,000 devices.
To control its botnet, VictoryGate used only subdomains registered at the dynamic DNS provider No-IP. ESET reported the malicious subdomains to No-IP, who swiftly took them all down, effectively removing control of the bots from the attacker. Also, ESET is collaborating with non-profit Shadowserver Foundation by sharing sinkhole logs in an effort to further remediate this threat.
In Figure 1 you can see the peak number of unique IP addresses connecting to the C&C per day.
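The per-day unique-IP counts behind a chart like Figure 1, and the "at least N devices" lower bound drawn from sinkhole data, come from a simple aggregation over the sinkhole logs. The following is an added example written for this post, not ESET's tooling: it assumes a constructed three-field log format (timestamp, source IP, queried host) and uses placeholder domain names in place of the real No-IP subdomains, which the article does not list.

```python
"""Aggregate sinkhole logs into unique source IPs per day.

Added example, not ESET's code. The log format, the sample lines and the
sinkholed domain names are all constructed placeholders.
"""
from collections import defaultdict
from datetime import datetime

# Constructed placeholders standing in for the sinkholed C&C subdomains;
# the article does not publish the real names.
SINKHOLED_DOMAINS = {
    "cnc-example-1.ddns.example",
    "cnc-example-2.ddns.example",
}

# Constructed sample sinkhole log: "<ISO-8601 timestamp> <src IP> <queried host>"
SAMPLE_LOG = """\
2020-03-01T08:12:05Z 203.0.113.10 cnc-example-1.ddns.example
2020-03-01T08:12:09Z 203.0.113.10 cnc-example-1.ddns.example
2020-03-01T09:30:44Z 198.51.100.7 cnc-example-2.ddns.example
2020-03-01T10:01:00Z 192.0.2.55 unrelated.example
2020-03-02T01:15:31Z 203.0.113.10 cnc-example-1.ddns.example
2020-03-02T02:40:12Z 198.51.100.7 cnc-example-2.ddns.example
2020-03-02T03:00:00Z 198.51.100.8 cnc-example-1.ddns.example
malformed line without enough fields
2020-03-03T07:07:07Z 192.0.2.99 cnc-example-2.ddns.example
"""


def parse_line(line):
    """Return (date, ip, host) for a well-formed line, or None for junk."""
    parts = line.split()
    if len(parts) != 3:
        return None
    ts, ip, host = parts
    try:
        day = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").date()
    except ValueError:
        return None
    return day, ip, host.lower()


def unique_ips_per_day(log_text, domains=SINKHOLED_DOMAINS):
    """Count distinct source IPs per day that queried a sinkholed domain.

    Repeated check-ins from the same IP on the same day count once; queries
    for hosts outside the sinkholed set are ignored.
    """
    per_day = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        day, ip, host = rec
        if host in domains:
            per_day[day].add(ip)
    return {day: len(ips) for day, ips in sorted(per_day.items())}


def peak_day(counts):
    """Return (day, count) for the busiest day, or None if there is no data."""
    if not counts:
        return None
    return max(counts.items(), key=lambda kv: kv[1])


def total_unique_ips(log_text, domains=SINKHOLED_DOMAINS):
    """Distinct IPs over the whole window: a lower bound on botnet size."""
    seen = set()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is not None and rec[2] in domains:
            seen.add(rec[1])
    return len(seen)


if __name__ == "__main__":
    counts = unique_ips_per_day(SAMPLE_LOG)
    for day, n in counts.items():
        print(day, n)
    print("peak:", peak_day(counts))
    print("distinct IPs overall:", total_unique_ips(SAMPLE_LOG))
```

Counting distinct IPs undercounts hosts behind NAT and overcounts hosts whose address changes, which is why a figure derived this way is best stated as "at least" so many devices, as the post does; combining it with endpoint telemetry, as ESET describes, tightens the estimate.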
The main activity of the botnet was Monero mining. However, because the botmaster could instruct the nodes to download and execute new secondary payloads at any time, this could have changed at any point. This posed a considerable risk, given that we identified traffic from compromised devices in the public sector and in private-sector organizations, including financial institutions.
The impacts on the victim’s device are:
- Very high resource usage. In all the…