ESET, a Slovak cybersecurity firm, has reported success in disrupting a previously undocumented Monero-mining botnet in Latin America.
In an announcement on April 23, ESET said the malware had infected over 35,000 computers since May 2019, with 90% of compromised devices located in Peru.
The ESET researchers have dubbed the botnet VictoryGate and note that its main activity has been illicit Monero mining, also known as cryptojacking.
Cryptojacking is the industry term for stealth crypto-mining attacks, which work by installing malware that uses a computer’s processing power to mine cryptocurrency without the owner’s consent or knowledge.
The firm’s announcement also notes that the malware causes extremely high resource usage on infected computers, a sustained 90–99% CPU load that can lead to overheating and potentially damage the device.
The botnet’s propagation vector has been external USB drives, which appear to still contain their original files, with identical names and icons.
“However, the original files have been copied to a hidden directory in the root of the drive and Windows executables have been provided as apparent namesakes.”
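The file-swapping pattern described above suggests a simple host-side check. The following is an added example, not ESET’s code or a detection from the report: it scans a drive root for hidden directories and flags root-level executables whose names shadow a file stored inside one. The hidden directory name `.orig`, the function names and the sample drive layout are assumptions.

```python
import ctypes
import os
import tempfile
from pathlib import Path

EXE_SUFFIXES = {".exe", ".scr", ".com"}


def is_hidden(path: Path) -> bool:
    """Dot-names count as hidden everywhere; on Windows also check FILE_ATTRIBUTE_HIDDEN."""
    if path.name.startswith("."):
        return True
    if os.name == "nt":
        attrs = ctypes.windll.kernel32.GetFileAttributesW(str(path))
        return attrs != -1 and bool(attrs & 0x2)  # 0x2 = FILE_ATTRIBUTE_HIDDEN
    return False


def find_shadowed_files(drive_root: str) -> list:
    """Return sorted (decoy_exe, original_relpath) pairs found at the drive root."""
    root = Path(drive_root)
    originals = {}
    for d in root.iterdir():
        if d.is_dir() and is_hidden(d):
            for f in d.iterdir():
                if f.is_file():
                    # Index by stem and full name: "report.exe" and "report.docx.exe" both match "report.docx"
                    originals.setdefault(f.stem.lower(), f)
                    originals.setdefault(f.name.lower(), f)
    hits = []
    for f in root.iterdir():
        if f.is_file() and f.suffix.lower() in EXE_SUFFIXES:
            match = originals.get(f.stem.lower())
            if match is not None:
                hits.append((f.name, match.relative_to(root).as_posix()))
    return sorted(hits)


def build_sample_drive() -> str:
    """Constructed USB layout mimicking the described pattern (not a real sample)."""
    root = Path(tempfile.mkdtemp())
    hidden = root / ".orig"  # assumed name for the hidden directory in the drive root
    hidden.mkdir()
    (hidden / "report.docx").write_bytes(b"PK\x03\x04")  # originals moved here
    (hidden / "photo.jpg").write_bytes(b"\xff\xd8\xff")
    (root / "report.exe").write_bytes(b"MZ")  # executable namesakes left at the root
    (root / "photo.jpg.exe").write_bytes(b"MZ")
    (root / "notes.txt").write_bytes(b"benign, untouched")
    return str(root)
```

Point `find_shadowed_files` at the mount point of a removable drive; any pair it returns is worth quarantining and checking with a scanner before the decoy is opened.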
Having detected the botnet, ESET has had some success in disrupting its operations by taking down its command and control (C&C) server and setting up a “sinkhole”, which diverts the bots’ requests to an alternative domain name and has enabled ESET to monitor and control the infected hosts.
ESET says that it is working with the non-profit Shadowserver Foundation to share sinkhole logs and jointly try to mitigate the threat posed by VictoryGate.
The researchers stated:
“Despite our efforts, infected USB drives will continue to circulate and new infections will still occur. The main difference is that the bots will no longer receive commands from the C&C […] However, those PCs that were infected prior to the disruption may continue to perform cryptomining on behalf of the botmaster.”
In the meantime, users who believe their device has been infected by the botnet can check it with the firm’s free online scanner.
Separately, the report notes that the attackers behind the “Sodinokibi” ransomware have recently switched from Bitcoin to Monero to better protect their identities from law enforcement.