Previously undetected VictoryGate Botnet already infected 35,000 devices

Pierluigi Paganini April 27, 2020

Experts managed to sinkhole several C2 servers of the VictoryGate botnet that already infected over 35,000 devices and propagates via infected USB devices.

The VictoryGate botnet is active since at least May 2019, the botnet is more active in Latin America the most. More than 90% of the infected devices are located in Peru. Experts from ESET managed to sinkhole several C2 servers and dismantled the previously undocumented botnet that was composed of over 35,000 devices.

The VictoryGate bot propagates via infected USB devices, it was designed to mine Monero abusing resourced of compromised devices, it is also able to deliver additional payloads. The bot has infected devices belonging to organizations in both public and private sectors, including financial institutions. 

“The victim receives a USB drive that at some point was connected to an infected machine,” explained ESET Researcher Alan Warburton. “It seemingly has all the files with the same names and icons that it contained before being infected. Because of this, the content will look almost identical at first glance. However, all the original files were replaced by a copy of the malware. When an unsuspecting user attempts to open one of these files, the script will open both the file that was intended and the malicious payload.”

The VictoryGate botnet used only subdomains registered at the dynamic DNS provider No-IP to control infected devices. The security firm with the help of No-IP and the non-profit Shadowserver Foundation was able to take them all down.

Experts noticed a high resource usage, they reported a sustained 90-99% CPU load thus slowing down the infected device and causing overheating that could even damage it.

The only propagation vector observed by the researchers is through removable devices, the malicious code copies all of the files on the USB drive to a hidden directory on root, then uses Windows executables (AutoIt scripts) compiled on the fly as apparent namesakes.

The USB drive would appear normal to the victims, but when they attempt to open a file, the script launches both the intended file and the initial module of the bot, which copies itself to %AppData% and places a shortcut in the startup folder, to achieve persistence at the next reboot.

“This module is an approximately 200 MB .NET assembly that contains a huge array with garbage bytes. This is likely done to avoid scanning by some security products that have file size or other resource consumption limits.” continues the analysis. “The array also contains a XORed and gzip-compressed DLL that, at runtime, is deciphered and loaded with a late binding call using the .NET Reflection API.”

The bot can inject an AutoIt-compiled script into legitimate Windows processes to communicate with the command and control (C&C) server, it is also able to download and execute additional payloads. The script also scans for connected USB drives to infect.

The injected AutoIt agent also constantly scan to detect whether a new USB drive has been connected, then it will replace the files that it contains with propagation scripts and hide the original files.

The bot attempt to download payloads in the form of AutoIt-compiled scripts that attempt to inject XMRig mining software into the ucsvc.exe (Boot File Servicing Utility) process.

The malware uses a stratum/XMRig proxy to hide the mining pool and terminates the mining process when the user opens Task Manager, to avoid to show the CPU usage.

The analysis of the sinkholing activities revealed that there are, on average, 2,000 devices mining throughout the day. Experts estimate an average hashrate of 150H/s, this means that botnet operators have earned at least 80 Monero (approximately US$6000).

“Despite our efforts, infected USB drives will continue to circulate and new infections will still occur. The main difference is that the bots will no longer receive commands from the C&C.” ESET concludes. “This will prevent new victims from downloading secondary payloads from the internet. However, those PCs that were infected prior to the disruption may continue to perform cryptomining on behalf of the botmaster,”

Please give me your vote for European Cybersecurity Blogger Awards – VOTE FOR YOUR WINNERS

[adrotate banner=”9″][adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – VictoryGate botnet, hacking)

[adrotate banner=”5″]

[adrotate banner=”13″]

you might also like

leave a comment