Cyber-security firm ESET said it has taken down a malware botnet that had infected more than 35,000 computers.
The botnet, which has been active since May last year, has infected many computers, the majority of which are located in Latin America; Peru alone accounts for more than 90% of the total victim count.
The botnet, called VictoryGate, has the main purpose of infecting victims with malware that mines the Monero cryptocurrency behind their backs.
Alan Warburton, a researcher at ESET who investigated the VictoryGate operation, says the botnet was controlled using a server hidden behind the No-IP dynamic DNS service.
ESET reported and took down the botnet’s command and control (C&C) server and set up a fake one (called a sinkhole) to monitor and control the infected hosts.
ESET is working with members of the Shadowserver Foundation to notify and disinfect all computers that connect to the sinkhole. According to sinkhole data, between 2,000 and 3,500 computers are still pinging the malware's C&C server for new commands on a daily basis.
The researcher states that they are still investigating the botnet's techniques. So far, they have only been able to understand one of VictoryGate's distribution methods, which is via removable devices. The victim receives a USB drive that was connected to an infected machine at some point. When the malicious USB drive is connected to the victim's computer, the malware is installed on that machine.
It is believed that the VictoryGate malware might have been secretly installed on a compromised batch of USB storage devices that were shipped within Peru. The malware also contains a component that copies the USB infector to new USB devices connected to an infected computer, helping it spread to further machines.
Based on the currently available information, the researchers believe that the VictoryGate authors might have made at least 80 Monero coins, estimated to be worth around $6,000.