Researchers from Slovakia-based internet security firm ESET have discovered that over 35,000 computers have been infected with crypto-mining bots.
The firm said the bots, spread across more than 35,000 computers in Latin America, propagate via USB drives.
By combining “sinkhole data” and “telemetry data,” ESET has been able to estimate the extent of its spread. According to their findings:
“This posed a considerable risk, given that we’ve identified compromised network traffic that stems from the public sector and from organizations in the private sector, including financial institutions.”
How do these crypto-mining bots operate?
ESET discovered that the bots operate as part of a botnet it named “VictoryGate.” Around 90% of the infected devices are located in Peru.
The network has been in operation since May 2019, and over that time the bots have evolved into several distinct modules.
ESET said that VictoryGate was initially focused on mining Monero (XMR). Over the course of its operations, however, the botmaster may also have issued commands to existing nodes in the network to download and run additional payloads.
In short, crypto-mining attacks like this covertly install the bot on a computer. The bot’s job is to leech the computer’s processing power to mine cryptocurrency without the user’s knowledge.
According to ESET, the malware consumes a large share of the machine’s resources, sustaining a 90% to 99% CPU load that slows infected devices, causes overheating and, at worst, damages the hardware.
The botnet spreads only through removable drives. The malware copies the files stored on a victim’s USB drive into a hidden directory on that drive.
It then creates executables at the drive root whose names mimic the original files. When a user opens one of these look-alike files, the malicious script runs instead.
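A way to triage a suspect drive for the pattern just described, written as an added example for this page (it is not ESET’s tooling and not a VictoryGate signature): the script indexes non-executable files stored in subdirectories of the drive and flags root-level executables whose names mimic them, noting whether the directory holding the original is hidden. The executable extensions, the directory name `.originals`, and the sample files are constructed assumptions for the demo.

```python
"""Triage a removable drive for the USB propagation pattern described in the article:
originals copied into a hidden directory, decoy executables at the root bearing their names.
Added example, not ESET's code; the layout built by build_sample_drive() is constructed."""
import stat
import tempfile
from pathlib import Path

# Extensions a decoy executable could carry. Assumption for the example, not from the report.
EXEC_SUFFIXES = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd"}


def is_hidden(path):
    """Hidden on Windows means FILE_ATTRIBUTE_HIDDEN; elsewhere approximate with a leading dot."""
    attrs = getattr(path.stat(), "st_file_attributes", 0)
    return bool(attrs & stat.FILE_ATTRIBUTE_HIDDEN) or path.name.startswith(".")


def _name_variants(path):
    """Names under which an original could be mimicked: 'report.docx' -> {'report', 'report.docx'},
    so both report.exe and report.docx.exe at the root count as matches."""
    return {path.stem.lower(), path.name.lower()}


def find_decoy_executables(drive_root):
    """Return [(decoy_exe, [original_copies], hidden_parent)] for executables at the drive root
    whose name matches a non-executable file stored somewhere below the root."""
    root = Path(drive_root)
    originals = {}  # lowercase name variant -> [Path of candidate original copy]
    for p in root.rglob("*"):
        if p.is_file() and p.parent != root and p.suffix.lower() not in EXEC_SUFFIXES:
            for key in _name_variants(p):
                originals.setdefault(key, []).append(p)

    findings = []
    for p in sorted(root.iterdir()):
        if p.is_file() and p.suffix.lower() in EXEC_SUFFIXES:
            matches = originals.get(p.stem.lower(), [])
            if matches:
                hidden = any(is_hidden(o.parent) for o in matches)
                findings.append((p, matches, hidden))
    return findings


def build_sample_drive(base):
    """Constructed sample layout (demo only): originals moved into a hidden dir, decoys at root."""
    base = Path(base)
    hidden = base / ".originals"  # constructed name; on a real drive this is a hidden-attribute folder
    hidden.mkdir()
    for name in ("report.docx", "photo.jpg"):
        (hidden / name).write_bytes(b"original user content")
        (base / (name + ".exe")).write_bytes(b"MZ decoy")  # decoy mimicking the original's name
    (base / "notes.txt").write_text("untouched file")  # clean file with no decoy
    (base / "setup.exe").write_bytes(b"MZ legit")  # root executable with no hidden twin: not flagged
    return base


def demo():
    """Build the sample drive in a temp dir and return the findings as plain names."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_drive(tmp)
        return [(d.name, [o.name for o in origs], hidden)
                for d, origs, hidden in find_decoy_executables(tmp)]


if __name__ == "__main__":
    for decoy, origs, hidden in demo():
        print(f"{decoy}: mimics {origs} (original in hidden directory: {hidden})")
```

Treat a hit as a reason to quarantine the root executable and restore the original from the hidden copy, not as proof of infection on its own: a genuine `report.exe` next to a `report.docx` in a subfolder will also match, so the heuristic is for triage rather than automatic deletion.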
Infected drives will continue to circulate the malware, but the botnet can be controlled
ESET estimates that around 2,000 bots are active on infected devices on any given day, generating at least 80 XMR every day.
“Despite our efforts, infected USB drives will continue to circulate and new infections will still occur. The main difference is that the bots will no longer receive commands from the C&C. This will prevent new victims from downloading secondary payloads from the internet.”
They clarified, however, that computers that have been infected may continue to mine cryptocurrencies “on behalf of the botmaster.”
Users who suspect that they may have been infected by the bot can try ESET’s free online scanner.
ESET has already taken down the botnet’s command-and-control server. To do so, it established a sinkhole: an alternative domain name under ESET’s control to which all requests from the infected devices are now directed.
The same sinkhole is what gave ESET visibility into the botnet’s activity.
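Once a sinkhole is in place, every check-in from an infected device becomes a log line, and the daily bot estimate quoted above is the kind of figure you derive from those lines. The following is an added example, not ESET’s sinkhole tooling or data: it parses a constructed sinkhole access log (assumed format: ISO 8601 UTC timestamp, source IP, request line; addresses from the RFC 5737 documentation ranges) and counts, per day, how many distinct sources called in and how many of them were seen for the first time, which is the simplest way to track both the active population and the new infections the researchers expect to keep occurring.

```python
"""Estimate daily botnet activity from sinkhole request logs.
Added example with a constructed log; not ESET's tooling or telemetry."""
from datetime import datetime

# Constructed sample (not real sinkhole data): one line per request that reached the sinkhole.
# Includes a malformed line and a blank line to show they are skipped rather than counted.
SAMPLE_SINKHOLE_LOG = """\
2020-04-20T00:05:11Z 203.0.113.10 GET /
2020-04-20T03:41:52Z 198.51.100.7 GET /
2020-04-20T09:12:00Z 203.0.113.10 GET /
2020-04-20T17:30:45Z 192.0.2.44 GET /
not a log line

2020-04-21T02:15:09Z 198.51.100.7 GET /
2020-04-21T08:00:00Z 203.0.113.10 GET /
2020-04-21T11:47:33Z 192.0.2.99 GET /
2020-04-22T06:20:18Z 192.0.2.44 GET /
2020-04-22T06:20:19Z 192.0.2.44 GET /
2020-04-22T14:05:07Z 198.51.100.200 GET /
"""


def parse_sinkhole_log(text):
    """Yield (timestamp, source_ip) for each well-formed line; skip blank or malformed ones."""
    for line in text.splitlines():
        parts = line.split(maxsplit=2)
        if len(parts) < 2:
            continue
        try:
            ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ")
        except ValueError:
            continue  # malformed timestamp: not a request we can place in time
        yield ts, parts[1]


def daily_bot_counts(text):
    """Return {"YYYY-MM-DD": (active_sources, first_seen_sources)} in chronological order.

    active_sources   = distinct IPs that checked in that day (repeat check-ins count once)
    first_seen_sources = IPs never observed on an earlier day, a proxy for new infections
    """
    seen = set()
    per_day = {}  # day -> (active set, new set); insertion order follows sorted timestamps
    for ts, ip in sorted(parse_sinkhole_log(text)):
        active, new = per_day.setdefault(ts.date().isoformat(), (set(), set()))
        active.add(ip)
        if ip not in seen:
            seen.add(ip)
            new.add(ip)
    return {day: (len(active), len(new)) for day, (active, new) in per_day.items()}


if __name__ == "__main__":
    for day, (active, new) in daily_bot_counts(SAMPLE_SINKHOLE_LOG).items():
        print(f"{day}: {active} active sources, {new} first seen")
```

Counting by source address is only an estimate: hosts behind the same NAT collapse into one count and DHCP churn inflates the "first seen" column, which is why ESET combined sinkhole data with endpoint telemetry rather than relying on either alone.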
Images courtesy of Jack Moreh/Stockvault, Castorly Stock/Pexels