Slovak cybersecurity firm ESET has disrupted a previously undetected Monero-mining botnet.
According to the firm's report, the malware has compromised more than 35,000 computers since May last year, roughly 90% of them in Peru.
The botnet, which ESET calls VictoryGate, is a cryptomining operation that has grown into three variants since ESET first tracked its activity last year. All three variants have been infecting computers across South America.
It is no surprise that attackers chose Monero for covert mining.
In October last year, researchers uncovered a campaign that hid Monero-mining code inside audio files and infected thousands of systems.
In November last year, a cybersecurity firm reported that a hacking group was scanning for exposed and vulnerable Docker hosts and using them to gain a foothold in networks and deploy cryptominers.
Monero is now widely reported to be the most common coin used on darknet markets, having displaced Bitcoin, which for years was the undisputed currency of cybercrime. As Bitcoin transactions became increasingly traceable on its public ledger, cybercriminals moved to the nearest privacy-centric alternative: Monero.
Monero's developers have continued to strengthen its defining feature, transaction privacy: sender, recipient and amount are all concealed on chain, and that opacity is exactly what makes the coin the favourite of cybercriminals.
As ESET points out, the majority of the 35,000 victims were infected through removable media such as USB drives. When an infected drive is plugged in and used, it installs the malware payload on the system. Once installation is complete, the Monero-mining component is started automatically and the bot begins receiving commands from its command-and-control infrastructure.
ESET notes that the malware hides itself well, so victims are unlikely to notice it.
The infected USB drive looks normal: the familiar files and folders all appear to be present. When the user opens one of them, however, a script runs that drops both the malware's initial module and the file the user actually wanted, so nothing seems amiss. The module then copies itself and plants a shortcut in the Startup folder, so it is launched again at every reboot.
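The propagation and persistence pattern described above lends itself to a simple host triage check. The following Python script is an added example, not code from this article or from ESET: it walks a directory listing and flags two things, shortcuts on a removable drive that carry the name of a hidden file or folder sitting next to them (the lure, where "opening the file" actually runs the dropper), and shortcuts in the Windows Startup folder whose target lives in a user-writable location. The file names, drive letter, user name and resolved shortcut targets in the sample listing are all constructed for illustration and are not indicators from ESET's report; on a live host the listing would come from the filesystem and the targets from parsing the .lnk files themselves.

```python
"""Triage heuristics for the USB-lure and Startup-folder pattern described above.

Added example, not part of the article or of ESET's research. The directory
listing below is constructed for illustration: file names, drive letter,
user name and resolved shortcut targets are assumptions, not indicators from
ESET's report. On a live host the entries would come from the filesystem and
the targets from parsing the .lnk files themselves.
"""
from dataclasses import dataclass
from pathlib import PureWindowsPath
from typing import Dict, List, Optional, Set


@dataclass(frozen=True)
class Entry:
    path: str                     # full Windows path of the file or folder
    hidden: bool                  # FILE_ATTRIBUTE_HIDDEN set on the entry
    target: Optional[str] = None  # for .lnk files: resolved target command line


# Constructed sample listing: a removable drive whose real documents have been
# hidden and shadowed by same-named shortcuts, plus one user's Startup folder.
SAMPLE_LISTING = [
    Entry(r"E:\Informe.docx", hidden=True),
    Entry(r"E:\Informe.docx.lnk", hidden=False, target=r"E:\drv\xx.exe E:\drv\s.au3"),
    Entry(r"E:\Fotos", hidden=True),
    Entry(r"E:\Fotos.lnk", hidden=False, target=r"E:\drv\xx.exe E:\drv\s.au3 Fotos"),
    Entry(r"E:\drv\xx.exe", hidden=True),
    Entry(r"E:\drv\s.au3", hidden=True),
    Entry(r"E:\Presupuesto.xlsx", hidden=False),            # untouched document
    Entry(r"C:\Users\ana\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\update.lnk",
          hidden=False, target=r"C:\Users\ana\AppData\Roaming\svc\xx.exe"),
    Entry(r"C:\Users\ana\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OneDrive.lnk",
          hidden=False, target=r"C:\Program Files\Microsoft OneDrive\OneDrive.exe"),
]

STARTUP_MARKER = r"\start menu\programs\startup"
# Directories a legitimate startup shortcut normally points into. Anything else
# is treated as user-writable and therefore suspicious (a heuristic to tune).
TRUSTED_TARGET_PREFIXES = (r"c:\program files", r"c:\windows")


def find_lure_shortcuts(entries: List[Entry]) -> List[str]:
    """Return .lnk paths whose name (minus .lnk) matches a hidden sibling.

    This is the lure: the user sees 'Informe.docx' with the expected icon, but
    it is a shortcut, and the real, now-hidden file sits beside it for the
    dropper to open once it has installed itself.
    """
    hidden_by_dir: Dict[str, Set[str]] = {}
    for e in entries:
        if e.hidden:
            p = PureWindowsPath(e.path)
            hidden_by_dir.setdefault(str(p.parent).lower(), set()).add(p.name.lower())

    hits = []
    for e in entries:
        p = PureWindowsPath(e.path)
        if p.suffix.lower() != ".lnk":
            continue
        siblings = hidden_by_dir.get(str(p.parent).lower(), set())
        if p.stem.lower() in siblings:       # stem of 'Informe.docx.lnk' is 'Informe.docx'
            hits.append(e.path)
    return hits


def find_startup_shortcuts(entries: List[Entry]) -> List[str]:
    """Return Startup-folder .lnk files whose target is outside trusted program dirs."""
    hits = []
    for e in entries:
        low = e.path.lower()
        if STARTUP_MARKER not in low or not low.endswith(".lnk") or e.target is None:
            continue
        if not e.target.lower().startswith(TRUSTED_TARGET_PREFIXES):
            hits.append(e.path)
    return hits


if __name__ == "__main__":
    for path in find_lure_shortcuts(SAMPLE_LISTING):
        print("lure shortcut shadowing a hidden file:", path)
    for path in find_startup_shortcuts(SAMPLE_LISTING):
        print("startup shortcut with user-writable target:", path)
```

Both checks are heuristics rather than signatures: a shortcut whose name shadows a hidden sibling is rarely legitimate on removable media, and a Startup-folder shortcut that launches something from AppData or a removable drive deserves a look regardless of which malware family planted it. Resolving shortcut targets on a real system means parsing the binary .lnk format (or asking the shell to do it), which this example takes as given input.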
The botnet is not necessarily limited to Monero. Because the operators can push new instructions to the infected nodes and have them download additional payloads, the same infrastructure could be repurposed to mine other coins. Monero remains the obvious choice, however, because its privacy features let the operators mine and cash out with little risk of the proceeds being traced.
According to ESET's researchers, more than 2,000 infected systems were mining Monero in the background at any given time during the day. On that basis they estimate that the operators have earned roughly $6,000 worth of Monero.
“We could say that
the authors of this campaign have collected at least 80 Monero (approximately
$6000) from this botnet alone,” the ESET team pointed out.
ESET also estimated an average hash rate of about 150 H/s per infected device.
ESET has disrupted the botnet by sinkholing its command-and-control domains, which cuts the infected machines off from their operators but does not remove the malware from them. The firm warns that the systems remain compromised and could be taken over again unless they are properly cleaned and secured.
ESET therefore advises users to remain cautious: re-infection by VictoryGate is possible, especially for machines not covered by the ESET sinkholing effort.