The majority of the bots are located in Brazil and Peru but the number of victims is constantly increasing across diverse regions.
Threat actors who previously targeted cryptocurrency wallets through Distributed Denial of Service (DDoS) attacks have now launched another malware loader to facilitate their botnet Trojan. This time, they have used the Smoke Loader tool along with the RIG exploit kit and have managed to infect around 152,000 hosts with the new malware loader, claim security researchers at Malwarebytes Labs.
In their blog post, researchers noted that the botnet has managed to achieve such an astoundingly high figure through two different distribution campaigns to drop ElectrumDoSMiner malware. It is worth noting that the attackers have managed to steal roughly $4.6 million by April.
Researchers at Malwarebytes state that it started off as a phishing campaign designed to trap users so that they download a malicious version of the wallet. The attacker(s) exploited a vulnerability in the Electrum software, which could steal funds from the victim’s wallet.
In February, the wallet developers used the same vulnerability for redirecting users to download the patched version of the software. However, they discovered the use of an undocumented loader called Trojan.BeamWinHTTP, which is responsible for downloading the ElectrumDoSMiner. Devices that have been infected with malware would become slow and the internet speed will also slow down because the device will join the army of botnets to carry out additional DDoS attacks.
“While these DDoS attacks have not been publicized much by mainstream media, they have undoubtedly caused millions of dollars in losses over the span of just a few months,” said Malwarebytes in its blog post.
The botnet is currently invading computers in the Asia Pacific and South American Region; the majority of the bots are located in Brazil and Peru but the number of victims is constantly increasing across diverse regions.
“We believe as some machines get cleaned up, new ones are getting infected and joining the others to perform DoS attacks. Malwarebytes detects and removes ElectrumDoSMiner infections on more than 2,000 endpoints daily,” Malwarebytes added.
It is quite concerning that by April 24, the number of infected devices was below the 100,000 marks but the very next day, it reached 152,000, while the number of infected hosts also keeps changing but on average it is over 100,000.
In their previous attacks, they used the Smoke Loader and RIG Exploit Kit for stealing funds. In that campaign, the malware was dropped through DDoS attacks and launch the ElectrumDoSMiner but the new campaign involves using a new malware dubbed Trojan.BeamWinHTTP.
However, this malware can also download the ElectrumDoSMiner, which can be found on the system in a file titled transactionservices.exe. The ElectrumDoSMiner Trojan floods the Electrum nodes with requests so that the system gets infected and joins the army of botnets.