VictoryGate is the name of a malware botnet that remained undocumented until recently while being active since May 2019. According to cybersecurity researchers at the Slovakia-based security firm ESET, the botnet is designed to mine for Monero cryptocurrency and is distributed through infected USB devices.
ESET researchers sinkholed several C&S domains to monitor the malicious activities of VictoryGate and were able to take down a portion of the malware botnet C&C servers with the help of No-IP, a dynamic DNS service provider.
It is worth noting that VictoryGate’s subdomains were registered with No-IP, which immediately took them down.
Further probe revealed that so far VictoryGate has infected a minimum of 2,000 and up to 35,000 devices between February and March 2020. Almost 90% of the infected devices are located in Peru, Latin America.
Since 2019, at least three different variants of the botnet’s initial module (detected as MSIL/VictoryGate) have been discovered along with about 10 secondary payloads, which are downloaded from file-hosting sites.
As shown in the screenshot above, it is also identified that the botnet targets Windows systems. The victims include public and private sector organizations, mainly financial institutions. It works by installing a malicious payload into the device, which is distributed through removable USB drives.
“Despite our efforts, infected USB drives will continue to circulate and new infections will still occur,” ESET wrote in a blog post. “The main difference is that the bots will no longer receive commands from the C&C. This will prevent new victims from downloading secondary payloads from the internet.”
“However, those PCs that were infected prior to the disruption may continue to perform cryptomining on behalf of the botmaster,” ESET concluded.
ESET is currently monitoring VictoryGate and will be sending sinkhole logs to Shadowserver Foundation as well. Hence, we can expect some more details on this malware botnet pretty soon.