AV maker ESET disrupts VictoryGate botnet

VictoryGate botnet was primarily used for distributing crypto-mining malware

VictoryGate botnet shut down

With countless ransomware attacks[1] and COVID-19 phishing scams[2] dominating the cybersecurity landscape in recent months, it is always nice to hear some good news. A botnet dubbed VictoryGate has been temporarily shut down with the help of security firm ESET.

According to the report published by ESET today,[3] VictoryGate has been in operation since May 2019 and mainly infected users in Latin America, with 90% of the infections coming from Peru. The source of the infection is believed to be contaminated USB drives, although, since the botnet is still under heavy investigation, other propagation methods may exist.

At the time of the shutdown, ESET had linked approximately 35,000 devices to the botnet. They were secretly mining Monero cryptocurrency, abusing the host machines' resources to deliver the funds directly into pre-determined wallets. However, this is not the only possible use for VictoryGate, as the researchers noted:

However, given that the botmaster was able to issue commands to the nodes to download and execute new secondary payloads at any given time, this could have changed at some point. This posed a considerable risk, given that we’ve identified compromised network traffic that stems from the public sector and from organizations in the private sector, including financial institutions.

DNS provider No-IP cooperated to shut down relevant domains

Since VictoryGate's release in May last year, at least three different variants of the initial module have been identified, along with ten different payloads that are downloaded later. Since the start of 2020, the botnet handled around 2,000 – 3,500 unique IP connections to the Command & Control server per day.

Typically, the attackers controlling a botnet use a number of subdomains to control the connected bots. In this case, these subdomains were hosted by the DNS service provider No-IP, which shut them down as soon as ESET reported its findings.

As a result, the threat actors behind VictoryGate are no longer capable of sending commands to the bots or performing any other actions, effectively rendering the bots useless. The security firm is also working with the non-profit Shadowserver Foundation to further disrupt the botnet by using a so-called sinkhole – a fake Command & Control server that receives the connections from all infected hosts and monitors their behavior. By redirecting the nodes to the fake C&C server, researchers can initiate the disinfection of all the affected computers over time.

VictoryGate used various techniques to avoid being detected

The propagation method via infected USB drives is quite intricate, although not uncommon for the Latin American region. The infection starts when an unsuspecting user connects an external drive that was previously plugged into an infected PC. The contents of the drive look virtually the same unless the user takes a look at details like file types and sizes – all the files have been converted to applications and have the same size (in the analyzed sample, the file size was 825 KB).

Once one of these files is clicked, the infection routine begins, although the original file is opened as well, so the user has no reason to become suspicious. The original files, along with the malicious AutoIt script[4] that launches the infection, are stored inside a hidden folder.

In addition, VictoryGate uses a separate module that infects all connected USB drives as soon as the user opens one of the contaminated application files, which results in infections of other devices and helps the malware spread.

Once the payload is executed, the malware connects to a remote C&C server, injects malicious code into several different Windows processes, creates a scheduled task, and installs the XMRig miner[5] to begin its operations.
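The article's description of the infected drive (every visible file turned into an executable, all of identical size, with the originals tucked into a hidden folder next to the AutoIt script) translates directly into a heuristic a defender can run against a removable drive's root. The following is an added example written for this article, not ESET's detection logic. The 825 KB decoy size is the article's figure; the directory layout, the original file names, the hidden folder name `.originals` (a dotname standing in for the Windows HIDDEN attribute when run off Windows) and the AutoIt script name `launcher.au3` are all constructed here for the demonstration. It also assumes a decoy is named after its original, with or without the original extension, which the article does not state.

```python
"""Heuristic scan for the USB-spreading pattern described in the article.

Added example, not ESET's tooling. Flags a drive root where every visible
file is an .exe, all decoys share one size, and a hidden folder holds
same-named originals. The demo drive image is constructed in a temp dir.
"""
import stat
import tempfile
from collections import Counter
from dataclasses import dataclass, field
from pathlib import Path

DECOY_SIZE = 825 * 1024  # decoy size in the sample ESET analyzed (article figure)


@dataclass
class UsbScanResult:
    visible_exes: int            # visible top-level files ending in .exe
    all_visible_are_exe: bool    # no non-executable file left visible at the root
    uniform_size: bool           # every decoy has the same byte size
    shadowed_originals: list = field(default_factory=list)  # hidden originals that have a decoy

    @property
    def suspicious(self) -> bool:
        return (self.visible_exes >= 2 and self.all_visible_are_exe
                and self.uniform_size and bool(self.shadowed_originals))


def _is_hidden(path: Path) -> bool:
    # Windows marks folders with FILE_ATTRIBUTE_HIDDEN; on POSIX fall back to dotnames.
    if path.name.startswith("."):
        return True
    attrs = getattr(path.stat(), "st_file_attributes", 0)
    return bool(attrs & getattr(stat, "FILE_ATTRIBUTE_HIDDEN", 0))


def scan_drive_root(root) -> UsbScanResult:
    """Inspect the top level of a (removable) drive for the decoy pattern."""
    root = Path(root)
    entries = list(root.iterdir())
    visible_files = [p for p in entries if p.is_file() and not _is_hidden(p)]
    hidden_dirs = [p for p in entries if p.is_dir() and _is_hidden(p)]

    decoys = [p for p in visible_files if p.suffix.lower() == ".exe"]
    all_exe = bool(decoys) and len(decoys) == len(visible_files)
    uniform = all_exe and len(Counter(p.stat().st_size for p in decoys)) == 1

    # Assumption: "report.xlsx" becomes "report.exe" or "report.xlsx.exe";
    # Path.stem strips only the trailing ".exe", so it covers both namings.
    decoy_stems = {p.stem.lower() for p in decoys}
    shadowed = [orig for hd in hidden_dirs for orig in hd.iterdir()
                if orig.is_file()
                and (orig.stem.lower() in decoy_stems or orig.name.lower() in decoy_stems)]
    return UsbScanResult(len(decoys), all_exe, uniform, shadowed)


def _write(path: Path, size: int) -> None:
    path.parent.mkdir(parents=True, exist_ok=True)
    path.write_bytes(b"\0" * size)


def build_constructed_sample(root, infected: bool) -> Path:
    """Lay out a constructed drive image (not a real capture).

    Infected: originals and a placeholder AutoIt script go into a hidden
    folder, same-size .exe decoys named after the originals stay visible.
    """
    root = Path(root)
    originals = {"budget.xlsx": 40_000, "holiday.jpg": 310_000}
    if not infected:
        for name, size in originals.items():
            _write(root / name, size)
        return root
    hidden = root / ".originals"  # constructed name; dotname = hidden off Windows
    for name, size in originals.items():
        _write(hidden / name, size)
        _write(root / (Path(name).stem + ".exe"), DECOY_SIZE)
    _write(hidden / "launcher.au3", 12_000)  # placeholder name for the AutoIt script
    return root


def demo():
    """Scan one constructed infected root and one clean root; return both results."""
    with tempfile.TemporaryDirectory() as bad, tempfile.TemporaryDirectory() as good:
        infected = scan_drive_root(build_constructed_sample(bad, infected=True))
        clean = scan_drive_root(build_constructed_sample(good, infected=False))
    return infected, clean


if __name__ == "__main__":
    infected, clean = demo()
    print("constructed infected root suspicious:", infected.suspicious)
    print("clean root suspicious:", clean.suspicious)
```

Running the script prints `True` for the constructed infected root and `False` for the clean one. Each signal on its own is weak (a drive full of installers is legitimately all executables), so the verdict requires all of them together: uniform-size decoys plus a hidden folder whose files line up name-for-name with those decoys. On a real incident the `shadowed_originals` list is also the recovery list, since it points at the user's untouched files.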

Not the end of VictoryGate

At the time of the subdomain shutdown, ESET estimated that the attackers had profited approximately $6,000 (80 Monero) over the course of the operation. Thanks to the successful operation of the cybersecurity firm together with Shadowserver and No-IP, the bots will no longer be able to retrieve commands from the C&C servers, which prevents victims from downloading secondary payloads.

While the security researchers managed to greatly disrupt the botnet, the attackers will still be able to profit from some infected computers. Machines infected prior to the disruption may continue to mine cryptocurrency for the attackers, since the miner runs locally and needs no further commands, so affected users should use updated security tools to clean their systems of the malicious activity.