Posted on April 27, 2020 at 10:18 AM

ESET says 35,000 Computers were Infected by Monero Mining Botnet

Slovakian cybersecurity firm, ESET, has succeeded in dismantling the activities of a Monero-mining botnet which was previously undetected.

According to the report by the security firm, the malware had compromised more than 35,000 computers since May last year, and 90% of the affected systems are from Peru.

The botnet, known as Victory Gate, was discovered as a crypto mining botnet and has expanded into three different variations ever since their parent botnet was discovered by ESET last year. Since then, the three variations have been infecting computers across South America.

There has been an increased rate of Illegal Monero mining

To many people, it’s not a surprise that hackers have used Monero for their malware mining activities.

In October last year, the Monero mining became widely used by hackers as it took the form of audio files and infected thousands of systems to mine the Monero coin.

In November last year, a cybersecurity firm uncovered another threat, when it revealed that a hacking syndicate was looking for vulnerable and exposed Docker platforms. The report revealed that the hackers are using the Docker Platforms to gain illicit access to the networks for mining crypto.

Everybody knows Monero is now the most common crypto coin used in the Darknet, as it has now overtaken Bitcoin in that regard. In the past, Bitcoin was the undisputed transaction coin among cybercriminals.

But as Bitcoin transactions are increasingly becoming traceable, cybercriminals have turned to their next available privacy-centric coin – Monero.

 Monero has tried to strengthen the unique selling feature of the coin, which now makes it the favorite for cybercriminals because of the secretive nature of transacting with the coin.

The cybercriminals used USB Device

As ESET has pointed out, the majority of the 35,000 victims were attacked using a form of external device like a USB. When the device is attached, it starts installing malware-infested payload into the system. Once it’s completely installed, the Monero mining botnet is automatically activated, sending different commands to the node.

ESET has revealed that the botnet camouflages itself very well, which makes it difficult for the user to identify.

The USB drive used in the attack would seem normal with all the computer’s files and folders in order. However, when the user tries opening a file, the script releases both the malware initial module and the intended file. The malware module multiplies and places a shortcut at the startup folder, which would later be launched at reboot.

Nonetheless, it’s possible that this recently discovered Monero mining botnet could be used to mine other crypto coins. It could be possible if the hackers can tweak the instructions to the nodes to download additional payloads. But the hackers may prefer mining Monero because it is one of the safest crypto coin they can steal without a trace.

More than 2,000 computers mined Minero

According to ESET’s security team, more than 2,000 systems mined Monero in the background daily. That means the botnet mined about $6,000 worth of Minero.

 “We could say that the authors of this campaign have collected at least 80 Monero (approximately $6000) from this botnet alone,” the ESET team pointed out.

ESET also said it estimated a 150H/s average hash rate from the mining.

Although the cybersecurity firm has tried to remove those botnets from the infected systems, it warns that the systems could be infected again if serious security measures are not taken.

ESET has advised users to be very cautious because re-infection by Victory Gate is possible, especially for those not covered in the ESET “sink holding” project.