Slovak cybersecurity company ESET announced today that it has taken down a malware botnet that infected more than 35,000 computers.

According to an ESET press release published today, the botnet has been active since May 2019, and most of its victims were located in Latin America, with Peru accounting for more than 90% of the total number of victims.

ESET said the botnet, codenamed VictoryGate, had the primary goal of infecting victims with malware that mined the Monero cryptocurrency behind their backs.

According to ESET researcher Alan Warburton, who investigated Operation VictoryGate, the botnet was monitored through a server hidden behind the No-IP dynamic DNS service.

Warburton says that ESET reported and took down the botnet's command and control (C&C) server and set up a fake one (called a sinkhole) to monitor and control infected hosts.

The company is now working with members of the Shadowserver Foundation to notify and disinfect all devices that connect to the sinkhole. Based on the sinkhole data, between 2,000 and 3,500 computers continue to ping the malware's C&C server for new commands daily.

[Figure: VictoryGate sinkhole activity. Image: ESET]

The source of infection could be a tainted batch of USB drives

Warburton says they are still investigating the modus operandi of the botnet. So far they have only been able to discover one of VictoryGate’s distribution methods.

“The only spread vector we have been able to confirm is through removable devices. The victim receives a USB drive that was once connected to an infected machine,” Warburton said in a technical deep dive today.

After the malicious USB is connected to the victim’s computer, the malicious software is installed on the device.

Currently, it appears that the VictoryGate malware could have been secretly installed on a batch of USB storage devices shipped to Peru. VictoryGate also contains a component that copies the USB infector to new USB devices connected to a computer, helping it spread to new devices.

Warburton also said that, based on currently available information, the authors of VictoryGate have most likely made at least 80 Monero coins, currently estimated at about $6,000.