A 35,000-device botnet in Peru is wounded, but still mining cryptocurrency

It’s an example of how the fight against a cybercriminal threat is often long and methodical — and heavily aided by the private sector.
Peru botnet
Researchers from ESET, with the help of a nonprofit, say they've put a dent in a Peruvian botnet. (Getty Images)

Cybersecurity researchers on Thursday said they had helped disrupt the infrastructure behind a botnet being powered by tens of thousands of devices in Peru.

For months, the botnet — an army of compromised computers controlled by an attacker — had grown in strength by quietly infecting devices using USB drives, allowing the attackers to mine thousands of dollars in cryptocurrency. The infections reached the Peruvian public sector and financial institutions, adding urgency to the effort to defang it.

Now, Slovakian anti-virus company ESET says it helped “sinkhole” — or render innocuous — about a quarter of the malicious subdomains used by the botnet.

That means the infected machines will continue to mine cryptocurrency, but they won’t be able to receive more malicious instructions — such as injecting code onto devices— from whoever is controlling the botnet. (ESET said it had no indication that those code injections would happen.) It’s an example of how the fight against a cybercriminal threat is often long and methodical — and heavily aided by the private sector.


“When a new device becomes infected, it will poll the command and control server [of the botnet], but it will receive no reply,” ESET security researcher Alan Warburton told CyberScoop. “No payload will be downloaded.”

The researchers don’t know who is behind the zombie computer army, and exactly how the botnet first formed in Peru is still a mystery. They did find unrelated malware that used the same domains as the botnet, meaning whoever is responsible is likely involved in other forms of hacking. Ninety-six percent of the botnet’s devices are in Peru. There are much smaller groups of infected devices in countries like Sri Lanka and Indonesia, the researchers said.

What is clear is that the botnet is relying on USB devices to gradually spread from machine to machine in the South American country, one of many in Latin America grappling with financial cybercrime. The botnet follows the emergence in recent series of a series of banking trojans — financial-data-stealing malware — targeting Latin America.

“This is a very physical way of propagation, so it makes sense that it is highly focused in a specific area,” Warburton said of the use of USB sticks.

ESET discovered the botnet in October, five months after it began operating. Over the following months, the anti-virus company coordinated with the nonprofit Shadowserver Foundation and No-IP, which manages domain name systems, to put a dent in the malicious infrastructure. While the botnet may be wounded, the malware behind it will continue to propagate.


“There are infected USB drives circulating and we cannot do much about that,” Warburton said.

The Peruvian government’s National Digital Security Incident Response Team did not respond to a request for comment on the botnet.

Sean Lyngaas

Written by Sean Lyngaas

Sean Lyngaas is CyberScoop’s Senior Reporter covering the Department of Homeland Security and Congress. He was previously a freelance journalist in West Africa, where he covered everything from a presidential election in Ghana to military mutinies in Ivory Coast for The New York Times. Lyngaas’ reporting also has appeared in The Washington Post, The Economist and the BBC, among other outlets. His investigation of cybersecurity issues in the nuclear sector, backed by a grant from the Pulitzer Center on Crisis Reporting, won plaudits from industrial security experts. He was previously a reporter with Federal Computer Week and, before that, with Smart Grid Today. Sean earned a B.A. in public policy from Duke University and an M.A. in International Relations from The Fletcher School of Law and Diplomacy at Tufts University.

Latest Podcasts