Windows is the OS under attack, with over 35,000 infected computers so far, most of them in Latin America, particularly Peru.
It installs scripts and then hides in the root of the drive.
ESET detection name    Hash
MSIL/VictoryGate.A     398C99FD804043863959CC34C68B0305B1131388
MSIL/VictoryGate.A     a187d8be61b7ad6c328f3ee9ac66f3d2f4b48c6b
MSIL/VictoryGate.B     483a55389702cdc83223c563efb9151a704a973e
MSIL/VictoryGate.C     686eef924e6b7aadb5bcff1045b25163501670e6
Filesystem
%ProgramData%\JcmewjJky\jcmewjjky.ico
%ProgramData%\JcmewjJky\jcmewjjky.exe
%ProgramData%\JcmewjJky\jcmewjjky.au3
%AppData%\Microsoft\Windows\Start Menu\Programs\Startup\ctfmon.url.lnk
%AppData%\Microsoft\Windows\Start Menu\Programs\Startup\tpmvsucgr.url
%AppData%\tpmvscugr.exe
%AppData%\ctfmon2.exe
Registry
HKCU/Software/JcMewjJKy
HKLM/Software/Microsoft/Windows NT/CurrentVersion/Schedule/TaskCache/Tree/rwIAMblfuvoss
HKCU/Software/Victory
C&C Domains
Payload URLs
Stay safe, and don't use any suspicious USB drives.
source:
https://www.welivesecurity.com/2020/04/23/eset-discovery-monero-mining-botnet-disrupted/