Vivin Botnet

Malware researchers have been keeping an eye on the activity of the Vivin Botnet since 2017 when this botnet first appeared on the map. The peak activity of the Vivin Botnet was around the end of 2018. Ever since, the operators of this botnet have been neglecting this campaign, and there has been a decreasing number of hijacked systems. The goal of the creators of the Vivin Botnet is to compromise unsuspecting users' systems and plant cryptocurrency miners on them. This would allow the operators of the Vivin Botnet to mine cryptocurrencies using up the computing resources of the users whose systems have been hijacked.

Mines the Monero Cryptocurrency

The mining module that the creators of the Vivin Botnet inject in the compromised systems is the publicly available XMRig cryptocurrency miner. The XMRig miner is designed to mine the Monero cryptocurrency. The XMRig miner has been altered slightly by the operators of the Vivin Botnet to ensure that it runs in the background without raising any suspicion. To spread the payload of the Vivin Botnet, the attackers have opted to utilize pirated applications on popular torrenting websites as an infection vector. This is why cybersecurity experts advise users against downloading pirated content – not only it is illicit, but it also can harm your system and jeopardize your data's safety.

Gaining Persistence

Upon infecting a system, the Vivin Botnet would establish a connection with its operators' C&C (Command & Control) server immediately. This is done so that the threat registers the newly compromised system and fetch the configurations it needs. The operators of the Vivin Botnet use a few different Monero wallet addresses where they collect the mined cryptocurrency. However, they appear to have mentioned several of these addresses on Reddit. The posts regarding the Monero addresses used in the Vivin Botnet campaign were posted by an individual with the username 'vivin123,' which is what inspired the name of the botnet. The Vivin Botnet would gain persistence on the compromised host by scheduling a Windows task that would run the mining module every 30 minutes to ensure it is always operational.

Cryptocurrency miners remain a popular means to make cash illicitly, and cyber crooks are becoming more cunning by the day. This is why users should keep all their applications up to date and be very careful when downloading media or software online. Furthermore, make sure you download and install a genuine anti-malware tool that will keep your system safe and your data secure.