The authorities managed to take down the whole infrastructure of the Retadup malware botnet
One of the French police force divisions, the National Gendarmerie, announced today the demise of the Retadup malware, which had been operated by cybercriminals for more than two years. The self-replicating worm and Monero miner, monitored by a security research team from Avast, built a botnet spanning the whole world, and the number of infections kept growing.
The security firm and the French police managed to take down the whole infrastructure of the malware operation and, by using the malicious actors' Command & Control servers, remotely uninstalled the malicious payload from 850,000 computers, most of which were located in Latin America.
Malware researchers at Avast who analyzed various samples explained how the team managed to terminate the infection remotely:
In accordance with our recommendations, C3N dismantled a malicious command and control (C&C) server and replaced it with a disinfection server. The disinfection server responded to incoming bot requests with a specific response that caused connected pieces of the malware to self-destruct.
Despite taking down the botnet and seizing the C&C servers, no arrests were made in connection with the operation of the botnet. Nevertheless, the alleged author of the Trojan was seen on Twitter several times.
A design flaw in the C&C communication protocol allowed researchers to take down Retadup
The Avast team started analyzing Retadup more closely in March 2019, although it had been active earlier. What caught the experts' attention were the sophisticated obfuscation techniques the malware used:
At the time, a malicious Monero cryptocurrency miner piqued our interest because of its advanced stealthy process hollowing implementation. We started looking into how this miner is distributed to its victims and discovered that it was being installed by an AutoIt/AutoHotkey worm called Retadup.
After analyzing several samples, the researchers discovered a design flaw in the C&C communication protocol that would allow them to uninstall the malware from all infected hosts, provided they gained control of the C&C. Because the servers used were located in France, Avast contacted the French authorities for help.
Taking down the servers required a permit from a local prosecutor, which obviously could not be granted instantly.
In early July, the prosecutor granted the permission to shut down the malicious servers, which, combined with the C&C protocol flaw, allowed the termination of the malware. Additionally, some of the servers were located in the United States, so French police contacted the FBI, which took down the remaining bots that were responsible for the cryptocurrency mining feature.
While Retadup was spread all over the world, most victims came from Latin America, and 85% of victims were unprotected by anti-malware software. The operation terminated the malware on 850,000 machines, 52% of which ran the Windows 7 operating system.
Features of the stealthy Retadup worm
The first indications of Retadup were spotted back in June 2017, when researchers analyzed malware samples – it dropped malicious LNK files that allowed remote attackers to steal valuable information like login credentials via the browser.
Since then, the functionality of the Trojan expanded and new features were introduced, including crypto-mining. While many variants floated in the wild, the main functionality did not differ much – Retadup was mainly employed to mine the Monero digital currency and send the funds directly to the malware developers' wallets.
Avast researchers said that the malware uses many anti-analysis techniques to avoid detection and achieves persistence by modifying a registry value or creating a scheduled task – all while attempting to replicate itself to connected networks or drives. During its operation, Retadup continually contacts a remote Command & Control server in order to receive instructions from the remote attackers.
The analysis report also mentioned that Retadup was used to propagate various versions of the STOP ransomware and the Arkei password stealer, which suggests that the malware authors were selling their services to other gangs. Luckily, this activity will now cease thanks to another successful battle won by the authorities and the security researchers.