Law enforcement authorities rescued roughly 850,000 machines that were infected with Retadup malware by replacing the command-and-control infrastructure with a disinfection server, causing the worm to self-destruct.
The operation took place last July under the auspices of the French National Gendarmerie’s Cybercrime Fighting Center and the FBI, and was significantly aided by researchers at Avast, who had been closely tracking the threat since March.
Discovered in 2017, Retadup is typically coded in either AutoIt or AutoHotkey, self-propagates by dropping malicious LNK files onto connected drives. “The dropped
LNK files essentially mimic users’ already existing files and they seem to be successful at convincing many of them that they are just benign shortcuts,” reads an Avast technical report published today.
After gaining persistence, Retadup goes on to distribute secondary malware on infected machines. It most commonly delivers a Monero cryptomining program, but also has been observed spreading over malware programs including Stop ransomware and the Arkei password stealer, Avast reports.
The vast majority of Retadup victims whose infections were neutralized in last month’s crackdown are based in Latin American countries. However, the law enforcement operation itself specifically targeted C2 infrastructure based in France and the U.S.
“The cybercriminals behind Retadup had the ability to execute additional arbitrary malware on hundreds of thousands of computers worldwide,” said Avast malware analyst Jan Vojtěšek, who led the research effort on Retadup. “Our main objectives were to prevent them from executing destructive malware on a large scale, and to stop the cybercriminals from further abusing infected computers,” the researcher continued, per an Avast company blog post also published today.
The disinfection operation was made possible by a design flaw, discovered by Avast researchers in Retadup’s C2 protocol, which ultimately allowed law enforcement actors to hijack the malicious infrastructure. In the lead-up to the operation, Avast created a track program to monitor for new Retadup variants or payloads. Meanwhile, French authorities took a snapshot of the C2 server’s desk from the hosting provider for further study.
“Note that we had to take utmost care not to be discovered by the malware authors,” explains the technology report, authored by Vojtěšek. “Up to this point, the malware authors were mostly distributing cryptocurrency miners, making for a very good passive income. But if they realized that we were about to take down Retadup in its entirety, they might’ve pushed ransomware to hundreds of thousands of computers while trying to milk their malware for some last profits.”
As soon as French authorities swapped out the C2 server with the disinfection server, several thousand infected bots immediately connected, looking for malicious orders that never came. Instead, they were liberated from the worm. The FBI acted next, taking down the C2 architecture that was based in the U.S.
From study information gleaned from the bots, researchers determined that most infected computers had two or four cores (computing power is important in cryptomining operations), and 85 percent had no third-party AV software installed. Windows 7 users were most common victim (52.7 percent percent of infections).
An analysis of the C2 components’ source code also confirmed that a previously observed series of tweets bragging about the Retadup worm were actually from its authors. One of the tweets contained what was determined to be a legitimate screenshot of the C2 controller.
In a quirky twist, Avast also discovered that all of the files on the malicious C2 server were themselves infected with the Neshta file infector virus.