Antivirus maker Avast and the French National Gendarmerie announced that they have taken down the dysfunctional infrastructure of the Retadup malware gang. After gaining access to this infrastructure, Avast and French authorities used the gang's own command and control (C&C) servers to instruct the Retadup malware to delete itself from infected computers, effectively disinfecting over 850,000 Windows systems without users having to do anything. The move received wide appreciation.
Avast said that all of this was possible after its malware analysts began going through the malware with a fine-tooth comb back in March and then worked out how to get to the bottom of it. Avast researchers discovered a design flaw in the C&C server communications protocol that allowed them to instruct the malware to delete itself.
Once Avast and French officials had the Retadup servers in hand, they replaced the malicious servers with copies that instructed any infected host connecting to them to delete itself. Based on telemetry Avast collected starting July 2, when it first took over the malware's servers, the vast majority of Retadup-infected computers were located in Latin America.
Peru alone accounted for nearly 35% of all infections, and when researchers added the infection numbers from Venezuela, Bolivia, Ecuador, Mexico, Colombia, Argentina, and Cuba, just these nine countries accounted for 85% of the entire Retadup botnet.
In total, over the course of 45 days, from July 2 to August 19, Avast said that more than 850,000 infected systems connected to the Retadup C&C servers seeking new instructions from the malware’s operators.
The number of infected hosts surprised Avast, as the malware was thought to have been a small operation.
The malware was first seen in 2017, and in its initial phase, it was a simple trojan that collected information about infected computers and sent the data to a remote server for further analysis.
The most notable thing about its first versions was a worm-like self-spreading behavior that relied on dropping booby-trapped LNK files on shared drives in the hope that other users would run the files and infect themselves. But in a technical report released today, Avast said that Retadup had evolved in recent years and that the malware was now running a crypto-mining scheme. Infected hosts, besides reporting data about themselves and dropping the good old LNK files as part of the self-replication behavior, would also download and run a Monero miner.
Avast said one of the reasons the Retadup operation grew so large was that 85% of all infected computers didn’t run an antivirus, allowing the malware to operate unchecked and undetected. Evidence collected from the seized servers showed the Retadup gang made at least 53.72 XMR (~$4,500 USD); however, researchers suspect this is only a small fraction of the gang’s historical profits.
In some campaigns, the malware was also seen being used as a launching pad for the STOP ransomware and the Arkei password stealer, suggesting the operators were actively selling "install space" on infected hosts to other malware gangs.
French authorities also received help from the FBI after Avast found that some parts of the Retadup infrastructure were hosted in the US. Those servers have also been taken down, and Avast said the Retadup creators completely lost control over their botnet on July 8, after the FBI intervened.
Hopefully, any future encounters will be settled similarly without much burden.