Avast, a digital security product developer, in collaboration with the French National Gendarmerie Cybercrime Center, discovered and destroyed Retadup, a worm that infected hundreds of thousands of Windows PCs in Latin America. Retadup was spread by cryptocurrency-mining attackers, who sometimes also used Stop ransomware and Arkei alongside it.
Today, thanks to this cooperation, 850 thousand Retadup infections have been neutralized, and the server from which the attackers controlled the infected devices (the C&C server) has been replaced with a disinfection server that triggers the malware's self-destruction.
Avast Threat Intelligence experts found that Retadup is mainly distributed by dropping malicious shortcuts on mapped drives, in the hope that people will share the malicious files with other users. A shortcut is created with the same name as an existing folder, but with extra text appended, such as “Copy fpl.lnk”. In this way Retadup makes users think they are opening their own files when in reality they are infecting themselves with malware: when the shortcut is opened on a computer, it launches a malicious Retadup script.
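Added here as an illustration (not code from Avast or from the article): a defender-side scan for the lure pattern described above, shortcuts whose name is an existing sibling folder's name plus extra text. The sample drive layout, the “Copy fpl” suffix and the stub .lnk contents are constructed for the example.

```python
import os
import tempfile
from pathlib import Path


def find_suspicious_shortcuts(root):
    """Return .lnk files whose name is a sibling folder's name followed by
    extra text, e.g. folder 'Invoices' next to 'Invoices Copy fpl.lnk'."""
    hits = []
    for dirpath, dirnames, filenames in os.walk(root):
        folders = [d.lower() for d in dirnames]
        for fname in filenames:
            stem, ext = os.path.splitext(fname)
            if ext.lower() != ".lnk":
                continue
            # Windows names are case-insensitive, so compare lower-cased.
            # Require a space after the folder name so that a legitimate
            # 'Invoices2.lnk' next to 'Invoices' is not flagged.
            if any(stem.lower().startswith(f + " ") for f in folders):
                hits.append(os.path.join(dirpath, fname))
    return sorted(hits)


def build_sample_tree(base):
    """Constructed mapped-drive layout: two lures and one harmless shortcut.
    Real .lnk files start with header size 0x4C; the stub keeps only that."""
    base = Path(base)
    stub = b"L\x00\x00\x00"
    (base / "Invoices").mkdir()
    (base / "Invoices Copy fpl.lnk").write_bytes(stub)   # lure
    (base / "Printer.lnk").write_bytes(stub)             # harmless shortcut
    (base / "Photos" / "2019").mkdir(parents=True)
    (base / "Photos" / "2019 Copy fpl.lnk").write_bytes(stub)  # nested lure
    return base


def demo():
    """Build the constructed tree in a temp dir and return flagged names."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return [os.path.basename(p) for p in find_suspicious_shortcuts(tmp)]


if __name__ == "__main__":
    for name in demo():
        print("suspicious shortcut:", name)
```

On a real system, point `find_suspicious_shortcuts` at the root of a mapped drive and review the flagged shortcuts before removing them.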
“The cybercriminals behind Retadup had the ability to run additional malware on hundreds of thousands of computers around the world. Our main goal was to prevent attackers from launching malicious programs on a global scale and to prevent the use of infected computers,” said Jan Vojtěšek, Avast reverse engineer.
By analyzing Retadup, the Avast Threat Intelligence team identified a vulnerability in its C&C protocol. Using this vulnerability, experts could remove the malware from victims’ computers. Retadup’s infrastructure was mainly located in France, so the Avast team contacted the French National Gendarmerie’s cybercrime center at the end of March 2018 to share its findings. On July 2, 2019, the center’s staff replaced the malicious C&C server with a different one, the disinfection server.
Within moments of the new server going live, several thousand bots connected to it to receive commands. The disinfection server was able to cure them using the C&C vulnerability. Thanks to this, all affected users were automatically protected from Retadup.
Some parts of the C&C infrastructure were located in the United States. The French gendarmerie alerted the FBI, which took those servers down. Since July 8, 2019, the cybercriminals have had no control over the infected bots. None of the bots received any new mining tasks after the server was removed: the victims’ computing power was no longer used, and the attackers received no further profit.
Retadup-infected computers sent a considerable amount of information about themselves to the C&C server. The gendarmerie gave the Avast team access to a snapshot of the server’s file system so that aggregated information about Retadup’s victims could be obtained.
The snapshot of the C&C server file system also allowed Avast specialists to estimate the amount of cryptocurrency the cybercriminals received from February 15, 2019 to March 12, 2019. The malware authors mined 53.72 XMR (about $4.5 thousand) in just the last month during which the wallet address was still active. The Avast team suggests that the attackers could have immediately forwarded the funds to other addresses, so the real profit from mining was probably higher.
“The most interesting information was the exact number of infected devices and their geographical distribution. To date, 850,000 unique Retadup infections have been neutralized. The vast majority were in Latin America,” said Jan Vojtěšek. “More than 85% of Retadup victims did not have third-party antivirus software installed. Some simply turned it off, which made them completely vulnerable to the worm and involuntarily spread the infection further. Usually we can only help Avast users, so we were very interested in trying to protect the rest of the victims around the world on such a huge scale.”