Avast and French police take over malware botnet and disinfect 850,000 computers

Joint private-law enforcement efforts shuts down two-year-old Retadup malware operation for good.
Written by Catalin Cimpanu, Contributor

Antivirus maker Avast and the French National Gendarmerie announced today that they've taken down the backend infrastructure of the Retadup malware gang.

Furthermore, as a result of gaining access to this infrastructure, Avast and French authorities used the criminal gang's command and control (C&C) servers to instruct the Retadup malware to delete itself from infected computers, effectively disinfecting over 850,000 Windows systems without users having to do anything.

Most Retadup victims were located in Latin America

The antivirus maker said that all of this was possible after its malware analysts began looking into the malware with a fine comb back in March.

Avast researchers discovered a design flaw in the C&C server communications protocol that could allow them to instruct the malware to delete itself.

Since the Retadup malware's C&C servers were located in France, Avast approached French authorities, who agreed to help, and seized the crooks' servers.

Once Avast and French officials had the Retadup servers in their hands, they replaced the malicious ones with copies that instructed any infected host which connected to the server to delete itself.

Based on telemetry Avast collected starting with July 2, when they first took over malware's servers, the vast majority of Retadup-infected computers were located in Latin America.

Peru accounted for nearly 35% of all infections, but when researchers added infection numbers from Venezuela, Bolivia, Ecuador, Mexico, Colombia, Argentian, and Cuba, just these nine countries accounted for 85% of the entire Retadup botnet.

Image: Avast

In total, over the course of 45 days, from July 2 to August 19, Avast said that more than 850,000 infected systems connected to the Retadup C&C servers seeking new instructions from the malware's operators.

Retadup -- from small-time worm to cryptominer

The number of infected hosts surprised Avast, as the malware was thought to have been a small operation.

The malware was first seen in 2017, and in its initial phase it was an simple trojan that collected information about infected computers and sent the data to a remote server for further analysis.

The most notable thing about its first versions was a worm-like self-spreading behavior that relied on dropping boobytrapped LNK files in shared drives in the hopes that other users would run the files and infect themselves.

But in a technical report released today, Avast said that Retadup had evolved in recent years, and the malware was now running a crypto-mining scheme.

Retadup infected hosts, besides collecting data from infected hosts and dropping the good ol' LNK files as part of its self-replication behavior, would also download and run a Monero miner.

Evidence collected from the seized servers showed the Retadup gang made at least 53.72 XMR (~$4,500 USD); however, researchers suspect this is only a small fraction of the gangs historical profits.

In some campaigns, the malware was also seen being used as a launching pad for the STOP ransomware and Akei password stealer, suggesting the hackers were actively selling "installspace" on infected hosts to other malware gangs.

Avast said one of the reasons the Retadup operation grew so large was that 85% of all infected computers didn't run an antivirus, allowing the malware to operate unchecked and undetected.

Retadup author bragged on Twitter

No arrests have been made in this case; however, Avast believes they've tracked the malware's creator to a Twitter account who bragged about Retadup when the first reports emerged online about its activity back in 2017.

Image: ZDNet

Following this article's publication, security researchers from Under the Breach were able to track down the Retadup author's real world identity using domain registration data only, in a matter of minutes. Under the Breach researchers told ZDNet that the alleged Retadup author is a 26-year-old Palestinian. These details will be forwarded to Avast and the associated law enforcement inquiry, if they weren't already of them already.

French authorities also received help from the FBI after Avast found that some parts of the Retadup infrastructure was also hosted in the US. Those servers have also been taken down and Avast said the Retadup creators lost complete control over their botnet on July 8, after the FBI intervened.

Updated at 8:10am ET with information on the malware's author from Under the Breach.

The world's most famous and dangerous APT (state-developed) malware

Editorial standards