Avast and the French police worked hand in hand to take down the Retadup botnet's servers. The antivirus company Avast and the French National Gendarmerie announced today that they have neutralized the backend infrastructure of Retadup, a botnet that had been active for about two years.
After gaining full control of that infrastructure, they used the criminals' own command and control (C&C) server to instruct the Retadup malware to delete itself from infected computers, which cleaned up over 850,000 Windows systems without any action by their owners.
Avast's malware analysts had been looking for a way to deal with the botnet since March this year. They discovered a design flaw in the C&C communication protocol: whoever controlled the server could use it to instruct the malware to delete itself.
The malware's C&C servers were located in France, and Avast wasted no time in engaging the French authorities, who seized the criminals' servers.
Once the servers were in hand, the Avast research team replaced the malicious C&C server with a disinfection server whose responses instructed the malware on each infected host to delete itself.
According to data Avast began gathering on July 2, the majority of infected computers were located in Latin America: Peru, Venezuela, Bolivia, Ecuador, Mexico, Colombia and Cuba accounted for 85% of the botnet.
Within 45 days, more than 850,000 compromised machines had been cleaned up.
Retadup was initially considered a small-time worm, but over time it grew into a cryptomining operation. When it was first documented in 2017 it was an information-stealing Trojan that collected details about infected computers and sent them to a remote server.
Its first version spread worm-like by dropping LNK shortcut files on shared drives in the hope that users would open them and infect their own systems. By the time it was stopped it had evolved into a cryptomining operation: the self-replicating component also downloaded and ran a variant of a Monero miner.
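The LNK lure described above is something defenders can hunt for on their own file shares. The following Python script is an added example, not Avast's tooling and not Retadup's code: it parses the fixed ShellLinkHeader and the StringData section of a Windows shortcut (per the MS-SHLLINK format), flags shortcuts whose target or arguments launch a script host or command interpreter rather than a document, and walks a share looking for them. The two sample shortcuts it builds, the `wscript.exe`/`.vbs` lure layout, and the list of suspicious hosts are constructed assumptions for illustration; this page does not describe the exact shortcut Retadup dropped.

```python
"""Hunt for worm-style .lnk lures on a file share (added example).

Parses the ShellLinkHeader and StringData of a Windows shortcut (MS-SHLLINK)
and flags shortcuts that launch a script host or command interpreter.
"""
import os
import re
import struct
import tempfile
from dataclasses import dataclass

HEADER_SIZE = 0x4C                  # fixed ShellLinkHeader length
HAS_LINK_TARGET_ID_LIST = 0x01      # LinkFlags bits (MS-SHLLINK 2.1.1)
HAS_LINK_INFO = 0x02
HAS_NAME = 0x04
HAS_RELATIVE_PATH = 0x08
HAS_WORKING_DIR = 0x10
HAS_ARGUMENTS = 0x20
HAS_ICON_LOCATION = 0x40
IS_UNICODE = 0x80

# Script hosts and LOLBins a lure shortcut typically launches (assumed list).
SUSPICIOUS_HOSTS = re.compile(
    r'(^|[\\/\s"])(cmd|powershell|pwsh|wscript|cscript|mshta|rundll32|regsvr32|certutil|bitsadmin)(\.exe)?\b',
    re.IGNORECASE)
SCRIPT_EXT = re.compile(r"\.(vbs|vbe|js|jse|wsf|ps1|bat|cmd|hta)\b", re.IGNORECASE)


@dataclass
class LnkInfo:
    name: str
    relative_path: str
    working_dir: str
    arguments: str
    icon_location: str


def _read_string(buf, pos, unicode):
    """One StringData entry: u16 CountCharacters followed by the characters."""
    (count,) = struct.unpack_from("<H", buf, pos)
    pos += 2
    if unicode:
        return buf[pos:pos + 2 * count].decode("utf-16-le"), pos + 2 * count
    return buf[pos:pos + count].decode("latin-1"), pos + count


def parse_lnk(buf: bytes) -> LnkInfo:
    """Extract StringData; LinkTargetIDList and LinkInfo are skipped by their sizes."""
    if len(buf) < HEADER_SIZE or struct.unpack_from("<I", buf, 0)[0] != HEADER_SIZE:
        raise ValueError("not a shell link: bad HeaderSize")
    (flags,) = struct.unpack_from("<I", buf, 0x14)
    pos = HEADER_SIZE
    if flags & HAS_LINK_TARGET_ID_LIST:
        pos += 2 + struct.unpack_from("<H", buf, pos)[0]      # IDListSize + IDList
    if flags & HAS_LINK_INFO:
        pos += struct.unpack_from("<I", buf, pos)[0]          # LinkInfoSize includes itself
    fields = {}
    for key, bit in (("name", HAS_NAME), ("relative_path", HAS_RELATIVE_PATH),
                     ("working_dir", HAS_WORKING_DIR), ("arguments", HAS_ARGUMENTS),
                     ("icon_location", HAS_ICON_LOCATION)):
        fields[key], pos = _read_string(buf, pos, flags & IS_UNICODE) if flags & bit else ("", pos)
    return LnkInfo(**fields)


def is_suspicious(info: LnkInfo) -> bool:
    """True when the target or arguments reach a script host or a script file."""
    text = f"{info.relative_path} {info.arguments}"
    return bool(SUSPICIOUS_HOSTS.search(text) or SCRIPT_EXT.search(text))


def scan_share(root: str):
    """Walk a share and return (path, target, args) for every suspicious .lnk."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for fn in files:
            if not fn.lower().endswith(".lnk"):
                continue
            path = os.path.join(dirpath, fn)
            try:
                with open(path, "rb") as fh:
                    info = parse_lnk(fh.read())
            except (ValueError, struct.error, UnicodeDecodeError):
                continue                                      # malformed or truncated shortcut
            if is_suspicious(info):
                hits.append((path, info.relative_path, info.arguments))
    return hits


def build_lnk(relative_path: str, arguments: str = "", name: str = "") -> bytes:
    """Constructed sample shortcut (not a real capture): header plus Unicode StringData."""
    flags, body = IS_UNICODE, b""
    for value, bit in ((name, HAS_NAME), (relative_path, HAS_RELATIVE_PATH), (arguments, HAS_ARGUMENTS)):
        if value:                                             # keep the spec's StringData order
            flags |= bit
            body += struct.pack("<H", len(value)) + value.encode("utf-16-le")
    header = struct.pack("<I", HEADER_SIZE)
    header += bytes.fromhex("0114020000000000c000000000000046")   # LinkCLSID
    header += struct.pack("<I", flags)
    return header.ljust(HEADER_SIZE, b"\x00") + body


# Constructed samples: a lure posing as a folder that runs a VBS via wscript,
# and a benign shortcut to a document. Paths are assumptions.
LURE = build_lnk(r"..\..\Windows\System32\wscript.exe",
                 r'//B "\\fileserver\share\Documents.vbs"', name="Documents")
BENIGN = build_lnk(r"..\Reports\Q2 Summary.docx", name="Q2 Summary")


def demo_scan():
    """Drop both samples into a temporary 'share' and scan it."""
    share = tempfile.mkdtemp(prefix="share_")
    for fn, data in (("Documents.lnk", LURE), ("Q2 Summary.lnk", BENIGN)):
        with open(os.path.join(share, fn), "wb") as fh:
            fh.write(data)
    return scan_share(share)


if __name__ == "__main__":
    for path, target, args in demo_scan():
        print(f"suspicious shortcut: {path} -> {target} {args}")
```

Point `scan_share` at a mounted share root to use it for real; it ignores ExtraData blocks and only reads the fields the heuristic needs, so a shortcut with an IDList-only target (no RelativePath) will not be inspected and is worth listing separately if you extend it.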
Evidence from the seized server showed the operators had collected at least $4,500 USD, though that may be only a small fraction of their profits.
Retadup was also used as a launching pad for the STOP ransomware and the Arkei password stealer, from which the researchers deduced that the operators were selling "install space" on infected hosts to other malware groups.
Most of the compromised computers had no antivirus installed, which allowed the malware to run unhindered.
Because Avast researchers found that part of the Retadup infrastructure was hosted in the US, the FBI assisted the French authorities; with that portion taken down as well, they finally had full control of the botnet.