- 29 August 2019 17:39
Avast works with French police, FBI to stop Retadup
Avast [LSE: AVST], a global leader in digital security products, has collaborated with the Cybercrime Fighting Centre (C3N) of the French National Gendarmerie, which took down a malicious worm that has infected hundreds of thousands of Windows machines in Latin America. The worm, known as Retadup, has been distributing a malicious cryptocurrency miner and, in isolated cases, delivering the Stop ransomware and the Arkei password stealer to victims’ computers. To date, the collaboration has neutralized 850,000 unique infections of Retadup (a list of the top 15 countries in which the threat was neutralized can be found below), and the malicious command and control (C&C) server has been replaced with a disinfection server that causes connected instances of the malware to self-destruct.

During their analysis, the Avast Threat Intelligence team discovered that Retadup primarily spreads by dropping malicious LNK (Windows shortcut) files onto connected drives, in the hope that people will carry those files to other machines and users. Each LNK file is given the name of a folder that already exists on the drive, with text such as “Copy fpl.lnk” appended to it, so that a user browsing the drive believes they are opening their own folder when in fact they are launching the shortcut. When executed on a computer, the LNK file runs Retadup’s malicious script.
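The naming trick described above can be triaged from a file listing alone: a shortcut sitting next to a folder and named after that folder, with extra text appended, is the pattern to look for. The script below is an added example, not Avast's tooling or code from Retadup; it assumes only what the text states (decoy `.lnk` files placed beside the folders they impersonate, with a suffix such as "Copy fpl.lnk") and builds a throwaway directory tree to run against, so every file name in it is constructed for the demonstration. Run it against the root of a mounted removable drive to get a list of candidates for closer inspection; the function is a heuristic and does not parse the shortcut's target.

```python
"""Added example (not Avast's or Retadup's code): flag .lnk files whose name
mirrors a sibling folder, the decoy pattern Retadup uses to spread via drives.

Assumption (mine, not stated on the page beyond the suffix example): the decoy
shortcut lives in the same directory as the folder it impersonates and its
file name starts with that folder's name, e.g. "Photos Copy fpl.lnk".
"""
import os
import tempfile
from pathlib import Path


def find_decoy_lnks(root):
    """Walk `root` and return .lnk paths whose stem begins with the name of a
    directory in the same folder. Comparison is case-insensitive because
    FAT/NTFS file names are, and the exact-name case ("Photos.lnk" next to
    "Photos") is flagged too since it is the same lure with no suffix."""
    hits = []
    for dirpath, dirnames, filenames in os.walk(root):
        folders = {d.lower() for d in dirnames}
        for name in filenames:
            if not name.lower().endswith(".lnk"):
                continue
            stem = name[:-4].lower()
            if any(stem.startswith(folder) for folder in folders):
                hits.append(os.path.join(dirpath, name))
    return sorted(hits)


def build_sample_drive():
    """Construct a temporary tree that mimics an infected USB stick.
    All names and files here are made up for this example; the .lnk files
    are empty placeholders, not real shortcuts."""
    root = tempfile.mkdtemp(prefix="lnk_decoy_demo_")
    for folder in ("Photos", "Documents", "Work"):
        os.makedirs(os.path.join(root, folder))
    os.makedirs(os.path.join(root, "Work", "Invoices"))

    # Decoys: named after a sibling folder, with the suffix quoted on the page.
    Path(root, "Photos Copy fpl.lnk").write_bytes(b"")
    Path(root, "DocumentsCopy fpl.lnk").write_bytes(b"")
    Path(root, "Work", "Invoices Copy fpl.lnk").write_bytes(b"")

    # Benign shortcut: no sibling folder shares its name.
    Path(root, "Report.lnk").write_bytes(b"")
    return root


def demo():
    """Build the sample tree, scan it, and return hits relative to its root."""
    root = build_sample_drive()
    return [os.path.relpath(hit, root) for hit in find_decoy_lnks(root)]


if __name__ == "__main__":
    for path in demo():
        print("suspicious shortcut:", path)
```

Treat a hit as a lead, not a verdict: a legitimate shortcut to a folder can carry the folder's name, so the next step is to open the flagged `.lnk` in a shortcut parser and check whether its target is the folder it claims to be or a script interpreter with arguments.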
“The cybercriminals behind Retadup had the ability to execute additional arbitrary malware on hundreds of thousands of computers worldwide,” says Jan Vojtěšek, Reverse Engineer at Avast. “Our main objectives were to prevent them from executing destructive malware on a large scale, and to stop the cybercriminals from further abusing infected computers.”
While analysing Retadup, the Avast Threat Intelligence team identified a design flaw in the C&C protocol that would allow the malware to be removed from victims’ computers once the C&C server had been taken over. Retadup’s C&C infrastructure was mostly located in France, so the team contacted the C3N of the French National Gendarmerie at the end of March 2019 to share their findings. On July 2, 2019, C3N replaced the malicious C&C server with a prepared disinfection server that made connected instances of Retadup self-destruct. In the very first second of its activity, several thousand bots connected to it to fetch commands; the disinfection server responded and, by abusing the C&C protocol design flaw, disinfected them. This made it possible to put an end to Retadup and protect everyone from it, not just Avast users, without any action on the part of the victim.
Some parts of the C&C infrastructure were also located in the U.S. The Gendarmerie alerted the FBI, which took them down, and as of July 8, 2019 the malware authors no longer had any control over the bots. Since it was the C&C server’s responsibility to hand out mining jobs, none of the bots received any new mining jobs to execute after the takedown. This meant they could no longer drain the computing power of their victims, and the malware authors would no longer receive any monetary gain from mining.
PCs infected with Retadup reported a considerable amount of information about themselves to the C&C server. The Gendarmerie gave the Avast team access to a partial snapshot of that server, which allowed it to derive aggregated information about Retadup’s victims.
“The most interesting piece of information was the exact amount of infections and their geographical distribution. To date, a total of 850,000 unique infections of Retadup have been neutralised, with the vast majority located in Latin America,” continued Jan Vojtěšek.
“Over 85 percent of Retadup’s victims had no third-party antivirus software installed. Some also had it disabled, which left them completely vulnerable to the worm and allowed them to unwittingly spread the infection further. Because we are usually only able to protect Avast users, it was very exciting for us to also help protect the rest of the world from malware on such a massive scale.”
The snapshot of the C&C server also gave Avast insight into the amount of cryptocurrency the cybercriminals behind Retadup received at one wallet address between February 15, 2019 and March 12, 2019. The malware authors mined 53.72 XMR (around 4,500 USD on August 19, 2019) during the roughly one month the wallet address was active. The Threat Intelligence team believes they might have sent mined profits to other addresses during the same period, so the real profits from mining were likely higher.