The French national gendarmerie and Avast experts have reported victory over the large Retadup botnet. Having seized the malware operators' infrastructure, experts ordered the malware to remove itself from 850,000 infected Windows machines.
Retadup has been known to information security experts since 2017. It was used by cybercriminals to distribute infostealers, ransomware, and cryptocurrency miners. In recent months, the malware has been mainly used to install Monero miners on devices located in Latin America.
Avast analysts write that they began to closely study Retadup back in March of this year. The worm spread mainly by planting malicious shortcuts on drives connected to the infected machine, in the hope that people would share the malicious files with other users. A shortcut is created under the same name as an existing folder, but with the addition of text, such as “Copy fpl.lnk”. Thus, Retadup made users think that they were opening their own files when in reality they were infecting themselves with malware.
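The propagation trick described above leaves a simple artifact on the drive: a .lnk file whose name matches a real folder sitting beside it. The following script, an added example that is not part of the original article or of Avast's report, walks a directory tree and flags shortcuts that impersonate a sibling folder, optionally with a "Copy " prefix (that prefix is assumed from the article's "Copy fpl.lnk" example). The sample drive layout is constructed in a temporary directory so the script runs offline.

```python
"""Flag .lnk shortcuts that impersonate folders on a (removable) drive.

Added example; not code from the article or from Avast. It does not parse the
shortcut contents, it only checks the naming pattern described in the article:
a shortcut named after an existing folder, possibly prefixed with "Copy ".
"""
import os
import re
import tempfile
from pathlib import Path

# Optional "Copy " prefix before the impersonated folder name (assumption
# derived from the article's "Copy fpl.lnk" example).
NAME_PATTERN = re.compile(r"^(?:copy\s+)?(.+)$", re.IGNORECASE)


def find_suspicious_shortcuts(root):
    """Return a list of (shortcut_path, impersonated_folder_path) pairs.

    A .lnk file is suspicious when its stem, after stripping an optional
    "Copy " prefix, equals (case-insensitively) the name of a directory
    located in the same parent directory.
    """
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        siblings = {d.lower(): d for d in dirnames}
        for name in filenames:
            if not name.lower().endswith(".lnk"):
                continue
            stem = name[:-4]
            match = NAME_PATTERN.match(stem)
            if not match:
                continue
            target = match.group(1).strip().lower()
            if target in siblings:
                findings.append(
                    (os.path.join(dirpath, name),
                     os.path.join(dirpath, siblings[target]))
                )
    return findings


def build_sample_drive():
    """Create a constructed drive layout for the demonstration.

    The .lnk files are empty stand-ins; only their names matter here.
    """
    base = Path(tempfile.mkdtemp(prefix="lnk_demo_"))
    (base / "fpl").mkdir()
    (base / "Photos").mkdir()
    (base / "Copy fpl.lnk").write_bytes(b"")   # impersonates folder "fpl"
    (base / "Photos.lnk").write_bytes(b"")     # impersonates folder "Photos"
    (base / "readme.lnk").write_bytes(b"")     # benign: no matching folder
    return base


def run_demo():
    """Build the sample drive and return the sorted names of flagged shortcuts."""
    base = build_sample_drive()
    hits = find_suspicious_shortcuts(base)
    return sorted(os.path.basename(shortcut) for shortcut, _ in hits)


if __name__ == "__main__":
    for shortcut, folder in find_suspicious_shortcuts(build_sample_drive()):
        print(f"suspicious shortcut {shortcut!r} mirrors folder {folder!r}")
```

Run it against the root of a mounted removable drive instead of the constructed sample to get a quick list of candidates; a name match alone is not proof of infection, so each flagged shortcut should then be inspected (target path and arguments) before it is removed.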
On July 2, 2019, experts were able to take control of the attackers' main server and replace it with their own. Almost immediately, several thousand bots turned to the new server to receive commands. Specialists made sure that the management server gave all Retadup bots a command for self-destruction, thereby cleaning the malware off the infected machines.
Some parts of the Retadup infrastructure were also discovered in the USA, but the French gendarmerie contacted colleagues from the FBI, who took care of this part of the infrastructure. As a result, from July 8, 2019, the malware operators completely lost control of the infected machines and their bots. None of the bots received new tasks for mining anymore, and the attackers stopped making a profit. It is noted that the number of infected hosts surprised specialists, since it was initially believed that the malicious campaign was small. In Russia, about 6500 cases of Retadup infection were neutralized.
Experts write that computers infected with Retadup transferred quite a lot of information about infected devices to the management server. The gendarmerie provided the Avast group with access to a snapshot of the server’s file system so that they could collect information about the victims of Retadup.
Also, Avast specialists managed to get an idea of the amount in cryptocurrency that the cybercriminals “earned” during the period from February 15, 2019 to March 12, 2019. The authors of the malware obtained 53.72 XMR (about $4,500) in the last month when the wallet address was still active. Researchers believe that they could have immediately sent the received funds to other addresses, so the real profit from mining was probably higher.
In addition, Retadup has also been used as a “launch pad” for the STOP ransomware and the Arkei password stealer. Obviously, the hackers were actively selling space on infected hosts to other criminal groups and distributing someone else’s malware.
And while this large-scale operation has not yet been followed by arrests, experts believe that they probably managed to find one of the creators of Retadup on Twitter. As can be seen in the screenshot below, back in 2017 he boasted that his worm had been noticed.
ZDNet reports that after the publication of the Avast report, an independent researcher known under the pseudonym Under the Breach seems to have managed to deanonymize the author of Retadup using only domain registration information. The alleged author of Retadup is a 26-year-old Palestinian whose data has already been shared with Avast experts and law enforcement agencies.