Antivirus maker Avast and the French National Gendarmerie reported that they have taken down one of the largest and most widespread malware botnets, Retadup.
After gaining access to the backend infrastructure of the Retadup malware, Avast and the French authorities used the gang's command and control (C&C) servers to instruct the Retadup malware to delete itself from infected computers, successfully cleaning over 850,000 Windows systems without users having to do anything.
Avast said this became possible after its malware analysts started looking at the malware back in March. Their researchers found a design flaw in the C&C server communications protocol that let them instruct the malware to delete itself.
The Retadup malware's C&C servers were located in France, so the antivirus maker approached the French authorities for help; they agreed and seized the criminals' servers.
The French authorities also got help from the FBI when it was found that some parts of the Retadup infrastructure were also hosted in the US.
After gaining access to the Retadup servers, Avast and the French officials replaced the malicious servers with copies that instructed the malware on any infected host connecting to them to delete itself.
According to the telemetry collected by Avast, a large majority of Retadup-infected computers were located in Latin America.
Peru had about 35% of all infections, and when the infected numbers from Venezuela, Bolivia, Ecuador, Mexico, Colombia, Argentina, and Cuba were added, they accounted for 85% of the entire Retadup botnet.
In a span of 45 days, from July 2 to August 19, it is estimated that more than 850,000 infected systems connected to the Retadup C&C servers seeking new instructions from the malware's operators.
The Retadup malware was first believed to be a small operation, so the number of infected systems surprised Avast.
Retadup was first seen in 2017. In its initial phase it was a simple trojan that collected information about infected computers and sent the data to a remote server for further analysis. The malware has evolved in recent years, however, and was by now running a crypto-mining scheme.
The malware collected data from infected hosts and dropped the good ol' LNK files as part of its self-replication behavior. It also downloaded and ran a Monero miner.
As per the evidence collected from the seized servers, the Retadup gang made at least 53.72 XMR ($4,500 USD). The researchers doubt that this was only a small fraction of the gang’s historical profits.
One of the reasons the Retadup operation became so large was that 85% of all infected computers didn't use an antivirus, allowing the malware to operate unchecked and undetected.
Avast believes it has tracked the malware's creator to a Twitter account whose owner boasted about Retadup when the first reports about it were published online back in 2017.
Avast also tracked down the Retadup author's real identity: he is a 26-year-old Palestinian. All of these details will be forwarded to Avast and the associated law enforcement inquiry.