
Police Trick Malware Gang Into Disinfecting 850,000 Systems

Retadup Gang's Malware Scheme Disrupted by French Police and Security Firm Avast
A map showing the amount of neutralized Retadup infections per country (Source: C3N, Avast)

French police say they have disrupted the operations of the Retadup malware gang by subverting attackers' command-and-control infrastructure to delete the malicious code from 850,000 infected PCs and servers worldwide. The move came after police received a tip and technical assistance from Czech security firm Avast.


Windows PCs and servers across more than 140 countries had been infected, with the majority of infections found in Latin America. Infected devices were being used to mine for monero cryptocurrency, police say. They estimate that the gang was earning at least several million dollars in illegal proceeds annually, much of it from stealthy, passive mining operations.

"We managed to clean more than 850,000 machines that were infected by the Retadup virus," Col. Jean-Dominique Nollet, who heads French cybercrime investigation agency C3N, tells media outlet Inter France.

Nollet's C3N team of "cybergendarmes" is part of France's National Gendarmerie - one of two national French police forces - which is part of the country's armed forces and under the jurisdiction of the Ministry of the Interior.

Most botnet disruption operations involve sinkholes, which redirect infected endpoints to dead ends, rather than attacker-controlled servers. While systems may remain infected, the attack code gets neutered.

In a rare maneuver, police didn't sinkhole infected systems' communications. Instead, they deleted the attack code completely. "You can imagine our satisfaction to have succeeded to remove the viruses from the computers of the victims, who at first did not even know that their machines were infected," Nollet said.

Avast Tips Off French Police

The disruption effort began after Avast in March traced back a rise in stealthy cryptocurrency mining infections to variants of a worm called Retadup, written in both AutoIt and AutoHotkey scripts. Researchers began studying the command-and-control communications being used to control infected endpoints, or bots, says Jan Vojtesek, a malware researcher at Avast, in a research report.

"After analyzing Retadup more closely, we found that while it is very prevalent, its C&C communication protocol is quite simple," he says. "We identified a design flaw in the C&C protocol that would have allowed us to remove the malware from its victims’ computers had we taken over its C&C server."

Avast alerted France's national cybercrime investigation team, C3N, that servers in France appeared to be hosting the majority of the command-and-control infrastructure for distributing and controlling the Retadup worm - in other words, self-replicating malware. Avast also shared a technique that it thought might allow authorities to neutralize existing infections.

Retadup Debuted in 2016

Retadup's day of reckoning was nearly three years in the making. The malware was first spotted in 2016. It was the subject of technical investigations by Trend Micro in 2017 and 2018, which drove the worm's developer or developers to brag about their creation on the Twitter account @radblackjoker.

"A tweet by Retadup’s author showing a screenshot of the malware’s control panel," according to Avast's report. "Note that since there were multiple variants of Retadup (each with its own separate control panel), this control panel displays information about only one variant of Retadup, so the real number of bots is much higher than what is shown here."

"At first, we had some doubts about the legitimacy of this Twitter account, but after we obtained the source code of Retadup’s C&C components, it became clear that this screenshot, and consequently the Twitter account, were genuine," Avast's Vojtesek says.

Retadup has been tied to the large-scale distribution of cryptocurrency mining software, but in some cases also the Stop ransomware variant as well as the Arkei password stealer, Avast says. Trend Micro, for example, has traced the malware to infections in hospitals in Israel that resulted in the theft of Israeli patient data.

Police say systems infected with Retadup included Windows servers as well as endpoints running Windows XP, 7, 8 and 10. "The PCs were infected very classically: a click on a link in an email, suggesting a way to make easy money, or seeing erotic pictures, etc." Nollet said. "Another very common way of spreading the virus: infected USB sticks."

Researchers Reverse-Engineer Botnet Controller

With the cybercrime threat intelligence from Avast in hand, C3N, working with the Paris prosecutor's office - which oversees cybercrime investigations - opened a case and secured judicial cooperation from the FBI. In July, authorities seized control of the servers in both France and the U.S. and began working with Avast to study how they worked.

Avast notes that the malware-eradication effort did not involve executing any arbitrary code on victims' systems. "While it is often possible to clean malware infections by taking over a C&C server and pushing a 'malware removal' script to the victims through the malware’s established arbitrary code execution channel, the design flaw we found did not involve making the victims execute any extra code," Vojtesek says.

One complicating factor was that after French police obtained a snapshot of the C&C server's hard drive and shared controller code - but no victim information - Avast says it had to reverse-engineer the controller and develop a tracker for infected endpoints without tipping off the Retadup gang.

"If they realized that we were about to take down Retadup in its entirety, they might’ve pushed ransomware to hundreds of thousands of computers while trying to milk their malware for some last profits," Vojtesek says.

Gang's Own Server Infected With Malware

Studying the C&C server, Avast's researchers made several interesting discoveries.

For starters, the gang was using XMRig Proxy to proxy traffic between infected endpoints doing mining, and mining pools, to make the mining look more legitimate. "It consolidates traffic from multiple bots, so to the mining pool it seems like there’s only a couple of workers," Vojtesek says. "Infecting hundreds of thousands of unwitting victims probably wasn’t devilish enough."

In addition, every executable file on the server appeared to have been accidentally infected by another piece of malware called Neshta fileinfector. "The authors of Retadup accidentally infected themselves with another malware strain. This only proves a point that we have been trying to make - in good humor - for a long time: Malware authors should use robust anti-virus protection," Vojtesek says.

The same goes for victims. While Avast didn't receive victim data from French police and couldn't conduct a full digital forensic analysis on the server, it did receive aggregated information about infected systems, which revealed that a majority of victims were running Windows 7 systems.

Source: Avast

"Over 85 percent of Retadup’s victims also had no third-party anti-virus software installed," Vojtesek says. Still, that figure doesn't indicate how many may have been using anti-virus software that is built into the Windows operating system, and which is on by default in Windows 8 and 10, in the form of Windows Defender.

Regardless, "some also had it disabled, which left them completely vulnerable to the worm and allowed them to unwittingly spread the infection further," Vojtesek says.

While 850,000 systems being cleaned of Retadup is obviously good news, police say their investigation is ongoing, and they have yet to reveal any suspected perpetrators. Furthermore, many such operations are run from Russia or neighboring countries that lack extradition agreements with countries such as the U.S. and France.

In other words, the Retadup-using gang may well reboot operations. "Unfortunately, we know they can recreate this kind of hacker server at any time," Nollet tells Inter France.

Even so, "this severely impacted the cybercriminals' operation," Vojtesek tells Information Security Media Group. "They lost control of all the bots" and if they try again, must "start from scratch." And he promises that security experts will be keeping a close eye on any such attempts.

About the Author

Mathew J. Schwartz

Executive Editor, DataBreachToday & Europe, ISMG

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the executive editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, among other publications. He lives in Scotland.
