A joint investigatory effort neutralized more than 850,000 unique infections of Retadup, a worm known for targeting Windows machines in Latin America.

In March 2019, Avast came across an interesting cryptomining payload that arrived with an advanced, stealthy process hollowing implementation. The security firm decided to look into what means of distribution the cryptocurrency miner was using. This analysis led researchers to Retadup.

Spotted by Avast in previous campaigns, Retadup is a worm that tends to achieve persistence on victims’ computers. It then leverages those infections to expand its reach even further and to install additional malware payloads on the compromised host. Most of the time, this payload was a cryptominer, though researchers did spot the worm dropping STOP ransomware and the Arkei password stealer.

Avast’s analysis revealed something interesting about Retadup, particularly its command-and-control (C&C) infrastructure. As it explained in its research:

…[W]e found that while it is very prevalent, its C&C communication protocol is quite simple. We identified a design flaw in the C&C protocol that would have allowed us to remove the malware from its victims’ computers had we taken over its C&C server. This made it possible to put an end to Retadup and protect everyone from it, not just Avast users….

Realizing that Retadup’s C&C infrastructure was primarily based in France, Avast shared its findings with the Cybercrime Fighting Center (C3N) of the French National Gendarmerie at the end of March. It also proposed a disinfection plan in which it would take over the C&C server and abuse the design flaw to neutralize infections. The Gendarmerie liked the idea, so it opened a case on the worm, presented the disinfection scenario to a prosecutor and shared parts of a snapshot of the Retadup C&C server disk with Avast. These efforts helped the security