Authorities Self-Destruct Cryptomining Worm After 850,000 Infections

The French National Gendarmerie and FBI have joined forces to stop Retadup, a malicious worm that has infected at least 850,000 Windows machines throughout Latin America, by making the threat destroy itself.

"The general functionality of this payload is pretty much what we have come to expect from common malicious stealthy miners," said Jan Vojtěšek, a malware analyst at Avast who led research into Retadup. "It decrypts an XMRig PE file in memory and injects it into a newly-created process via process hollowing. It also dynamically builds an XMRig config file, drops it to disk and passes it to the newly-created process. XMRig's donate level is set to 0 so as not to share any mining profits with XMRig developers."

The researchers noted that the malware avoids mining when taskmgr.exe is running so that it is harder for users to detect its increased CPU usage. The process that injects XMRig also acts as a watchdog and, should the injected worker process be terminated for any reason, the watchdog process spawns a new worker process to replace it.
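As an added illustration of the watchdog behaviour and the zero donate-level setting described above (this is not code from the Avast report; the process names, the event layout and the config sample are constructed), the following Python script flags a parent process that keeps restarting a child with the same image within seconds of it exiting, and an XMRig-style config whose `donate-level` is 0:

```python
"""Detection helpers for two Retadup traits (constructed example).

Telemetry rows are (timestamp_s, event, pid, ppid, image) as an endpoint
agent might record them. All names and numbers below are made up.
"""
import json
from collections import defaultdict

# Constructed process events: a hypothetical injector (pid 100) restarts its
# worker every time it stops; explorer.exe (pid 300) restarts chrome much later.
EVENTS = [
    (0, "start", 100, 1, "injector.exe"),      # hypothetical watchdog
    (1, "start", 200, 100, "notepad.exe"),     # hollowed worker
    (30, "stop", 200, 100, "notepad.exe"),
    (31, "start", 201, 100, "notepad.exe"),    # respawned within 1 s
    (60, "stop", 201, 100, "notepad.exe"),
    (61, "start", 202, 100, "notepad.exe"),    # respawned again
    (5, "start", 300, 1, "explorer.exe"),
    (6, "start", 301, 300, "chrome.exe"),
    (50, "stop", 301, 300, "chrome.exe"),
    (120, "start", 302, 300, "chrome.exe"),    # benign: 70 s later
]

# Constructed XMRig-style config; "donate-level" is a real XMRig config key.
XMRIG_CONFIG = json.dumps({"donate-level": 0,
                           "pools": [{"url": "pool.example:3333"}]})


def find_watchdogs(events, max_gap=5.0, min_respawns=2):
    """Return {(ppid, image): respawn_count} for parents that start a child
    of the same image within max_gap seconds of one stopping."""
    by_key = defaultdict(list)
    for ts, ev, _pid, ppid, image in sorted(events):
        by_key[(ppid, image)].append((ts, ev))
    hits = {}
    for key, seq in by_key.items():
        respawns, last_stop = 0, None
        for ts, ev in seq:
            if ev == "stop":
                last_stop = ts
            elif ev == "start" and last_stop is not None and ts - last_stop <= max_gap:
                respawns += 1
                last_stop = None
        if respawns >= min_respawns:
            hits[key] = respawns
    return hits


def xmrig_donate_level_zero(config_text):
    """True if the text parses as JSON and sets donate-level to 0."""
    try:
        cfg = json.loads(config_text)
    except ValueError:
        return False
    return isinstance(cfg, dict) and cfg.get("donate-level", 1) == 0
```

Raising `max_gap` widens the window for slower watchdogs at the cost of more false positives from legitimate service managers, so tune it against known-good telemetry first.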

"The objective of Retadup is to achieve persistence on its victims' computers," said Vojtěšek. "It does this by spreading itself far and wide and installing additional malware payloads on infected machines. In the vast majority of cases, the installed payload is a piece of malware mining cryptocurrency on the malware authors' behalf. However, in some cases, we have also observed Retadup distributing the Stop ransomware and the Arkei password stealer."

The researchers started monitoring Retadup in March 2019, after a malicious Monero cryptocurrency miner caught their eye because of its advanced stealthy process hollowing implementation.

"We started looking into how this miner is distributed to its victims," said Vojtěšek, "and discovered that it was being installed by an AutoIt/AutoHotkey worm called Retadup. After analyzing Retadup more closely, we found that while it is very prevalent, its command and control (C&C) communication protocol is quite simple. We identified a design flaw in the C&C protocol that would have allowed us to remove the malware from its victims' computers had we taken over its C&C server. This made it possible to put an end to Retadup."

Avast shared their threat intelligence on Retadup with C3N, the Cybercrime Fighting Center of the French National Gendarmerie, as Retadup's C&C infrastructure was mostly located in France. The Gendarmerie also alerted the FBI, as some parts of the C&C infrastructure were located in the US, and both law enforcement agencies dismantled the respective infrastructure. In France, the C3N replaced the C&C server with a disinfection server that answered incoming bot requests with a specific response causing the connecting malware instances to self-destruct, while the FBI's actions meant the C&C servers could no longer hand out mining jobs to bots, so the malware authors stopped receiving financial gain from mining.

It turns out that over 85% of Retadup’s 850,000 victims had no third-party antivirus software installed. Some had it disabled, which left them completely vulnerable to the worm and allowed them to unwittingly spread the infection further.

Read the full report by Jan Vojtěšek.
