French Authorities and Avast Take Down One of the World’s Biggest Botnets
French authorities and antivirus vendor Avast have jointly taken down the Retadup botnet, considered one of the world's largest, having infected nearly a million computers worldwide.
Avast announced in a blog post that its collaboration with French authorities resulted in the neutralization of the Retadup botnet. A botnet is a group of computers infected with malicious software (malware), in this case the malware called "Retadup", that an attacker or attackers remotely control for malicious activities. Avast said that, as part of its threat intelligence research, it began closely monitoring the activity of the Retadup malware in March 2019.
Avast found that the computers infected with the Retadup malware, and which formed the Retadup botnet, were mostly abused to mine the cryptocurrency Monero. In this kind of illicit cryptocurrency mining, often called cryptojacking, malicious actors earn cryptocurrency by stealing the computing power of someone else's computer.
In a few cases, Avast observed that Retadup was used to distribute the ransomware called "Stop", a type of malware purposely created to block legitimate users from a computer system or its data until a ransom is paid. In a few other cases, Avast also observed that Retadup was used to distribute Arkei, a malware that steals passwords.
Avast said its research showed that Retadup's command-and-control (C&C) infrastructure was mostly located in France, so it contacted the Cybercrime Fighting Center (C3N) of the French National Gendarmerie. C&C infrastructure refers to the server or servers used to communicate with and remotely control computers compromised by a malware, in this case the Retadup malware.
As of late August this year, Avast said that, in collaboration with C3N and with the permission of the office of the public prosecutor in France, the Retadup malware had been removed from 850,000 compromised computers, mostly located in Spanish-speaking countries in Latin America.
The Retadup malware first appeared in mid-2017, stealing information from Israeli hospitals. According to Trend Micro, which first reported on this malware in June 2017, it is notable for its propagation and stealth capabilities.
Trend Micro said the original Retadup malware infects computers via an executable file that masquerades as another file type, such as a browser shortcut, a Windows updater or a web 3D creation tool. For example, it was delivered to the victim's computer as WinddowsUpdater.zip containing WinddowsUpdater.exe, a name chosen to look like a legitimate Windows updater (note the misspelled "Winddows").
A computer becomes infected with Retadup when the user opens the file that masquerades as another file type. According to Trend Micro, it is unclear how these executable files containing the Retadup malware arrive on the victims' computers.
Once on a computer, the malware checks for specific antivirus and analysis tools, and self-destructs when it detects their presence.
In stealing information, Trend Micro said the original Retadup malware routinely records every keystroke made by the computer user, takes screenshots and extracts passwords from web browsers. Retadup is also a worm, meaning it has the ability to spread itself within networks without user interaction.
In September 2017, Trend Micro detected a new version of Retadup, this time infecting specific industries and governments in South America and controlling the infected computers as a botnet, stealing their computing power to mine the cryptocurrency Monero. As of September 2017, Trend Micro said the malicious actor or actors behind the Retadup botnet had earned 314 Monero coins, worth about US$36,000, from the illicit mining.
Since its discovery in June 2017, the Retadup malware has evolved into different versions. Most of these versions, however, retain the original features, such as the worm and stealth capabilities. According to Avast, the most recent version of Retadup pauses cryptocurrency mining on the infected computer while taskmgr.exe (Task Manager) is running, so that users are less likely to notice the increased CPU usage.
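The taskmgr.exe trick described above is itself a detectable signal: a process whose CPU use is high whenever Task Manager is absent and collapses whenever Task Manager is present is behaving the way this miner does. The script below is an added example written for this article, not Avast's or Trend Micro's code and not a Retadup signature. It assumes periodic process snapshots in the form (timestamp, process name, pid, cpu_percent), which is a constructed format; real data would come from an EDR agent or a scheduled Get-Process/WMI poll. The sample telemetry is constructed as well: one process hides when taskmgr.exe appears, one is consistently busy, one is consistently moderate.

```python
"""Flag processes whose CPU use collapses whenever taskmgr.exe is running.

Added example (not Avast's or Trend Micro's code). The telemetry format is an
assumption: (timestamp, process_name, pid, cpu_percent), one row per process
per snapshot, with every process in a snapshot sharing the same timestamp.
"""
from collections import defaultdict
from statistics import mean

# Constructed sample telemetry, one snapshot per second.
# Snapshots 1-4: Task Manager not running. Snapshots 5-8: Task Manager open.
SAMPLES = [
    (1, "svchost.exe", 4212, 88.0), (1, "chrome.exe", 1880, 31.0), (1, "ffmpeg.exe", 2222, 95.0),
    (2, "svchost.exe", 4212, 91.0), (2, "chrome.exe", 1880, 28.0), (2, "ffmpeg.exe", 2222, 97.0),
    (3, "svchost.exe", 4212, 86.0), (3, "chrome.exe", 1880, 33.0), (3, "ffmpeg.exe", 2222, 94.0),
    (4, "svchost.exe", 4212, 90.0), (4, "chrome.exe", 1880, 30.0), (4, "ffmpeg.exe", 2222, 96.0),
    (5, "taskmgr.exe", 5000, 3.0), (5, "svchost.exe", 4212, 1.5), (5, "chrome.exe", 1880, 29.0), (5, "ffmpeg.exe", 2222, 95.0),
    (6, "taskmgr.exe", 5000, 2.5), (6, "svchost.exe", 4212, 0.8), (6, "chrome.exe", 1880, 32.0), (6, "ffmpeg.exe", 2222, 96.0),
    (7, "taskmgr.exe", 5000, 3.2), (7, "svchost.exe", 4212, 1.1), (7, "chrome.exe", 1880, 30.0), (7, "ffmpeg.exe", 2222, 94.0),
    (8, "taskmgr.exe", 5000, 2.8), (8, "svchost.exe", 4212, 0.9), (8, "chrome.exe", 1880, 31.0), (8, "ffmpeg.exe", 2222, 97.0),
]

WATCHER = "taskmgr.exe"


def find_taskmgr_aware_processes(samples, high=50.0, low=5.0, min_obs=3):
    """Return sorted (name, pid) pairs that are busy only when taskmgr.exe is absent.

    high:    mean CPU% required while Task Manager is NOT running
    low:     mean CPU% ceiling while Task Manager IS running
    min_obs: snapshots required in each state before a verdict is made
    """
    # Group rows by snapshot so we know whether taskmgr.exe was present in each one.
    snapshots = defaultdict(list)
    for ts, name, pid, cpu in samples:
        snapshots[ts].append((name, pid, cpu))

    # Per process, collect CPU readings split by whether the watcher was present.
    usage = defaultdict(lambda: {"unwatched": [], "watched": []})
    for procs in snapshots.values():
        watched = any(n.lower() == WATCHER for n, _, _ in procs)
        for name, pid, cpu in procs:
            if name.lower() == WATCHER:
                continue  # the watcher itself is not a candidate
            usage[(name, pid)]["watched" if watched else "unwatched"].append(cpu)

    flagged = []
    for key, buckets in usage.items():
        u, w = buckets["unwatched"], buckets["watched"]
        # Require enough evidence in BOTH states; a process seen only while
        # Task Manager is closed (or only while open) cannot be judged.
        if len(u) < min_obs or len(w) < min_obs:
            continue
        if mean(u) >= high and mean(w) <= low:
            flagged.append(key)
    return sorted(flagged)


if __name__ == "__main__":
    for name, pid in find_taskmgr_aware_processes(SAMPLES):
        print(f"suspicious: {name} (pid {pid}) idles only while {WATCHER} is running")
```

On the constructed data only svchost.exe (pid 4212) is flagged: ffmpeg.exe stays busy regardless of Task Manager and chrome.exe never crosses the high threshold. The min_obs guard matters in practice: a single snapshot taken just as a legitimate job finishes would otherwise look like hiding behaviour. Thresholds are deliberately parameters, since normal CPU baselines differ between a build server and a receptionist's desktop.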
With the permission of the office of the public prosecutor in France and with technical assistance from Avast, the Cybercrime Fighting Center of the French National Gendarmerie dismantled the Retadup command-and-control server and replaced it with a disinfection server. This disinfection server, Avast said, caused the Retadup malware on the infected computers forming the botnet to self-destruct.
To date, while the Retadup botnet has been neutralized through the collaboration of the office of the public prosecutor in France, Avast and the Cybercrime Fighting Center of the French National Gendarmerie, the creator or creators of Retadup remain at large, as no arrests have been made as a result of the operation.
Threat Mitigation & Prevention
Botnets are a threat to the online community. As the Retadup botnet shows, a botnet can wreak havoc through cryptocurrency mining, ransomware and information theft. Other botnets, such as Mirai, have in the past disrupted internet access in parts of the world through distributed denial-of-service (DDoS) attacks.
Here are some cyber security measures to protect your organization's computers and devices from being infected with malware and made part of a botnet:
Steve E. Driz, I.S.P., ITCP