Antivirus maker Avast and the French National Gendarmerie announced today that they’ve taken down the backend infrastructure of the Retadup malware gang.
Furthermore, as a result of gaining access to this infrastructure, Avast and French authorities used the criminal gang’s command and control (C&C) servers to instruct the Retadup malware to delete itself from infected computers, effectively disinfecting over 850,000 Windows systems without users having to do anything.
Most Retadup victims were located in Latin America
The antivirus maker said that all of this was possible after its malware analysts began going over the malware with a fine-tooth comb back in March.
Avast researchers discovered a design flaw in the C&C server communications protocol that could allow them to instruct the malware to delete itself.
Since the Retadup malware’s C&C servers were located in France, Avast approached French authorities, who agreed to help and seized the crooks’ servers.
Once Avast and French officials had the Retadup servers in their hands, they replaced the malicious ones with copies that instructed any infected host which connected to the server to delete itself.
Based on telemetry Avast collected starting July 2, when it first took over the malware’s servers, the vast majority of Retadup-infected computers were located in Latin America.
Peru accounted for nearly 35% of all infections, and when researchers added infection numbers from Venezuela, Bolivia, Ecuador, Mexico, Colombia, Argentina, and Cuba, these countries together accounted for 85% of the entire Retadup botnet.
In total, over the course of 45 days, from July 2 to August 19, Avast said that more than 850,000 infected systems connected to the Retadup C&C servers seeking new instructions from the malware’s operators.
Retadup — from small-time worm to cryptominer
The number of infected hosts surprised Avast, as the malware was thought to have been a small operation.
The malware was first seen in 2017, and in its initial phase it was a simple trojan that collected information about infected computers and sent the data to a remote server for further analysis.
The most notable thing about its first versions was a worm-like self-spreading behavior that relied on dropping booby-trapped LNK files on shared drives in the hope that other users would run the files and infect themselves.
But in a technical report released today, Avast said that Retadup had evolved in recent years, and the malware was now running a crypto-mining scheme.
Besides collecting data from infected hosts and dropping the good ol’ LNK files as part of its self-replication behavior, Retadup would also download and run a Monero miner on each infected host.
Evidence collected from the seized servers showed the Retadup gang made at least 53.72 XMR (~$4,500 USD); however, researchers suspect this is only a small fraction of the gang’s historical profits.
In some campaigns, the malware was also seen being used as a launching pad for the STOP ransomware and the Arkei password stealer, suggesting the hackers were actively selling “install space” on infected hosts to other malware gangs.
Avast said one of the reasons the Retadup operation grew so large was that 85% of all infected computers didn’t run an antivirus, allowing the malware to operate unchecked and undetected.
Retadup author bragged on Twitter
No arrests have been made in this case; however, Avast believes it has tracked the malware’s creator to a Twitter account that bragged about Retadup when the first reports about its activity emerged online back in 2017.
French authorities also received help from the FBI after Avast found that some parts of the Retadup infrastructure were also hosted in the US. Those servers have also been taken down, and Avast said the Retadup creators completely lost control over their botnet on July 8, after the FBI intervened.