Avast and French authorities have now dismantled the nasty Retadup botnet.
With the advent of cryptocurrencies, we have seen a gold rush surrounding them, particularly because of the opportunities Bitcoin once presented. This has also resulted in black hats exploiting the ecosystem to illegally mine certain cryptocurrencies as it directly translates to cash. One such incident recently surfaced.
Since March, the cybersecurity firm Avast had been investigating a dangerous botnet called Retadup, which was being used to mine the Monero cryptocurrency as well as to deliver the STOP ransomware and the Arkei password stealer. However, it had not found any major breakthrough.
This changed when the firm recently detected a design flaw in the malware’s Command & Control (C&C) protocol which could allow them to remove the malware from infected computers without having to edit the actual code. However, there was a problem. The C&C server was hosted with a service based in France, and the researchers could not access or take it over by themselves.
Hence, the researchers alerted the Cybercrime Fighting Centre (C3N) of the French National Gendarmerie with a plan to disinfect the victims of the malware. What followed was the Gendarmerie presenting the case to a prosecutor while Avast created a tracker program which would alert them to the creation of any new variants of the malware or to the distribution of new malware altogether.
Moreover, the proposed plan was tested locally to identify any risks associated with it. As described by the researchers themselves,
“The Gendarmerie also obtained a snapshot of the C&C server’s disk from its hosting provider and shared parts of it with us so we could start to reverse engineer the contents of the C&C server. For obvious privacy reasons, we were only given access to parts of the C&C server that did not contain any private information about Retadup’s victims. Note that we had to take utmost care not to be discovered by the malware authors (while snapshotting the C&C server and while developing the tracker),” Avast said in a blog post.
“Up to this point, the malware authors were mostly distributing cryptocurrency miners, making for a very good passive income. But if they realized that we were about to take down Retadup in its entirety, they might’ve pushed ransomware to hundreds of thousands of computers while trying to milk their malware for some last profits.”
The results of infiltrating the server were as ironic as they can get, at least in the cybersecurity community. The malware itself was found to have been infected with another piece of malware, the Neshta file infector – can’t blame the hackers, since they ideally would not like anti-malware software.
Moving on, the prosecutors allowed the French National Gendarmerie to proceed with the plan, and the execution stage began. The disinfection server replaced the malicious C&C server, resulting in over 850,000 bots connecting to it to fetch instructions and thereby being disinfected.
Nonetheless, to hope that the botnet was restricted to France would be wishful thinking. It had spread through Latin America, Russia, and the USA, with some parts of the C&C infrastructure being found in the latter; the FBI was informed, and those parts were subsequently taken down.
Currently, the disinfection server will be kept online for a few months so that the remaining segment of infected users can connect to it – they have not done so till now due to either being offline or having connectivity problems, as reported by the head of the National Criminal Intelligence Service at the French National Gendarmerie.
The takeaway from this episode is that users regardless of their expertise level need to install security software aimed at protecting their computer systems. By doing so, not only do you save yourself from wasting your computer power earning cash for someone else as seen above but also can be at ease knowing your data is secure.
This reminder is even more essential given the discovery that over 85% of the victims had no anti-virus installed, which means that the absence of a single program resulted in their compromise.
This is not the first time in recent years that authorities have taken down a sophisticated botnet in a snap. Previously, Kelihos, Andromeda, VPNFilter, Mirai, and WireX were some among several nasty botnets seized and dismantled by authorities and cybersecurity giants.
If you are online, you are under threat. To avoid becoming a victim of such botnets, make sure your system or mobile device is up to date and is scanned with reliable anti-virus software on a regular basis. Stay safe online!