Avast has managed to take down the Retadup crypto-mining worm disinfecting more than 850,000 computers, with the help of French National Gendarmerie, the antivirus maker announced in a blog post.
The security researchers at Avast discovered a design flaw in the communications protocol of Retadup that allowed the team to remove the malware from the infected computers. They replaced the crypto-mining worm’s C&C (Command and Control center) with a disinfection server that caused the connected pieces of malware to self-destruct.
Since the C&C infrastructure of Retadup was located in France, the Avast team contacted French authorities to stop the malware botnet. The security researchers also contacted FBI becasue some parts of the C&C infrastructure was located in the U.S.
The team noted that the vast majority of infected computers were located in Latin America. 35% of Retadup hosts were found to be in Peru, and the remaining 85% of infected systems were located in Venezuela, Bolivia, Ecuador, Mexico, Colombia, Argentian, and Cuba.
The researchers also point out the botnet majorly targeted computers that had either two or four cores and were running on Windows 7. Also, 85% of victims didn’t have installed any 3rd-party Antivirus solution on their computer.
Retadup goes unnoticed?
Avast security experts were closely monitoring the Retadup activities since March 2019. However, the worm initially came up into notice in 2017 when TrendMicro published a bunch of articles on the malware. “The worm never got the attention it warranted from the security community,” writes a malware analyst at Avast who led the research.
In the initial phase, Retadup was a simple trojan that collected information about infected computers and sent the data on remote servers. However, after going unnoticed, Retadup evolved into a full-fledged crypto-mining botnet in the upcoming years. writes that the crooks collected at least 53.72 XMR (~$4,500 USD) from the infected computers.
Who is behind Retadup?
Its my baby <3 https://t.co/E2dy6Dmpna
— black joker (@radblackjoker) April 27, 2018
According to the Avast team, Ratadup belongs to a guy who bragged about creating Retadup and “ruling the world” on Twitter, after the initial reporting on the worm back in 2018.
in his profile, the hacker brags about his operations: pic.twitter.com/xsry9vz0Ww
— Under the Breach (@underthebreach) August 28, 2019
Although there have been no arrests by the police, security researchers from Under the Breach have claimed Retadup malware creator to be a 26-year-old Palestinian, reports ZDNet.
