What Is Retadup and How Can It Jeopardize the Security of Your Passwords?

Retadup is one of the malware families that has never really managed to catch the attention of mainstream media the way Trickbot has, for example. This seems a bit strange because while it has never really been the most widely spread Windows worm around, there hasn't been any shortage of victims. There's no better proof of this than the fact that when security researchers from Avast collaborated with the French Police in taking over one of Retadup's Command & Control (C&C) servers, they managed to disinfect a whopping 850 thousand individual computers in a matter of minutes.

It was a massive success for the security community, but before we get to it, let's take a look at what Retadup is.

Retadup – a powerful downloader packed with clever features

One of the few security companies that have paid any significant attention to Retadup is Trend Micro which put out a few technical articles in 2017 and 2018. Back then, the malware was at the center of a number of different attacks against big and small targets, and it was used for anything from cryptocurrency mining to information theft.

More recently, Retadup caught the attention of Avast researchers, who said that quite a few users in South America were infected in the span of a few months. In this campaign, the malware was mostly used for downloading and activating a cryptocurrency miner, though the experts did point out that they also saw it distributing the Stop ransomware as well as the Arkei password stealer. Avast's researchers got hold of a few samples, analyzed them carefully, and they realized that with a little help from the relevant law enforcement agencies, they might just be able to deal a rather significant blow to the whole operation.

Avast teams up with the French Police to bring Retadup down

After closely monitoring how PCs infected with Retadup receive commands from the crooks' backend infrastructure, Avast's experts found out that, for all its sophistication, Retadup had a severe design flaw in the C&C communication protocol. If exploited, this flaw would have allowed the experts to run a disinfection script and remove Retadup (and all traces left by it) from the computers of hundreds of thousands of users. The only thing they needed was access to a C&C server located in France. To get it, they got in touch with the C3N – the cybercrime fighting unit of the French Police and asked for assistance.

The operation was rather delicate. Avast's experts had to have a closer look at everything that was on the C&C server before they could write and execute the script. At the same time, it was crucial that the malware operators have no idea what's going on. If they knew, they would have decided that if the Retadup operation is going to end, it's going to end with a bang, and instead of the relatively harmless cryptocurrency miner, they would have dropped ransomware on hundreds of thousands of computers. Stealth, therefore, was of utmost importance.

The hosting provider operating the C&C server created a snapshot of the hard drive and handed it over to the French Police who, in turn, relayed it to Avast's experts. This too sounds easier than it is. The hosting company had to create the snapshot without alerting the malware authors, and it also had to make sure that people's privacy is protected which meant giving Avast's researchers access only to specific parts of the C&C. When the experts analyzed the server, they saw traces of a malware infection. It turned out that ironically, Retadup's authors had been careless enough to infect themselves with another strain of malicious software.

A lot of hard work later, the disinfection script was done and it was put on a server that was supposed to replace the C&C and stop Retadup. Eventually, in July, the French Police received the necessary permissions, the servers were switched, and within seconds several thousand Retadup infections were removed. The rest of the C&C infrastructure was located in the US, which meant that the FBI had to get involved as well. After the servers were taken down, the malware's authors had no way of communicating with their worm.

Retadup is down, but is it out?

Compared to ransomware or an information theft operation, cryptocurrency mining will always be more of an inconvenience than anything else. Nevertheless, bringing down such a massive botnet of malware-infected devices is always good news. Unfortunately, it's still way too early to say whether Retadup is out for good.

If Avast's researchers can find the flaw in the communication protocol, so can the malware's authors. And if they fix it, rebuilding the C&C infrastructure, and restarting the operation shouldn't be too difficult.