Avast and French Police Remove Retadup Malware From 850,000 PCs

Retadup is a malicious worm affecting Windows machines. Its objective is to achieve persistence on its victims’ computers, to spread itself far and wide and to install additional malware payloads on infected machines. In the vast majority of cases, the installed payload is a piece of malware mining cryptocurrency on the malware authors’ behalf. However, in some cases, it has been observed distributing the Stop ransomware and the Arkei password stealer.

After finding the C&C infrastructure was mostly located in France, Avast reached out to the Cybercrime Fighting Center (C3N) of the French National Gendarmerie. The law enforcement agency obtained an image of the C&C server from the company providing hosting services to the cybercriminals, which allowed Avast to collect some data about the victims.

In July 2019, the Gendarmerie received the green light from the prosecutor, meaning they could legally proceed with the disinfection. They replaced the malicious C&C server with a prepared disinfection server that made connected instances of Retadup self-destruct. In the very first second of its activity, several thousand bots connected to it in order to fetch commands from the server. The disinfection server responded to them and disinfected them, exploiting a design flaw in the C&C protocol.

Some parts of the C&C infrastructure were also located in the US. The Gendarmerie alerted the FBI who took them down, and on July 8 the malware authors no longer had any control over the malware bots.

The authors of Retadup decided to brag about their malware on Twitter. They created a Twitter account @radblackjoker and responded to Trend Micro’s research on Retadup.

C&C domains (no longer malicious)
alphanoob[.]com
newalpha.alphanoob[.]com
newblackage[.]com
noobminer.newblackage[.]com
newminersage[.]com
newminer.newminersage[.]com
newage.newminersage[.]com
superuser.newminersage[.]com
superlover.newminersage[.]com
blackjoker.newminersage[.]com
superalpha.newminersage[.]com
newghoul2019.newminersage[.]com
radnewage[.]com
newage.radnewage[.]com
superalpha.radnewage[.]com
newghoul2019.radnewage[.]com
minernewage[.]com
newage.minernewage[.]com
mdwnte[.]com
rad2016.publicvm[.]com
hellothere.publicvm[.]com
radjoker2.publicvm[.]com
noobminer.publicvm[.]com
radpal.publicvm[.]com
newalpha.super-gamezer[.]com
roro2016.linkpc[.]net
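The domain list above is published defanged (with "[.]" in place of each dot) so that it cannot be clicked or resolved by accident. The following Python script is an added example, not part of the original article or of Avast's tooling: it refangs the list and checks DNS query logs against it, so a defender can find hosts that resolved a Retadup C&C name while the botnet was active. The log format (client=... query=...) and the log lines themselves are constructed for the example. Note the edge case: the list names specific hosts under shared dynamic-DNS zones such as publicvm.com and linkpc.net, so a query for the bare parent zone is not treated as a match.

```python
import re
from typing import List, Optional, Tuple

# Retadup C&C domains exactly as listed (defanged) in the article above.
RETADUP_CC_DOMAINS_DEFANGED = [
    "alphanoob[.]com", "newalpha.alphanoob[.]com", "newblackage[.]com",
    "noobminer.newblackage[.]com", "newminersage[.]com",
    "newminer.newminersage[.]com", "newage.newminersage[.]com",
    "superuser.newminersage[.]com", "superlover.newminersage[.]com",
    "blackjoker.newminersage[.]com", "superalpha.newminersage[.]com",
    "newghoul2019.newminersage[.]com", "radnewage[.]com",
    "newage.radnewage[.]com", "superalpha.radnewage[.]com",
    "newghoul2019.radnewage[.]com", "minernewage[.]com",
    "newage.minernewage[.]com", "mdwnte[.]com", "rad2016.publicvm[.]com",
    "hellothere.publicvm[.]com", "radjoker2.publicvm[.]com",
    "noobminer.publicvm[.]com", "radpal.publicvm[.]com",
    "newalpha.super-gamezer[.]com", "roro2016.linkpc[.]net",
]


def refang(domain: str) -> str:
    """Turn a defanged indicator ("example[.]com") back into a hostname,
    normalised to lowercase with surrounding whitespace and trailing dot removed."""
    return domain.strip().replace("[.]", ".").lower().rstrip(".")


INDICATORS = [refang(d) for d in RETADUP_CC_DOMAINS_DEFANGED]


def match_indicator(hostname: str, indicators: List[str] = INDICATORS) -> Optional[str]:
    """Return the most specific indicator that hostname equals or is a subdomain of,
    or None. A parent zone (e.g. publicvm.com) is only flagged if it is itself listed,
    because the list names specific hosts under shared dynamic-DNS providers."""
    h = refang(hostname)
    hits = [i for i in indicators if h == i or h.endswith("." + i)]
    return max(hits, key=len) if hits else None


# Assumed log format for this example: "... client=<ip> query=<name> ..."
LOG_LINE = re.compile(r"client=(?P<client>\S+)\s+query=(?P<query>\S+)")


def scan_dns_log(log_text: str, indicators: List[str] = INDICATORS) -> List[Tuple[str, str, str]]:
    """Return (client, queried name, matched indicator) for every log line whose
    query hits an indicator; lines that do not parse are skipped."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_LINE.search(line)
        if not m:
            continue
        ind = match_indicator(m["query"], indicators)
        if ind:
            hits.append((m["client"], m["query"], ind))
    return hits


def affected_clients(hits: List[Tuple[str, str, str]]) -> List[str]:
    """Unique client addresses to triage, sorted for stable output."""
    return sorted({client for client, _, _ in hits})


# Constructed sample DNS log; these addresses and timestamps are not real data.
SAMPLE_DNS_LOG = """\
2019-07-02T10:15:01Z client=10.0.0.12 query=newage.minernewage.com type=A
2019-07-02T10:15:02Z client=10.0.0.33 query=www.example.com type=A
2019-07-02T10:15:03Z client=10.0.0.77 query=noobminer.publicvm.com type=A
2019-07-02T10:15:04Z client=10.0.0.45 query=publicvm.com type=A
malformed line without the expected fields
"""

if __name__ == "__main__":
    found = scan_dns_log(SAMPLE_DNS_LOG)
    for client, query, ind in found:
        print(f"{client} resolved {query} (matches indicator {ind})")
    print("clients to investigate:", affected_clients(found))
```

Because the article notes these domains are no longer malicious after the takedown, a match in historical logs points to a machine that was infected before July 2019 and should be checked for leftover persistence and payloads (the miner, Stop or Arkei), not to an active C&C channel.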

Jason Davies

UK based technology professional, with an interest in computer security and telecoms.
