Retadup is a malicious worm affecting Windows machines. Its objective is to achieve persistence on its victims’ computers, to spread itself far and wide and to install additional malware payloads on infected machines. In the vast majority of cases, the installed payload is a piece of malware mining cryptocurrency on the malware authors’ behalf. However, in some cases, it has been observed distributing the Stop ransomware and the Arkei password stealer.
After finding the C&C infrastructure was mostly located in France, Avast reached out to the Cybercrime Fighting Center (C3N) of the French National Gendarmerie. The law enforcement agency obtained an image of the C&C server from the company providing hosting services to the cybercriminals, which allowed Avast to collect some data about the victims.
In July 2019, the Gendarmerie received the green light from the prosecutor, meaning they could legally proceed with the disinfection. They replaced the malicious C&C server with a prepared disinfection server that made connected instances of Retadup self-destruct. In the very first second of its activity, several thousand bots connected to it in order to fetch commands from the server. The disinfection server responded to them and disinfected them, exploiting a design flaw in the C&C protocol.
Some parts of the C&C infrastructure were also located in the US. The Gendarmerie alerted the FBI, which took them down, and on July 8 the malware authors no longer had any control over the malware bots.
The authors of Retadup decided to brag about their malware on Twitter. They created a Twitter account @radblackjoker and responded to Trend Micro’s research on Retadup.
"It's my worm, here is the controller 😀" — black joker (@radblackjoker), April 27, 2018
"I am just a noob miner 🙁, not a hacker 🙁" pic.twitter.com/1YY7DHR08f
C&C domains (no longer malicious)