Joint effort neutralizes Retadup worm that infected 850k systems

A joint effort between security firm Avast and the French cybercrime unit C3N has taken down a malicious worm dubbed Retadup that had infected hundreds of thousands of machines.

According to Avast, Retadup mostly affects Windows systems in Latin America and first establishes persistence on the victim computer. The worm then spreads itself to other systems and installs additional malicious payloads, such as cryptocurrency-mining malware. More recently, however, Avast spotted Retadup distributing the Stop ransomware and the Arkei password stealer.

Avast provided a summary of how they helped take down Retadup in a blog post:

“We shared our threat intelligence on Retadup with the Cybercrime Fighting Center (C3N) of the French National Gendarmerie, and proposed a technique to disinfect Retadup’s victims. In accordance with our recommendations, C3N dismantled a malicious command and control (C&C) server and replaced it with a disinfection server. The disinfection server responded to incoming bot requests with a specific response that caused connected pieces of the malware to self-destruct. At the time of publishing this article, the collaboration has neutralized over 850,000 unique infections of Retadup.”

The security firm began closely watching Retadup in March 2019. After analyzing its activity and learning that most of the C&C infrastructure was located in France, Avast contacted the French authorities in late March.

In July 2019, the French cybercrime unit took down the C&C server and replaced it with a disinfection system, designed to make “connected instances of Retadup self-destruct”.