French cybercrime police have shut down a Monero botnet virus that had affected 850,000 computers across more than 100 countries. Called ‘Retadup’ and originating from Paris, the threat had utilized the combined power of close to a million Windows machines to mine the coin, representing a combined processing power of between 1-3 million GHz.
A replicating malware called #Retadup was infecting 850,000 computers running the Windows operating system. Our Threat Labs researchers, along with French @Gendarmerie authorities and the FBI, made it destroy itself.
Check out the full story ➤ https://t.co/8mTeDSruEv #malware
— Avast (@avast_antivirus) August 28, 2019
Remote Access Allows Monero Mining
Anti-virus company Avast first recorded Retadup in early 2018 and alerted French authorities to the software. The attack was monitored by the cyber division of the French National Gendarmerie and the US Federal Bureau of Investigation, who were able, following a tip off, to carry out a counterattack last week. This was successful and saw all impacted computers worldwide being disinfected, with the majority being located in Central and South America. It was revealed that Retadup worked by opening a backdoor on infected machines, allowing commands to be executed remotely by the attackers, often operating the mining software when users were typically not using their machines, such as at night.
Cryptojacking a Dying ‘Art’
Avast was instrumental in bringing the attack to an end, and detailed the process by which they managed it. Researchers at the company discovered a design flaw in the server communications protocol used by the attackers that could allow them to instruct the malware to delete itself, and since the Retadup malware’s servers were located in France they approached French authorities, who instructed police to arrest the hackers and seize the servers, which they did. With the servers in their hands, Avast replaced the malicious code with code that instructed any infected host connected to the server to delete itself. This, according to Avast, was a typical example of ‘cryptojacker’ malware, running almost without a trace, and with the only noticeable difference for the user being reduced hardware performance. Cryptojacking malware is however on the decline, with other more subtle and dangerous malware taking its place, meaning authorities will have to be increasingly on the alert in the coming months and years.