French Authorities Neutralize RETADUP Botnet and Disinfect Over 850,000 Infected Computers
In a significant strike against cybercrime, the French National Gendarmerie has successfully dismantled one of the most pervasive botnets, the RETADUP malware, effectively disinfecting more than 850,000 computers globally. This operation unfolded in collaboration with security researchers from Avast, who detected a critical vulnerability within the botnet’s command and control (C&C) protocol.
Earlier this year, the Avast team monitored the RETADUP botnet’s activities and uncovered an inherent flaw in its communication structure. This flaw offered an opportunity to remove the malware remotely, provided that researchers gained control over the botnet’s C&C server, located in the Ile-de-France region. By the end of March, Avast researchers reached out to the French Gendarmerie’s Cybercrime Fighting Center (C3N), presented their findings, and proposed a covert operation to eradicate the RETADUP threat.
In July, French authorities took decisive action by seizing control of the C&C server. They replaced it with a specially designed disinfection server that exploited the previously identified design weakness. Consequently, the RETADUP malware instances on infected computers received commands to self-destruct. Several thousand bots connected to the new server seeking commands as soon as it came online, and the disinfection proceeded at scale from there.
As of the article’s publication, this collaborative effort has successfully neutralized hundreds of thousands of RETADUP infections. Jean-Dominique Nollet, head of the National Criminal Intelligence Service at Gendarmerie Nationale, stated that the disinfection server would remain operational for a few additional months to ensure that any remaining infected machines would connect and receive the necessary commands.
The operation extended beyond France’s borders; French police collaborated with the FBI after identifying components of the RETADUP infrastructure in the United States. The FBI dismantled these components on July 8, cutting off the malware authors’ ability to control the botnet. As a result, the infected bots were no longer able to execute mining jobs, significantly impacting the financial benefits the cybercriminals derived from exploiting victims’ computing power.
Originally developed in 2015, the RETADUP malware primarily targeted computers in Latin America. It is designed not only to mine cryptocurrencies but also to launch DDoS attacks and gather sensitive information. Various strains of RETADUP have been found to install payloads such as the Stop ransomware and Arkei password stealer. The analysis of the seized C&C infrastructure further revealed the connection to an AutoIt RAT called HoudRat, a more sophisticated and less prevalent variant of RETADUP, capable of extensive malicious activities.
Mapped against the MITRE ATT&CK framework, the malware’s behaviour illustrates techniques such as remote control of victims through its C&C channel and persistence through its ability to remain resident on infected machines. The collaborative nature of this effort underscores the importance of proactive international partnerships in combating the evolving landscape of cybersecurity threats.
As this operation exemplifies, awareness and decisive action against cyber threats remain crucial for business owners, who must continue to safeguard their networks against attackers leveraging sophisticated malware like RETADUP. Each success in neutralizing such threats strengthens the wider defense against cybercrime.