Antivirus maker Avast and the French National Gendarmerie recently declared that they’ve taken down the infrastructure of the Retadup malware gang.
Having obtained access to the malware's back end, Avast and the French authorities also used the gang's command and control (C&C) servers to instruct Retadup to delete itself from affected systems, effectively disinfecting over 850,000 Windows systems without users having to do anything.
The antivirus maker said that all of this was possible after its malware analysts started going over the malware with a fine-tooth comb back in March. Avast researchers discovered a design flaw in the C&C server communication protocol that let them instruct the malware to destroy itself.
Since the Retadup C&C servers were hosted in France, Avast approached the French authorities, who agreed to help and seized the crooks' servers. Once they had the malware servers in their hands, Avast and the French authorities replaced the malicious ones with copies that instructed any infected host connecting to them to delete itself.
Based on telemetry Avast collected beginning on July 2, when they first took over the malware's servers, the vast majority of Retadup-infected computers were located in Latin America. Over 45 days, from July 2 to August 19, according to the antivirus maker, more than 850,000 infected systems connected to the Retadup C&C servers seeking new instructions from the malware's operators.
In some campaigns, the malware was also observed being used as a launching pad for the STOP ransomware and Akei password stealer, suggesting the hackers were actively selling “installspace” on infected hosts to other malware gangs.
Avast reported that the main reason the Retadup operation grew so wide was that 85% of all infected computers didn’t have an antivirus, allowing the malware to operate unchecked and undetected.