Threat Research

Avast collaborates with France and U.S. to stop cryptomining worm

Avast Security News Team, 28 August 2019

Threat Labs researchers help neutralize 850,000 unique infections of Retadup

Avast researchers have worked with French and U.S. law enforcement to stop 850,000 infections of a “worm” – self-replicating malware – by causing the threat to destroy itself.

The worm, known as Retadup, has been distributing a malicious cryptocurrency miner and other malware to computers running the Windows operating system, mostly in Latin America.

“The cybercriminals behind Retadup had the ability to execute additional arbitrary malware on hundreds of thousands of computers worldwide,” said Jan Vojtěšek, a malware analyst at Avast who led the research. “Our main objectives were to prevent them from executing destructive malware on a large scale, and to stop the cybercriminals from further abusing infected computers.”

While analyzing Retadup, the Avast Threat Intelligence team identified a design flaw in Retadup that would allow the malware to be removed from victims’ computers once its command and control (C&C) server had been taken over. Retadup’s C&C infrastructure was mostly located in France, so the team worked with French authorities to stop the threat.

The worm’s malicious C&C server has been replaced with a disinfection server that has caused the connected pieces of malware to self-destruct.

Some parts of the C&C infrastructure were also located in the United States, so the French authorities also brought in the FBI. Law enforcement took down the rest of the worm’s C&C infrastructure on July 8.

Read a deep-dive description of the Avast Threat Intelligence team’s research into Retadup on Decoded, Avast's tech blog.