Threat Labs researchers help neutralize 850,000 unique infections of Retadup
Avast researchers have worked with French and U.S. law enforcement to stop 850,000 infections by a “worm” (self-replicating malware) by causing the threat to destroy itself.
The worm, known as Retadup, has been distributing a malicious cryptocurrency miner and other malware to computers running the Windows operating system, mostly in Latin America.
“The cybercriminals behind Retadup had the ability to execute additional arbitrary malware on hundreds of thousands of computers worldwide,” said Jan Vojtěšek, a malware analyst at Avast who led the research. “Our main objectives were to prevent them from executing destructive malware on a large scale, and to stop the cybercriminals from further abusing infected computers.”
While analyzing Retadup, the Avast Threat Intelligence team identified a design flaw in Retadup that would allow the malware to be removed from victims’ computers once its command and control (C&C) server was taken over. Retadup’s C&C infrastructure was mostly located in France, so the team worked with French authorities to stop the threat.
The worm’s malicious C&C server has been replaced with a disinfection server that has caused the connected pieces of malware to self-destruct.
Some parts of the C&C infrastructure were also located in the United States, so the French authorities also brought in the FBI. Law enforcement took down the rest of the worm’s C&C infrastructure on July 8.