Retadup taken down globally by Avast, FBI and Gendarmerie

The Retadup worm has been neutralised globally after 850,000 infections – including a number in Australia.

After Avast detected the worm, the French Gendarmerie, in collaboration with the FBI, managed to stop the spread of the malicious Windows infection.

The worm, known as Retadup, has been distributing a malicious crypto-currency miner and, in isolated cases, delivering the Stop ransomware and Arkei password stealer to victims’ computers.

The malicious command and control (C&C) server has been replaced with a disinfection server that has caused the connected pieces of malware to self-destruct.

During their analysis, the Avast Threat Intelligence team discovered that Retadup primarily spreads by dropping malicious LNK files onto connected drives, in the hope that people will share the malicious files with other users. The LNK file is created under the same name as an already existing folder, with text such as “Copy fpl.lnk” appended to it. This way, it attempts to trick users into thinking they are opening their own files, when in reality they are infecting themselves with malware. When executed on a computer, the LNK file runs Retadup’s malicious script. 
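The folder-mimicking lure described above lends itself to a simple scan of a drive for shortcuts whose name begins with the name of a sibling folder. The following is an added defender-side example, not code from Avast or the Retadup write-up; the heuristic, the confidence ranking and the sample directory tree are assumptions, and the scanner only names the files, it never opens them.

```python
import os
import tempfile

# Appended text quoted in the write-up; used to rank a hit as high confidence.
KNOWN_SUFFIX = "copy fpl"


def find_suspicious_lnk(root):
    """Walk `root` and return (lnk_path, mimicked_folder, confidence) tuples.

    A .lnk is flagged when its name (minus extension) starts with the name of
    a folder in the same directory, which is how the Retadup lure is built.
    Confidence is "high" when the appended text contains the known suffix,
    otherwise "medium" (a plain "Folder.lnk" may be a legitimate shortcut).
    """
    hits = []
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames.sort()  # deterministic traversal order
        folders = {d.lower(): d for d in dirnames}
        for name in sorted(filenames):
            if not name.lower().endswith(".lnk"):
                continue
            stem = name[:-4]
            for low, folder in folders.items():
                if stem.lower().startswith(low):
                    appended = stem[len(folder):].strip()
                    conf = "high" if KNOWN_SUFFIX in appended.lower() else "medium"
                    hits.append((os.path.join(dirpath, name), folder, conf))
                    break
    return hits


def build_sample_drive():
    """Create a constructed directory tree mimicking an infected removable drive."""
    root = tempfile.mkdtemp(prefix="retadup_demo_")
    for folder in ("Photos", "Invoices"):
        os.mkdir(os.path.join(root, folder))
    # Lure in the style described in the article, plus a plain shortcut and a benign file.
    for fname in ("Photos Copy fpl.lnk", "Invoices.lnk", "notes.txt"):
        with open(os.path.join(root, fname), "w") as fh:
            fh.write("placeholder")
    return root


if __name__ == "__main__":
    for path, folder, conf in find_suspicious_lnk(build_sample_drive()):
        print(f"[{conf}] {path} mimics folder '{folder}'")
```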

“The cybercriminals behind Retadup had the ability to execute additional arbitrary malware on hundreds of thousands of computers worldwide,” says Jan Vojtěšek, Reverse Engineer at Avast. “Our main objectives were to prevent them from executing destructive malware on a large scale, and to stop the cybercriminals from further abusing infected computers.”