Cybersecurity expert JAMESWT: The link in the message downloads a zip with a URL pointing to an SMB, which downloads and executes the malware. Same TTP as the “Revenue Agency” campaign in Italy.
France, United States and Avast cooperated to dismantle the cybercrime the Retadup cryptomining worm. It controlled over 850,000 computers, mainly in Latin America, to create Monero
Cybercrime gang behind the Retadup botnet has been dismantled by French police have. Thanks to the malware, the crooks took control of more than 850,000 computers, mainly in Latin America. The operation started after an alert by Avast cyber security firm. The company found that the worm was being controlled by a server in the Paris region. The C3N cybercrime unit at the French gendarmerie carried out the counterattack with help from the US Federal Bureau of Investigation (FBI). This, because some parts of the C&C infrastructure were also located in the United States. Police first made a copy of the server orchestrating the attack, which allowed them to then hack into it and surreptitiously take control. They then ordered all the infected computers to uninstall the Retadup malware, which said was allowing the malicious hackers to create the Monero cryptocurrency.
The cyber security expert: how the malware works
According to the cyber security experts, there are many different variants of Retadup. The core is written in either AutoIt or AutoHotkey. In both cases, it consists of two files: the clean scripting language interpreter and the malicious script itself. The core first, it checks if another instance of the malware is already running. If it is, then it exits silently so that only a single instance of the malicious code is running at any given time. Then it makes some basic checks to see if it is being analyzed. If it detects that it is under analysis, it also exits silently. Subsequently, it achieves persistence and attempts to spread itself. Finally, it enters an infinite loop in which it regularly polls the cybercrime C&C server for commands and if it receives a command from the C&C, it executes a handler for the received command.