Late last month, ZDNet reported that cybersecurity company Avast turned the tables on a black hat hacker with the help of French authorities. The firm’s operators successfully subverted the Retadup malware to disinfect the computers of 850,000 people. As a result, investigators shut down an illicit international cryptocurrency mining scheme.
In March, Avast opened an investigation into Retadup. First detected in 2017, the Trojan malware infected host systems, collected user data, and transmitted it to a remote location. The program also had a knack for self-replication: it deposited LNK files into any shared drive it encountered. Over time, the worm’s designers altered its function so that the infected machines collectively and covertly mined a digital coin called Monero.
During its Retadup inquiry, Avast’s data scientists discovered that the malware’s remote server was located in France. The group also found a communications protocol vulnerability in the hacker’s command-and-control framework. Subsequently, the operators contacted the French National Gendarmerie and the organization dispatched officers to seize the Retadup server.
At that point, Avast and French authorities worked together to repurpose the malware. Data scientists replaced the program’s code with instructions to self-destruct. From July 2 to August 19, the malicious server sent out commands to remove the Trojan from more than 850,000 systems.
Always Use an Antivirus
While disinfecting nearly 1 million compromised systems, Avast learned more about the Retadup creators’ operation. Data scientists discovered from the French server taken by the Gendarmerie that the malware’s designers mined 53.72 Monero (around $4,500). However, investigators believe that amount only represents a fraction of the criminals’ total profits.
In the past, cybersecurity experts have found hackers using Retadup as a delivery system for ransomware. Accordingly, Avast believes that the Trojan’s creators sold access to infected systems to other black hat hackers.
The bad actors mainly targeted vulnerable systems in South America. Data scientists discovered that the majority of the infected machines were located in Argentina, Bolivia, Colombia, Ecuador, and Peru. Investigators also found the worm conducting those operations from computers located in Cuba, Mexico, and the United States.
Avast’s investigators also found another commonality between the infected systems. Specialists determined that 85 percent of the computers used in the Retadup botnet had no antivirus program installed. That lack of proper cybersecurity protection allowed the malicious program to spread and thrive.
After the Retadup disinfection was completed, another cybersecurity firm may have identified the malware’s designer.
In conducting its investigation, Avast determined that the designer of the widely spread malware operated a Twitter account with the handle @radblackjoker. The owner of the account brazenly claimed responsibility for creating the popular Trojan in a series of 2017 tweets. Cybersecurity company Under the Breach analyzed Avast’s Retadup report and used it to find the hacker’s domain registry information.
Under the Breach subsequently used its findings to locate a Facebook page potentially belonging to @radblackjoker. The user’s profile, which belongs to a 26-year-old Palestinian, contains the same information as the domain registry and lots of bragging about Retadup’s success. After confirming the data, the cybersecurity firm passed its findings on to Avast and the proper authorities.
While the recent proliferation of cyberattacks is unnerving, it’s heartening to know that investigators can bring hackers to justice.