A French and U.S. law-enforcement effort has neutralized 850,000 infections by a cryptomining worm known as Retadup, by causing the threat to destroy itself.
The worm has been distributing the malicious XMRig cryptocurrency miner to computers running the Windows operating system, mostly in Latin America.
The general functionality of the mining payload is fairly standard, according to Avast, which led the research into the threat and assisted the authorities in the defense effort.
“It decrypts an XMRig PE file in memory and injects it into a newly created process via process-hollowing,” Avast’s Wednesday write-up explained. “It also dynamically builds an XMRig config file, drops it to disk and passes it to the newly created process. XMRig’s donate level is set to 0 so as not to share any mining profits with XMRig developers.”
It’s more interesting in terms of stealth and maintaining persistence. The malware avoids mining when taskmgr.exe is running so that it’s harder for users to detect the increased CPU usage caused by the mining activity. The process that injects XMRig also acts as a watchdog, Avast researchers found, so if the injected worker process is terminated for any reason, the watchdog process spawns a new worker process to replace it.
One interesting aspect of the malware’s code is the type of process-hollowing the authors used — a harder-to-implement technique that allows the authors to bypass security solutions.
“Process-hollowing is often implemented by calling higher-level functions such as WriteProcessMemory or NtMapViewOfSection,” researchers explained. “[This] miner opts for an extra stealthy way of using system calls directly.”
The typical approach of using undocumented functions exported from ntdll (such as NtUnmapViewOfSection) to achieve process injection is often detectable by endpoint security solutions, the researchers noted. However, by loading a second copy of ntdll into memory and exporting call functions through that, it’s often possible to get around this obstacle.
“The idea behind this is that the new copy of ntdll (which is often read directly from disk) might not contain the hooks that the original copy did contain, so that security software might not see which functions the malware called,” the researchers explained.
Potential for Much Worse
Beyond the miner, however, the worm’s C2 also contained the ability to push additional malware to infected hosts – a concerning capability given the sheer scale of the infection, well into the hundreds of thousands.
“The C2 server also contained a .NET controller for an AutoIt RAT called HoudRat,” according to the analysis, noting that HoudRat is capable of executing arbitrary commands, logging keystrokes, taking screenshots, stealing passwords, downloading arbitrary files and more.
“The cybercriminals behind Retadup had the ability to execute additional arbitrary malware on hundreds of thousands of computers worldwide,” said Jan Vojtěšek, a malware analyst at Avast. “Our main objectives were to prevent them from executing destructive malware on a large scale, and to stop the cybercriminals from further abusing infected computers.”
The Takedown
While analyzing Retadup, the Avast Threat Intelligence team identified a design flaw in Retadup that would allow removal of the malware from victims’ computers with the takeover of the command-and- control (C2) server, located in France. French law enforcement and Avast researchers replaced the malicious C2 server with a disinfection server that has caused the connected pieces of malware to self-destruct.
“In the very first second of its activity, several thousand bots connected to it in order to fetch commands from the server,” according to Avast. “The disinfection server responded to them and disinfected them, abusing the [C2] protocol design flaw.”
Some parts of the C2 infrastructure were also located in the U.S., researchers explained.
“The Gendarmerie alerted the FBI who took them down, and on July 8 the malware authors no longer had any control over the malware bots,” the firm noted. “Since it was the C2 server’s responsibility to give mining jobs to the bots, none of the bots received any new mining jobs to execute after this takedown. This meant that they could no longer drain the computing power of their victims and that the malware authors no longer received any monetary gain from mining.”
Interested in more on the internet of things (IoT)? Don’t miss our free Threatpost webinar, “IoT: Implementing Security in a 5G World.” Please join Threatpost senior editor Tara Seals and a panel of experts as they offer enterprises and other organizations insight about how to approach security for the next wave of IoT deployments, which will be enabled by the rollout of 5G networks worldwide. Click here to register.