French Police Remotely Kill 850,000 Infections By Hijacking A Botnet

French police have hijacked and neutralized a massive cryptocurrency mining botnet controlling close to a million infected computers.


The French police have set a record by hijacking and neutralizing a massive cryptocurrency mining botnet that was found to be controlling around a million infected computers. The infections were caused by the notorious Retadup malware, which mined cryptocurrency on the victims' machines, sapping processor power. Initially the malware was used only to generate money, but its operators could have run other malicious code, such as spyware or ransomware. It also had worm-like properties, spreading from computer to computer.

The malware had spread across the U.S., Russia, and Central and South America, and the successful takedown was confirmed by the security firm Avast. Avast became involved after discovering a design flaw in the malware's command-and-control server. Its researchers noted that, if exploited, the flaw would allow the malware to be removed from victims' computers without pushing any code to them.

Avast could have dismantled the operation itself, but it lacked the legal authority to do so. Because the malware's infrastructure was in France, Avast contacted the French police. After obtaining the consent of prosecutors in July, the police began the operation to take control of the server and of the infected systems.

According to the police, it was the largest botnet and one of the largest networks of hijacked computers in the world. In a covert operation, the police obtained a snapshot of the malware's command-and-control server with the cooperation of its web host. The operation had to be carried out very carefully so that the malware operators would not detect it and retaliate.

“The malware authors were involved in cryptocurrency miner distribution, making it a good passive income,” the security company stated. “The problem with the operation was keeping it secret; if they ever realized Retadup was about to be taken down, they might push ransomware to thousands of computers, thereby milking their malware for several last-minute profits.”

A word or two on the Retadup malware itself. It is a malicious worm affecting Windows machines throughout Latin America. Its main objectives are to persist on the victim's computer, spread itself as far and wide as possible, and install additional malware payloads on infected machines. In most cases the payload is a cryptocurrency miner working on behalf of the malware authors. Retadup has also been found distributing the Stop ransomware and the Arkei password stealer.

This is a new version written in AutoHotKey, an open-source scripting language used on Windows to create hotkeys. It is closely related to the earlier AutoIt-based variants used for cybercrime and cyber espionage. The threat was identified at an organization that had a related malware artifact; further analysis, correlating samples by their C&C protocol and by previous Retadup detections, turned up similar samples. For now, Retadup's operators appear to be focused on criminal cryptocurrency mining.

The first step was to build a replica of the malicious command-and-control server from the seized copy, one that would disinfect victim computers rather than infect them.

“Replacing the malicious server with the prepared disinfection server made connected instances of Retadup self-destruct,” Avast claimed. “Thousands of bots connected to it to fetch commands from the server in the first seconds of activity. The disinfection server responded to them and thereby disinfected them, abusing the design flaw.”

The result was that the company successfully stopped the malware from operating and removed the code from over 850,000 infected computers. By then the malware operators had generated millions of euros' worth of cryptocurrency, said Jean-Dominique Nollet, head of the French police's cyber unit.

Shutting down a malware botnet is a laborious achievement, and still a rare one. The US government had amended Rule 41, allowing judges to issue search and seizure warrants outside their own jurisdiction. The change was seen as a way for the FBI to conduct remote hijacking operations without being hindered by the limits of a judge's jurisdiction. Critics, however, objected loudly, claiming it would allow any number of computers to be hijacked with a single warrant from a friendly judge.

This amended rule has been used to dismantle one major piece of malware, the Joanap botnet, which was linked to hackers working for the North Korean regime. Hackers and malware target systems again and again, and this has prompted changes to the law to make it easier to take action against the culprits. Such changes are sure to have an impact on everything that matters in this area.
