Multi-License Discount Quote

Change Region

English Português
Threat Database Botnets Retadup

Retadup

By GoldSparrow in Botnets
Translate To:

Worm.Retadup is a malware threat that attacks Windows computers with the purpose of installing additional malicious payload on them. As the name suggests, Retadup is a type of worm that spreads far and wide without human interaction, achieving at the same time its persistence on affected machines. In the prevalent amount of the analyzed cases, Retadup drops a cryptocurrency mining malware on the targeted devices. In some cases, researchers have also observed the worm distributing the Stop Ransomware and the Arkei password stealer. Retadup was exposed around two years ago, back in 2017, when it was caught stealing information from hospitals in Israel. Several months later, a new variant of Retadup hit businesses and government institutions in South America. In August 2019, cybersecurity researchers have shared the details of a separate Retadup campaign in which vulnerable devices have been targeted with a Monero cryptocurrency miner named XMRig.

The new Retadup activity came into researchers' radars in March 2019 when XMRig caught the attention with its advanced detection evasion abilities. One of the ways in which XMRig is able to remain unnoticed is by not using all of the infected device's CPU power. Also, the crypto miner stops mining whenever Task Manager is running so that the user would not notice the spikes in the CPU usage. Further research into the distribution channels of this cryptocurrency miner led back to the Retadup worm which was being used to deliver XMRig, mostly to machines located in Spanish-speaking countries in Latin America. A profound analysis of Retadup followed, revealing that most of the worm's Command-and-Control (C2) infrastructure was located in France. Therefore, the cybersecurity company that was working on that threat contacted the French National Gendarmerie and proposed a joint disinfection strategy to neutralize the campaign. As a result, the cybercriminals' server was taken down and replaced with a disinfection server which responded to requests coming from connected bots, eventually causing connected instances of Retadup to self-destruct. By the end of August 2019, over 850,000 devices connected to the attackers' C2 server have been neutralized, and respectively, their resources are no longer abused for fraudulent monetary gain.

Retadup Is Written in Either Autolt or Auto-Hotkey

Many different variants of Retadup worm exist, however, they all have similar functionalities and differ only in the way these functionalities are implemented. The core of the worm can be written in either Autolt or Auto-Hotkey, yet in both cases, it consists of two files - the clean scripting language interpreter and the malicious script itself. In Retadup variants that have their core written in Autolt, the script is first compiled and then distributed, whereas in Auto-Hotkey variants the script is distributed as source code. The core of most Retadup variants follows the same workflow. The first thing it does is to check whether another instance of the worm is already running on the target machine. If that is the case, Retadup exits silently, leaving only one version of the malware on the device at any time. The worm also has the ability to check whether it is being analyzed, and it exits in such cases as well. Then, the worm achieves persistence and tries to spread to other connected devices, before entering an infinite loop in which it regularly sends command requests to the Command-and-Control server and executes any received commands. In the meantime, Retadup keeps performing attempts to spread itself and to restore its persistence.

The list of commands that Retadup receives and executes is rather short as the malware authors probably wanted to keep it simple:

  • Command "Update" replaces an old variant of Retadup with a newer one

  • Command "Download" downloads and runs an additional payload

  • Command "Sleep" causes the worm to freeze for a specified period of time

  • Command "Updateself" makes the malware mutate itself polymorphically


Technical Details

All Retadup variants perform some anti-analysis checks, though they differ in their specific implementation. Almost all samples check first the file system path on which they are running, and their malicious script does not execute if either the interpreter path of the script path is not as expected. Most of the analyzed Retadup samples also have some means to delay their execution by performing either a series of many short sleeps, or one single long sleep. Then, some variants check for running processes with names like "procmon.exe" or "vmtoolsd.exe," for directories with names like "C:\cuckoo\" or C:\CWSandbox\," and for loaded in the current process modules with names like "SbieDll.dll" or "api_log.dll."

The Retadup malware has an impressive list of capabilities. It can:

  • Collect data from the compromised host and send it to the C&C servers of the attackers.
  • Self-replicate to further propagate itself.
  • Plant a cryptomining module, which mines for the Monero cryptocurrency.

Depending on the language in which the Retadup core is written, there are two ways through which Retadup achieves persistence: either by creating a registry value in "HKCU\Software\Microsoft\Windows\CurrentVersion\Run," and/or creating a scheduled task. The worm schedules a task through the "schtask.exe" utility, while the task is set to execute every minute. Variants written in Autolt tend to use hardcoded registry value names, whereas Auto-Hotkey variants use both registry values scheduled tasks with random names.

In order to spread around, Retadup iterates over all connected drives which do not have the letter "C" assigned to them and drops malicious LNK files on these drives. Then, the worm checks all folders located in the root folder of a given drive and creates an LNK file for each folder. This newly created LNK file has the same name as the original folder (with just a short string such as "fpl.lnk" appended to it) and is supposed to mimic the actual folder, trying thus to trick users into executing that folder. Also, the malware copies both the malicious script and the Autolt/Auto-Hotkey interpreter to a hidden system directory which is located at a hardcoded path relative to the newly created LNK file. If the user executes the LNK file, the malicious script runs using the corresponding Autolt/Auto-Hotkey interpreter. These tricks of Retadup seem to be quite convincing as many users actually perceive the LNK files as benign shortcuts of regular user files.

Analysis Report

General information

Family Name: Worm.Retadup
Signature status: Hash Mismatch

Known Samples

MD5: 30ec7cfb529ba6a701d17e337c1e61b3
SHA1: 8b3cd71afe5fd68e26c632fe2ac24799339b4ac7
SHA256: 77983E71F989FA48FF343D9A30872E44B99F676738EBCD8724A5C69049D15C58
File Size: 983.04 KB, 983040 bytes
MD5: c46ada598ad283ab844942d51f58f8ef
SHA1: 38b06e3b157fc565e706f7ac6889d7997f65056f
SHA256: 360C50A4528F06A8AC843CB8F3D327DC70B53CAF910CA642EA12A65F188790B3
File Size: 940.50 KB, 940495 bytes
MD5: d88dec187f49bdec53b5c1be368dd8d5
SHA1: 734dd1126c18991d8912c94ede86914f38cc7d13
SHA256: DF510B0F83F3B481D012558A0919C9B1F8AA61583127F93FC7FB8A9ABB2F3650
File Size: 868.35 KB, 868352 bytes

Windows Portable Executable Attributes

  • File doesn't have "Rich" header
  • File doesn't have exports table
  • File doesn't have relocations information
  • File is 32-bit executable
  • File is 64-bit executable
  • File is either console or GUI application
  • File is GUI application (IMAGE_SUBSYSTEM_WINDOWS_GUI)
  • File is Native application (NOT .NET application)
  • File is not packed
  • IMAGE_FILE_DLL is not set inside PE header (Executable)
Show More
  • IMAGE_FILE_EXECUTABLE_IMAGE is set inside PE header (Executable Image)

File Icons

Windows PE Version Information

Name Value
Comments This is the AutoIt script parser built for Ultra Virus Killer
Company Name Carifred
File Description Ultra Virus Killer AutoIt script parser
File Version 1.0.0.0
Internal Name AutoItRun
Legal Copyright Carifred © 2010 - 2016
Legal Trademarks Carifred.com
Original Filename AutoItRun.exe
Product Name Ultra Virus Killer
Product Version 10.0.0.0

Digital Signatures

Signer Root Status
Alfredo Anibal Santos Silva COMODO RSA Code Signing CA Hash Mismatch
Alfredo Anibal Santos Silva COMODO RSA Code Signing CA Hash Mismatch

Block Information

Total Blocks: 4,157
Potentially Malicious Blocks: 0
Whitelisted Blocks: 4,157
Unknown Blocks: 0

Visual Map

0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 1 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 1 1 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 1 0 0 0 0 1 1 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 1 0 0 0 0 0 0 0 0 0 0 1 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 1 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 1 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 1 0 0 0 0 1 1 0 0 0 0 0 0 0 1 0 0 0 1 0 0 1 0 0 1 0 0 0 0 0 0 2 3 0 1 0 1 0 0 0 1 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 1 0 0 0 0 0 0 0 0 1 1 0 0 0 0 0 0 2 2 1 0 0 0 0 0 0 0 0 1 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 2 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 1 0 0 1 1 0 0 1 0 0 0 0 0 0 0 1 0 0 0 0 0 2 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 1 0 0 0 0 0 0 0 0 0 0 0 0 1 0 0 0 0 1 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 1 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 1 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 1 0 1 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
... Data truncated
0 - Probable Safe Block
? - Unknown Block
x - Potentially Malicious Block

Similar Families

  • Autoit
  • Delf.Q
  • Filecoder.DF
  • Philadelphia.A
  • Philadelphia.B

Files Modified

File Attributes
c:\program files\common files\system\symsrv.dll Generic Write,Read Attributes

Registry Modifications

Key::Value Data API Name
HKLM\software\wow6432node\microsoft\windows nt\currentversion\windows::appinit_dlls C:\PROGRA~1\COMMON~1\System\symsrv.dll RegNtPreCreateKey
HKLM\software\wow6432node\microsoft\windows nt\currentversion\windows::loadappinit_dlls  RegNtPreCreateKey
HKLM\software\wow6432node\microsoft\windows nt\currentversion\windows::requiresignedappinit_dlls RegNtPreCreateKey

Windows API Usage

Category API
Syscall Use
  • ntdll.dll!NtClose
  • ntdll.dll!NtFreeVirtualMemory
  • ntdll.dll!NtMapViewOfSection
  • ntdll.dll!NtOpenFile
  • ntdll.dll!NtOpenKey
  • ntdll.dll!NtOpenKeyEx
  • ntdll.dll!NtOpenSection
  • ntdll.dll!NtProtectVirtualMemory
  • ntdll.dll!NtQueryAttributesFile
  • ntdll.dll!NtQueryDefaultLocale
Show More
  • ntdll.dll!NtQueryDirectoryFileEx
  • ntdll.dll!NtQueryInformationProcess
  • ntdll.dll!NtQueryInformationThread
  • ntdll.dll!NtQueryInformationToken
  • ntdll.dll!NtQueryKey
  • ntdll.dll!NtQuerySystemInformation
  • ntdll.dll!NtQueryValueKey
  • ntdll.dll!NtQueryVirtualMemory
  • ntdll.dll!NtQueryVolumeInformationFile
  • ntdll.dll!NtSetEvent
  • ntdll.dll!NtSetInformationProcess
  • ntdll.dll!NtTestAlert
  • ntdll.dll!NtUnmapViewOfSectionEx
  • ntdll.dll!NtWaitLowEventPair
  • ntdll.dll!NtWriteFile
  • ntdll.dll!NtWriteVirtualMemory
  • win32u.dll!NtGdiBitBlt
  • win32u.dll!NtGdiCreateBitmap
  • win32u.dll!NtGdiCreateCompatibleBitmap
  • win32u.dll!NtGdiCreateCompatibleDC
  • win32u.dll!NtGdiCreateDIBitmapInternal
  • win32u.dll!NtGdiCreateDIBSection
  • win32u.dll!NtGdiCreatePatternBrushInternal
  • win32u.dll!NtGdiCreateSolidBrush
  • win32u.dll!NtGdiDeleteObjectApp
  • win32u.dll!NtGdiDoPalette
  • win32u.dll!NtGdiExtGetObjectW
  • win32u.dll!NtGdiGetDCDword
  • win32u.dll!NtGdiGetDCforBitmap
  • win32u.dll!NtGdiGetDCObject
  • win32u.dll!NtGdiGetDIBitsInternal
  • win32u.dll!NtGdiPolyPatBlt
  • win32u.dll!NtGdiRestoreDC
  • win32u.dll!NtGdiSaveDC
  • win32u.dll!NtGdiSelectBitmap
  • win32u.dll!NtGdiSetDIBitsToDeviceInternal
  • win32u.dll!NtGdiStretchDIBitsInternal
  • win32u.dll!NtUserBuildHwndList
  • win32u.dll!NtUserCallOneParam
  • win32u.dll!NtUserCallTwoParam
  • win32u.dll!NtUserCreateEmptyCursorObject
  • win32u.dll!NtUserDestroyCursor
  • win32u.dll!NtUserDestroyWindow
  • win32u.dll!NtUserDrawIconEx
  • win32u.dll!NtUserFindExistingCursorIcon
  • win32u.dll!NtUserGetDC
  • win32u.dll!NtUserGetIconInfo
  • win32u.dll!NtUserGetIconSize
  • win32u.dll!NtUserGetKeyboardLayout
  • win32u.dll!NtUserGetMessage
  • win32u.dll!NtUserGetProp
  • win32u.dll!NtUserGetThreadState
  • win32u.dll!NtUserKillTimer
  • win32u.dll!NtUserLockWindowUpdate
  • win32u.dll!NtUserPeekMessage
  • win32u.dll!NtUserRegisterClassExWOW
  • win32u.dll!NtUserRegisterWindowMessage
  • win32u.dll!NtUserReleaseDC
  • win32u.dll!NtUserRemoveProp
  • win32u.dll!NtUserSelectPalette
  • win32u.dll!NtUserSetCursorIconData
  • win32u.dll!NtUserSetWindowFNID
  • win32u.dll!NtUserSetWindowLongPtr
  • win32u.dll!NtUserShowWindow
Anti Debug
  • IsDebuggerPresent
User Data Access
  • GetUserObjectInformation

Related Posts

Trending

Most Viewed

Loading...