Worm.Retadup is a malware threat that attacks Windows computers with the purpose of installing additional malicious payloads on them. As the name suggests, Retadup is a type of worm that spreads far and wide without human interaction, achieving at the same time persistence on affected machines. In most of the analyzed cases, Retadup drops cryptocurrency-mining malware on the targeted devices. In some cases, researchers have also observed the worm distributing the Stop Ransomware and the Arkei password stealer. Retadup was exposed around two years ago, back in 2017, when it was caught stealing information from hospitals in Israel. Several months later, a new variant of Retadup hit businesses and government institutions in South America. In August 2019, cybersecurity researchers shared the details of a separate Retadup campaign in which vulnerable devices were targeted with a Monero cryptocurrency miner named XMRig.
The new Retadup activity came onto researchers' radar in March 2019, when XMRig caught their attention with its advanced detection-evasion abilities. One of the ways in which XMRig is able to remain unnoticed is by not using all of the infected device's CPU power. Also, the crypto miner stops mining whenever Task Manager is running, so that the user does not notice spikes in CPU usage. Further research into the distribution channels of this cryptocurrency miner led back to the Retadup worm, which was being used to deliver XMRig, mostly to machines located in Spanish-speaking countries in Latin America. A thorough analysis of Retadup followed, revealing that most of the worm's Command-and-Control (C2) infrastructure was located in France. Therefore, the cybersecurity company that was working on the threat contacted the French National Gendarmerie and proposed a joint disinfection strategy to neutralize the campaign. As a result, the cybercriminals' server was taken down and replaced with a disinfection server which responded to requests coming from connected bots, eventually causing connected instances of Retadup to self-destruct. By the end of August 2019, over 850,000 devices connected to the attackers' C2 server had been neutralized, and their resources are accordingly no longer abused for fraudulent monetary gain.
Retadup Is Written in Either AutoIt or Auto-Hotkey
Many different variants of the Retadup worm exist; however, they all have similar functionality and differ only in the way that functionality is implemented. The core of the worm can be written in either AutoIt or Auto-Hotkey, yet in both cases it consists of two files: the clean scripting-language interpreter and the malicious script itself. In Retadup variants whose core is written in AutoIt, the script is first compiled and then distributed, whereas in Auto-Hotkey variants the script is distributed as source code. The core of most Retadup variants follows the same workflow. The first thing it does is check whether another instance of the worm is already running on the target machine. If that is the case, Retadup exits silently, leaving only one instance of the malware on the device at any time. The worm also has the ability to check whether it is being analyzed, and it exits in such cases as well. Then the worm achieves persistence and tries to spread to other connected devices, before entering an infinite loop in which it regularly sends command requests to the Command-and-Control server and executes any received commands. In the meantime, Retadup keeps attempting to spread itself and to restore its persistence.
The list of commands that Retadup receives and executes is rather short as the malware authors probably wanted to keep it simple:
- Command "Update" replaces an old variant of Retadup with a newer one
- Command "Download" downloads and runs an additional payload
- Command "Sleep" causes the worm to freeze for a specified period of time
- Command "Updateself" makes the malware mutate itself polymorphically
All Retadup variants perform some anti-analysis checks, though they differ in their specific implementation. Almost all samples first check the file system path from which they are running, and the malicious script does not execute if either the interpreter path or the script path is not as expected. Most of the analyzed Retadup samples also have some means to delay their execution, by performing either a series of many short sleeps or one single long sleep. Then, some variants check for running processes with names like "procmon.exe" or "vmtoolsd.exe," for directories with names like "C:\cuckoo\" or "C:\CWSandbox\," and for modules loaded in the current process with names like "SbieDll.dll" or "api_log.dll."
The Retadup malware has an impressive list of capabilities. It can:
- Collect data from the compromised host and send it to the attackers' C2 servers.
- Self-replicate to further propagate itself.
- Plant a cryptomining module, which mines for the Monero cryptocurrency.
Depending on the language in which the Retadup core is written, there are two ways in which Retadup achieves persistence: by creating a registry value under "HKCU\Software\Microsoft\Windows\CurrentVersion\Run," by creating a scheduled task, or both. The worm schedules the task through the "schtasks.exe" utility, and the task is set to execute every minute. Variants written in AutoIt tend to use hardcoded registry value names, whereas Auto-Hotkey variants use both registry values and scheduled tasks with random names.
In order to spread, Retadup iterates over all connected drives that do not have the letter "C" assigned to them and drops malicious LNK files on those drives. The worm checks all folders located in the root folder of a given drive and creates an LNK file for each folder. This newly created LNK file has the same name as the original folder (with just a short string such as "fpl.lnk" appended to it) and is meant to mimic the actual folder, thus tricking users into opening it. The malware also copies both the malicious script and the AutoIt/Auto-Hotkey interpreter to a hidden system directory located at a hardcoded path relative to the newly created LNK file. If the user executes the LNK file, the malicious script runs using the corresponding AutoIt/Auto-Hotkey interpreter. These tricks seem to be quite convincing, as many users actually perceive the LNK files as benign shortcuts to regular user files.
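The spreading pattern above is easy to recognize on a removable drive: for every real folder in the drive root there is a sibling ".lnk" whose name begins with the folder's name, plus a hidden directory holding the interpreter and script. The following Python is an added example written for this page, not code from the page or from the original researchers. It builds a constructed directory tree under a temporary directory to stand in for an infected drive (the folder names, the ".sys" hidden directory name and the placeholder file contents are all made up), then scans the root for decoy shortcuts and hidden directories. Hidden-attribute detection uses the Windows file attribute when available and falls back to dot-prefixed names elsewhere.

```python
import stat
import tempfile
from pathlib import Path

# FILE_ATTRIBUTE_HIDDEN is a Windows attribute; the numeric fallback keeps the scan
# runnable on other platforms, where only dot-prefixed names count as hidden.
HIDDEN_ATTR = getattr(stat, "FILE_ATTRIBUTE_HIDDEN", 0x2)


def is_hidden(path: Path) -> bool:
    attrs = getattr(path.stat(), "st_file_attributes", 0)
    return bool(attrs & HIDDEN_ATTR) or path.name.startswith(".")


def scan_drive_root(drive_root) -> dict:
    """Scan one drive root and return:
    decoy_links: (shortcut name, folder it imitates) for every .lnk whose name
                 starts with a sibling folder's name (the "Folder" + "fpl.lnk" trick);
    hidden_dirs: hidden directories in the root that could hold interpreter + script."""
    root = Path(drive_root)
    entries = list(root.iterdir())
    # Longest folder names first, so "Photos2019 fpl.lnk" pairs with "Photos2019", not "Photos".
    folders = sorted((p.name for p in entries if p.is_dir()), key=len, reverse=True)
    decoys = []
    for entry in entries:
        if not entry.is_file() or entry.suffix.lower() != ".lnk":
            continue
        stem = entry.name[: -len(entry.suffix)].lower()
        match = next((f for f in folders if stem.startswith(f.lower())), None)
        if match is not None:
            decoys.append((entry.name, match))
    hidden = sorted(p.name for p in entries if p.is_dir() and is_hidden(p))
    return {"decoy_links": sorted(decoys), "hidden_dirs": hidden}


def build_sample_drive() -> Path:
    """Create a constructed tree mimicking an infected removable drive: two real
    folders, one decoy .lnk per folder, a benign shortcut with no matching folder,
    an ordinary file, and a hidden directory with stand-ins for interpreter and script."""
    root = Path(tempfile.mkdtemp(prefix="retadup_demo_"))
    for folder in ("Photos", "Work"):
        (root / folder).mkdir()
        # Placeholder bytes only; not a real Shell Link file.
        (root / f"{folder}fpl.lnk").write_bytes(b"L\x00\x00\x00")
    (root / "Notes.lnk").write_bytes(b"L\x00\x00\x00")  # benign: no "Notes" folder exists
    (root / "readme.txt").write_text("regular file")
    hidden = root / ".sys"  # constructed name for the hidden drop directory
    hidden.mkdir()
    (hidden / "AutoIt3.exe").write_bytes(b"")  # stand-in for the copied interpreter
    (hidden / "pic.au3").write_text("; stand-in for the malicious script\n")
    return root


if __name__ == "__main__":
    sample = build_sample_drive()
    print(scan_drive_root(sample))
```

Running the scan on a real drive (e.g. `scan_drive_root("E:\\")`) is a quick triage step; a hit should be followed by checking the LNK target, which on an infected drive points into the hidden directory rather than at the folder it imitates.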