French police have neutralized a massive cryptocurrency mining botnet controlling around 850,000 computers. The Retadup malware was used to hijack computers in a process known as cryptojacking: the malware steals processing power from the infected computer and uses it to mine cryptocurrency.
In this case, the malware was used to generate money with crypto mining, but the hackers could have executed other code like spyware or ransomware. The malware also included a self-replicating viral component allowing it to spread to new computers without direct involvement from the hackers.
Cryptocurrency mining malware, and cryptojacking in general, has become more common recently. The Capital One hacker, not related to this case, was recently indicted on charges that included cryptojacking.
In a blog post announcing the bust, security firm Avast confirmed the successful operation. Avast discovered a design flaw in the malware’s command and control server which, once exploited, “allowed us to remove the malware from its victims’ computers” without placing any new code on the computers of victims.
Because the researchers lacked legal authority to execute this counter-hack and rescue, Avast contacted French authorities as most of the malware’s infrastructure was located in France. The French police then carried on with the operation based on Avast’s information and, with the cooperation of the web host, they secretly obtained a snapshot of the malware’s command and control server.
In the Avast blog post discussing this operation, the researchers mention they took great care not to be noticed by the malware operators: “The malware authors were mostly distributing cryptocurrency miners, making for a very good passive income[…] But if they realized that we were about to take down Retadup in its entirety, they might’ve pushed ransomware to hundreds of thousands of computers while trying to milk their malware for some last profits.”
Using a copy of the malware’s control server, the team successfully built a replica that disinfected victim computers. The French authorities then used a version of this copied server to replace the malicious command and control server.
Avast went on to explain the immediate efficacy of this operation in that same blog post stating, “In the very first second of its activity, several thousand bots connected to it in order to fetch commands from the server. The disinfection server responded to them and disinfected them, abusing the protocol design flaw.” This action stopped all the malware from operating and removed malicious code from over 850,000 infected computers.
According to Jean-Dominique Nollet, head of the French police’s cyber unit, the malware operators had generated several million euros in cryptocurrency before this operation was carried out.