French police on Sunday dismantled a massive cryptocurrency-mining botnet that had infected more than a million computers. The malware infects a computer and enlists it in a network that mines cryptocurrency using the processing power of each infected machine.
The Retadup malware then generates money for its operators by running malicious code on the victim. It is wormable, meaning it can spread from PC to PC on its own. Infections have been reported in a range of countries and regions, including the US, Russia, and Central and South America.
Security firm Avast announced the takedown on its blog.
"We shared our threat intelligence on Retadup with the Cybercrime Fighting Center (C3N) of the French National Gendarmerie and proposed a technique to disinfect Retadup's victims. In accordance with our recommendations, C3N dismantled a malicious command and control (C&C) server and replaced it with a disinfection server. The disinfection server responded to incoming bot requests with a specific response that caused connected pieces of the malware to self-destruct. At the time of publishing this article, the collaboration has neutralized over 850,000 unique infections of Retadup."
The operation worked by secretly obtaining a snapshot of the malware's command and control (C&C) server with the cooperation of its web host. The whole project had to be carried out without the malware operators noticing, for fear that they would retaliate. The police then used the replacement server to push a self-destruct instruction to the malware, taking down the whole chain of infections.
While the police and the Avast researchers have dismantled the network, most of whose infrastructure was located in France, they lacked the legal authority to act against infrastructure in other locations around the world. They say the operators generated millions of dollars' worth of cryptocurrency.
The French police call it the largest network of hijacked computers they have dismantled to date.
The operation is a notable achievement, as takedowns of this kind rarely happen, and taking down an entire botnet is rarer still. It remains to be seen whether France can cooperate with other countries to bring the whole network down.
Such operations are generally engineered to make money illegally, but some involve mala fide actors whose intentions go beyond profit. One such example is the Joanap botnet, which was linked to the North Korean regime.