Hacking the hackers: cryptocurrency mining botnet dismantled
An operation by the French police, in collaboration with Avast, brought to its knees a botnet of 850,000 PCs that had been unknowingly put to work mining cryptocurrency. How? By exploiting a flaw in the command and control server.
The French law enforcement agencies, working with the security company Avast, have succeeded in taking down a botnet dedicated to cryptocurrency mining: according to the police, it was one of the largest botnets in the world, controlling almost one million computers.
The botnet was based on the Retadup malware, which, once it has infected a PC, starts covertly mining the Monero cryptocurrency using the computational resources of the victim's computer. The malware has other capabilities too, such as the ability to run malicious code on the infected machine at the direction of the command and control server.
Avast became involved in the operation after identifying a flaw in the malware's command and control server that, if properly exploited, would make it possible to remove the malware from the victims' computers in a fairly simple way.
Avast, whose registered office is in the Czech Republic, did not have the authority to act on its own, because a large part of the malware's control infrastructure was located on French territory. The security company therefore contacted the French authorities who, after obtaining authorization to proceed, carried out the operation together with Avast.
The operation was possible because Avast managed to obtain a snapshot of the command and control server, with the cooperation of the web host that hosted it. Avast worked with the utmost confidentiality, so as not to be noticed by the malware authors and risk provoking retaliation:
"The malware authors were mainly engaged in spreading a cryptocurrency miner in order to generate a very substantial passive income. But if they had realized what we were about to do, they could have spread ransomware to hundreds of thousands of computers in a final attempt to further maximize their profits," the researchers explained.
The snapshot of the command and control server in the researchers' hands allowed them to build a replica to clean up the victims' computers. "The police replaced the command and control server with the replica, which issued self-destruct commands to the Retadup malware.
In the first few seconds of the disinfection server's activity, thousands of bots connected to it to receive commands; the server responded and cleaned them of the malware by exploiting the flaw in the protocol." Avast says that this operation removed the malware from over 850,000 computers.
Jean-Dominique Nollet, head of the French police's cyber unit, said that the authors of Retadup had nonetheless managed to pocket several million euros' worth of cryptocurrency.