RETADUP malware was identified recently in Israeli hospitals. While RETADUP was found in Israeli hospitals, a new variant was targeting specific industries and governments in South America. The new RETADUP variant has features that would be useful for cybercrime instead of espionage. One would think that this would result in widespread use, but instead it has only been found in limited areas. It has frequently been used to spread cryptocurrency mining malware, perhaps indicating an evolution towards direct monetization. Some aspects of RETADUP’s behavior are not yet clear.
One incident revealed an unusual characteristic compared to others launched by the same campaign. In that particular case, in addition to RETADUP, the threat actor dropped an older version (1.25) of BrowsingHistoryView (detected as HKTL_BrowHistoryView). This tool collects the browsing history from multiple browsers, gathering data on visited websites as well as network shares accessed via the supported browsers.
Profiting from cryptocurrency mining
Systems infected with RETADUP also frequently contained various tools used to mine cryptocurrencies, which were dropped by the threat actor. These tools use available computing power (from both the CPU and the GPU) to “mine” different cryptocurrencies, allowing the threat actor to monetize the infected machines. The collective computing power of many infected machines allows for significant profits to be made.
In the past, RETADUP most commonly used the cpuminer-multi open-source miner. Newer versions have included mining code directly. In both cases, the code was used to generate Monero (XMR) digital currency. By tracking one unique identifier associated with the user “earning” the cryptocurrency.
Evolution of RETADUP
The RETADUP malware family is based on code from other malware families: IPPEDDO and ROWMANTI, also named “rad worm” by its developers. The newly encountered variant has several new behaviors.
Firstly, RETADUP has now been split into an infector component and a remote access Trojan (RAT) component. Secondly, the malware now uses HTTP GET requests to send and receive information from its command and control (C&C) servers. Finally, several features related to information theft have been removed.
A wide variety of files are dropped onto the affected system. RETADUP (split into its two components), the AutoIt engine, miners, and various libraries are all dropped under the main system drive’s root directory with this organization.
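Two of the behaviors above are cheap to hunt for in endpoint telemetry: components executing directly from the system drive's root directory, and command lines that launch a Monero miner. The script below is an added example, not code from the original post or from Trend Micro; the log format, host names, paths and the wallet placeholder are all constructed for illustration.

```python
"""Hunt for RETADUP-style indicators in process-creation logs (added example)."""
import re
from pathlib import PureWindowsPath
from typing import Dict, List

# Constructed sample telemetry: "<timestamp>|<host>|<image path>|<command line>".
# Paths, hosts and the wallet placeholder are assumptions, not published indicators.
SAMPLE_LOG = """\
2017-09-12T08:01:02|WS-01|C:\\Windows\\System32\\svchost.exe|svchost.exe -k netsvcs
2017-09-12T08:01:09|WS-01|C:\\AutoIt3.exe|AutoIt3.exe C:\\task.a3x
2017-09-12T08:01:15|WS-01|C:\\Users\\bob\\AppData\\Local\\Temp\\cpuminer-multi.exe|cpuminer-multi.exe -a cryptonight -o stratum+tcp://pool.example:3333 -u WALLET_PLACEHOLDER
2017-09-12T08:02:00|WS-02|C:\\Program Files\\Mozilla Firefox\\firefox.exe|firefox.exe
"""

# Heuristics drawn from the post: the AutoIt engine, miners and libraries are dropped
# in the system drive's root, and mining used cpuminer-multi to produce Monero (XMR).
MINER_PATTERN = re.compile(r"cpuminer-multi|stratum\+tcp://|cryptonight|\bxmr\b", re.I)


def in_drive_root(image: str) -> bool:
    """True when the executable sits directly under a drive root, e.g. C:\\x.exe."""
    p = PureWindowsPath(image)
    return p.drive != "" and p.parent == PureWindowsPath(p.anchor)


def scan_log(text: str) -> List[Dict]:
    """Return one finding per suspicious process-creation line."""
    findings = []
    for line in text.splitlines():
        _ts, host, image, cmdline = line.split("|", 3)
        reasons = []
        if in_drive_root(image):
            reasons.append("executable in system drive root")
        if MINER_PATTERN.search(image) or MINER_PATTERN.search(cmdline):
            reasons.append("cryptominer indicator")
        if reasons:
            findings.append({"host": host, "image": image, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f["host"], f["image"], "; ".join(f["reasons"]))
```

A hit on the root-directory rule alone is noisy on some fleets; combine it with the miner rule or with the HTTP GET beaconing described above before escalating.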
Hi! I am a robot. I just upvoted you! I found similar content that readers might be interested in:
http://blog.trendmicro.com/trendlabs-security-intelligence/new-retadup-variants-hit-south-america-turn-cryptocurrency-mining/