By Lenart Bermejo, Kenney Lu, and Cedric Pernet
Several months ago, we discovered and exposed RETADUP malware in Israeli hospitals. We also learned that an Android malware known as “GhostCtrl” was stored in their infrastructure, which might be used for cyberespionage or cybercrime.
Since then, we’ve encountered more samples in the wild. While RETADUP was found in Israeli hospitals, a new variant was targeting specific industries and governments in South America. We believe the use of the Retadup malware family is limited to a very small set of threat actors. We found no evidence of it being sold or distributed via underground marketplaces or forums.
This new RETADUP variant has features that would be useful for cybercrime instead of espionage. One would think that this would result in widespread use, but instead it has only been found in limited areas. It has frequently been used to spread cryptocurrency mining malware, perhaps indicating an evolution towards direct monetization.
Hitting South America
RETADUP first hit South America in May 2017, and attacks are still ongoing. Based on product feedback, it currently affects organizations located in Argentina, Bolivia, Colombia, Ecuador, and Peru. Affected users in Peru accounted for 75% of all potential victims in South America based on unique IP addresses.
Figure 1. Distribution of victims in South America
Our information indicates that the victims are concentrated in several sectors: aside from governments, energy and mining companies are particularly affected.
Some aspects of RETADUP’s behavior are not yet clear. We have found no evidence of what its initial infection vector is. We also raised the question with several individuals involved in responding to RETADUP incidents. We believe that it may use spear phishing or downloader malware, however. Data exfiltration has not been found either.
One incident revealed an unusual characteristic, compared to others launched by the same campaign. In that particular case, in addition to RETADUP, the threat actor dropped an older version (1.25) of BrowsingHistoryView (detected as HKTL_BrowHistoryView.) was dropped by the threat actor. This particular tool allows the browsing history to be collected from multiple browsers, gathering data on visited websites as well as network shares via the supported browsers.
Profiting from cryptocurrency mining
Systems infected with RETADUP also frequently contained various tools used to mine cryptocurrencies, which were dropped by the threat actor. These tools use available computing power (both from the CPU and the GPU) to “mine” different cryptocurrencies. These allow the threat actor to monetize the infected machines. The collective computing power of many (infected) machines allows for significant profits to be made.
In the past, RETADUP most commonly used the cpuminer-multi opensource miner. Newer versions have included mining code directly. In both cases, the code was used to generate Monero (XMR) digital currency. By tracking one unique identifier associated with the user “earning” the cryptocurrency (i.e., the threat actor), we were able to establish that profits from the mining totaled 314.34 XMR since June 18, amounting to almost US$36,000 – at current exchange rates.
Examining the available mining power is informative. Based on information from the Minexmr.com website, at night the hash rate (a measure of computing power) is relatively low (approximately 50 kh/s). This is attributable only to computers that are online 24/7. During working hours, this increases as people turn their computers on. Later in the day, as more systems are turned off, the hash rate falls.
Figure 2. Hash rate
Note that the threat actor may have more miners and identifiers in use , and his actual profits are likely higher than our estimates indicate.
Evolution of RETADUP
As discussed before, the RETADUP malware family is based on code from other malware families: IPPEDDO and ROWMANTI, also named “rad worm” by its developers. The newly encountered variant has several new behaviors.
Firstly, RETADUP has now been split into an infector component and a remote access Trojan (RAT) component. Secondly, the malware now uses HTTP GET requests to send and receive information from its command and control (C&C) servers. Finally, several features related to information theft have been removed.
Multiple files dropped
A wide variety of files are dropped onto the affected system. RETADUP (as split into two components), the Auto-IT engine, miners, and various libraries are all dropped under the main system drive’s root directory with this organization:
Figure 3. Organization of dropped files
Some of these components are worth discussing in detail.
Infector component (WORM_RETADUP.D)
The infector component of RETADUP is dropped as a file named cpuspeed.tnt. When it runs, it first checks the filenames of the AutoIt engine (which was installed by the malware earlier) and itself. If the file names do not match the default names, the malware will terminate itself.
It then creates the persistence mechanism for the remote access Trojan (RAT), by registering it in the Windows registry:
CpuOptimizer = C:\newcpuspeed\Cpufix.exe C:\newcpuspeed\cpuage.tnt
It then disables the ShowSuperHidden flag from the registry. This makes protected system files, including the RETADUP directories, hidden from users. It then spreads to other drives by copying the following files to other drives:
- <drive letter>:\newcpuspeedcheck\cpuage.tnt
- <drive letter>:\newcpuspeedcheck\cpufix.exe
- <drive letter>:\newcpuspeedcheck\cpuspeed.tnt
- <drive letter>:\newcpuspeedcheck\workers\rad\cpuchecker.exe
- <drive letter>:\newcpuspeedcheck\workers\rad\cpuchecker32.exe
- <drive letter>:\newcpuspeedcheck\workers\rad\msvcr120_64.dll
- <drive letter>:\newcpuspeedcheck\workers\rad\msvcr120_86.dll
- <drive letter>:\newcpuspeedcheck\workers\rad\x32.bin
- <drive letter>:\newcpuspeedcheck\workers\rad\x64.bin
For removable drives, the following files are copied in addition to the above files:
- <drive letter>:\Downloads.lnk
- <drive letter>:\<folder>\<folder> Copy.lnk
This division of the infector and RAT components is new for RETADUP. We believe this was done to add complexity and flexibility in the malware. For example, this could allow the threat actors to drop and execute some other malware instead of the RETADUP RAT component.
RAT component (TROJ_RETADUP.A)
The cpuage.tnt file dropped by the infector is RETADUP’s RAT component. As in previous versions, it contains various routines meant to detect if it is run on a virtual machine (VM). This time, though, if that happens it merely shows a message titled “Something went Wrong”.
How does RETADUP determine if it is being executed on a VM? It first checks if certain processes are running:
Figure 4. Code checking for running processes
It also checks for some SystemInfo strings:
Figure 5. Code checking for SystemInfo strings
It also checks for some system modules:
Figure 6. Code checking for system modules
Checks are performed for certain combinations of running processes, the presence of several folders, and whether the RAT itself is located in some folders:
Figure 7. Code checking for various properties
It also checks if its own filename has more than six numbers at its start, or if it’ longer than 35 characters.
All of these conditions are associated either with VMs, or with various analysis tools used by security researchers. If any of the above conditions are met, the malware terminates itself.
Once the RAT is running, the following commands are available:
The network communications have also changed. This RETADUP variant now uses HTTP GET requests:
Figure 8. HTTP request
The HTTP GET request format, once decoded, is:
- GET /0409-WIN_7-7601-X64-2355838296/1/1/0/0/empty
This request can be described as:
- <OS language>-<OS version>-<OS build>-<processor architecture>-<homedrive serial>/<hardcoded flag 1>/<number of processors>/<worm window name (cpuspeed‘s window title is checked) flag>/<miner process flag>/<content of “\worker\” directory>
The reply from the (C&C) server is decoded using BinaryToString and would look like:
The format of these replies would be:
- ok||||<command start><command parameter/argument/value to use><command end>
The RAT’s reply to the C&C server after completion of the command would be either of the two:
- MSG:!:<Message + command-related information>
- MSG:!:<error message>
The URLs of several C&C servers are included, namely:
RETADUP can also use the result of a domain generation algorithm (DGA) for these URLs:
- hxxp://<DGA output>.mdwnte.com:8090
- hxxp://<DGA output>.newblackage.com:8090
- hxxp://<DGA output>.publicvm.com:8090
As we noted earlier, several information theft capabilities have been removed from this RETADUP variant. The list of removed features include:
- Screen capture
- Password stealing capabilities
All in all, this new variant of Retadup feels like a “light” version of the previous one, in which a huge effort has been put on cryptocurrency mining rather than espionage/data theft capabilities.
Conclusions – The Ongoing RETADUP Mystery
RETADUP continues to be a mystery. It was previously found in Israeli hospitals, and it’s a big jump (figuratively and literally) to go from there to hitting South American energy firms. The number of possible threat actors that have access to RETADUP is presumably very limited, as we have not seen it offered in the cybercrime underground. It’s probably limited to either very few trusted parties, or maybe even only the developers themselves.
There are a lot of questions left unanswered. The initial vector of compromise is not yet known. The goals of the threat actors are not yet clear, and their behavior is contradictory. Cryptocurrency mining suggest a profit motive typical of cybercrime, but the selected targets are more indicative of a cyberespionage operation.
Trend Micro will keep monitoring this threat and will more information to light as it becomes available.
Indicators of Compromise
The following hashes are associated with various aspects of RETADUP attacks:
- 774fe3d892d88a26d56227c4f47e04620505c22cfdfa64667f92479b0ede4397 detected as WORM_RETADUP.D
- 8cc79b28037126951090534ec862539295704e820193a2b3de3ffe3e3d157353 detected as WORM_RETADUP.A
- 940bef003d57e3ef78fb7dd9ed0bb528611164dd663db80aa6d875a8b8688ef4 detected as WORM_RETADUP.A
- a94ce5e29aebf8bd73fdfb48ccae845e6c0817f0412096830ab638c2238f60a8 detected as WORM_RETADUP.B
- ad2646755ea2d8c312d9635a452e2180299241f2b7f172bfa071f611b6461bac detected as WORM_RETADUP.A
- adaffcb21f17057830ce8c60d1e852fe82035c153d6125aaed75a8b1d03e7518 detected as WORM_RETADUP.A
- c69811d8574fcc59e37fe2cbf0a31be4956ab81c3279bfb1351ff6da3417b4a7 detected as WORM_RETADUP.A
RETADUP Shortcut Files (all detected as LNK_RETADUP.A)