<img height="1" width="1" style="display:none" src="https://www.facebook.com/tr?id=725552337608854&amp;ev=PageView&amp;noscript=1">

Spreading Technique used by Retadup Worm.

Posted by Abhishek Singh on Oct 2, 2017 8:42:45 PM

Find me on:

Acalvio Threat Research Lab

Retadup worm has been in the news recently. It was first observered infecting Israeli Hospitals [1] and recently it was observered active in South America mining for Crypto Currency[2]. The details of the worm have been published by Trend Labs[1][2].  This blog will share the spreading technique used by the worm (For comparison see our analysis of the Petya malware propagation techniques).

Retadup's wormlike behavior consists of copying itself to the drives as malicious .LNK files, named as normal looking shortcuts like "Games.lnk", "Downloads.lnk". As shown in figure 2.0, it makes use of the AutoIt function “DriveGetDrive”.  As shown in figure 1.0 the function "DriveGetDrive" enumerates all the letter drives of specified drive type and returns an array of available drives.

snip_20171002091747.png

Figure 1.0 Showing the value returned by the DriveGetDrive function. 

Retadup enumerates the array and copies its script folder, which consists of the interpreter (usually named WinddowsUpdate.exe) and the malicious script file (e.g. WinddowsUpdate.zip), to the destination along with several malicious link files which execute the au3 interpreter with command line like:

"cmd.exe /c start ..<ScriptDir>\<InterpreterBinary>.exe..<ScriptDir>\<MaliciousScript>.zip & exit"

snip_20170926115108.png

Figure 2.0  Spreading code of Retadup worm 

Once the file gets copied, spreading requires user interaction on the destination host since the link file has to be manually executed to start execution on another host.

      This spreading technique will be detected by distributed deception architecture. Deception centric architecture involves having honey drives at the endpoint which will get returned to the function call DriveGetDrive. When the malicious files gets copied to the  honey drives for the engagement of the threat,  it will raise an alert for the possibility of a compromise. Malicious activity of the Retadup worm like extracting passwords, installing keylogger will classify the file as malicious in the engagement platform and the infected endpoint can be isolated from the network. The IoC which is generated from the engagement will be used for quarantining the infected machines.

The material discussed above further establishes the potential of distributed deception solutionsand their efficacy for Advanced Threat Detection.

 References:

[1] Information Stealer Found Hitting Israeli Hospital,  http://blog.trendmicro.com/trendlabs-security-intelligence/information-stealer-found-hitting-israeli-hospitals/

[2] New Retadup Variants Hits South America, Turn to Cryptocurrenty mining http://blog.trendmicro.com/trendlabs-security-intelligence/new-retadup-variants-hit-south-america-turn-cryptocurrency-mining/ 

Topics: deception, worm, distributed deception, crypto

Subscribe to Email Updates




Download Deception 2.0 for Dummies eBook