Acalvio Threat Research Lab
Retadup worm has been in the news recently. It was first observered infecting Israeli Hospitals  and recently it was observered active in South America mining for Crypto Currency. The details of the worm have been published by Trend Labs. This blog will share the spreading technique used by the worm (For comparison see our analysis of the Petya malware propagation techniques).
Retadup’s wormlike behavior consists of copying itself to the drives as malicious .LNK files, named as normal looking shortcuts like “Games.lnk”, “Downloads.lnk”. As shown in figure 2.0, it makes use of the AutoIt function “DriveGetDrive”. The function “DriveGetDrive” enumerates all the letter drives of specified drive type and returns an array of available drives.
Retadup enumerates the array and copies its script folder, which consists of the interpreter (usually named WinddowsUpdate.exe) and the malicious script file (e.g. WinddowsUpdate.zip), to the destination along with several malicious link files which execute the au3 interpreter with command line like:
“cmd.exe /c start ..<ScriptDir>\<InterpreterBinary>.exe..<ScriptDir>\<MaliciousScript>.zip & exit”
Once the file gets copied, spreading requires user interaction on the destination host since the link file has to be manually executed to start execution on another host.
This spreading technique will be detected by distributed deception architecture. Deception centric architecture involves having honey drives at the endpoint which will get returned to the function call DriveGetDrive. When the malicious files gets copied to the honey drives for the engagement of the threat, it will raise an alert for the possibility of a compromise. Malicious activity of the Retadup worm like extracting passwords, installing keylogger will classify the file as malicious in the engagement platform and the infected endpoint can be isolated from the network. The IoC which is generated from the engagement will be used for quarantining the infected machines.