According to Proofpoint’s researchers, the cybergang behind the trojan renewed its attacks in April 2019, concentrating its efforts on Swiss and German online banking customers. In this latest campaign Retefe’s operators have made significant changes to the malware’s operations. For example, instead of using the Tor network for its proxy redirection and command-and-control communications, the trojan now uses Stunnel, an open-source application that acts as a proxy and universal TLS/SSL tunneling service.
“It is not clear why Retefe’s authors have now deprecated Tor in favor of stunnel. However, we suspect that the use of a dedicated tunnel rather than Tor makes for a more secure connection because it eliminates the possibility of snooping on the hops between Tor nodes,” the researchers noted, adding that “Tor is also a ‘noisier’ protocol and thus would be easier to detect in an enterprise environment than Stunnel, which would appear as any other outbound SSL connection.”
Aside from dropping the Tor network, Retefe’s authors have switched to new distribution mechanisms, including a legitimate shareware application called “Convert PDF to Word Plus 1.0” and the use of Smoke Loader as the intermediate downloader instead of sLoad.
The researchers said that the Retefe campaigns targeting Microsoft Windows lasted until December 2018, while the attacks on macOS hosts have continued into 2019. According to Proofpoint, the macOS campaigns used developer-signed versions of fake Adobe installers in an attempt to bypass macOS’s built-in Gatekeeper security feature and deliver their payloads. The full list of Indicators of Compromise (IOCs) is available in the company’s blog post.