6 May 2019

Retefe banking trojan resurfaces with a new set of tools and techniques


After being fairly dormant for a year, the operators of the Retefe banking trojan have returned to the threat landscape with a new set of tools and tactics. In the past, Retefe campaigns have targeted the banking industry in countries such as Austria, Sweden, Switzerland, and the UK. The malware is generally delivered via zipped JavaScript or Microsoft Word documents, and unlike other banking trojans that rely on malicious web injects to carry out man-in-the-browser attacks, Retefe uses proxies to redirect victims to fake banking sites for credential theft.

According to Proofpoint researchers, the cybergang behind the trojan renewed its attacks in April 2019, concentrating on Swiss and German online banking customers. In this latest campaign Retefe’s operators have made significant changes to how the malware operates: instead of using the Tor network for its proxy redirection and command-and-control communications, the trojan now uses Stunnel, an open-source application that acts as a proxy and universal TLS/SSL tunneling service.

“It is not clear why Retefe’s authors have now deprecated Tor in favor of stunnel. However, we suspect that the use of a dedicated tunnel rather than Tor makes for a more secure connection because it eliminates the possibility of snooping on the hops between Tor nodes,” the researchers noted, adding that “Tor is also a ‘noisier’ protocol and thus would be easier to detect in an enterprise environment than Stunnel, which would appear as any other outbound SSL connection.”

Aside from dropping the Tor network, Retefe’s authors have switched to new distribution mechanisms, including a legitimate shareware application called “Convert PDF to Word Plus 1.0”, and now use Smoke Loader as the intermediate downloader instead of sLoad.

Proofpoint found the app last March in a public malware repository. The researchers describe the code as a “Python script that has been packaged as an executable using PyInstaller and packed into an archive using the UPX packing engine.” According to the report, the application uses a certificate issued by DigiCert. The Python script writes two files, convert-pdf-to-word-plus.exe and convert-pdf-to-word-plus_driver.exe, to the %TEMP% directory and executes them. The first is a legitimate installer for the “Convert PDF to Word Plus” application and is run as a decoy, while the second is Retefe’s loader. The latter “extracts 7-Zip and Stunnel from its resources then decrypts and executes the main Retefe JavaScript code”.
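The delivery chain above gives a defender a few concrete things to look for in endpoint telemetry: the two file names the dropper writes to %TEMP%, and a tunneling binary (Stunnel) being launched from a temporary directory or by the loader. The script below is an added example written for this article, not Proofpoint’s detection logic or any part of the malware; it assumes Sysmon-style process-creation events exported as one JSON object per line with `Image` and `ParentImage` fields, and the sample events are constructed for illustration (the Stunnel path under %TEMP% is an assumption, since the report only says the loader extracts it from its resources).

```python
"""Flag process-creation events that match the Retefe delivery chain described
in the article. Field names (Image, ParentImage) follow Sysmon event 1; the
log lines are constructed for this example."""
import json
import ntpath
import re
from typing import Dict, Iterable, List, Tuple

# File names the article says the Python dropper writes to %TEMP%.
DROPPED_NAMES = {"convert-pdf-to-word-plus.exe", "convert-pdf-to-word-plus_driver.exe"}
# Tunnelling tool the article says the loader extracts from its resources.
TUNNEL_NAMES = {"stunnel.exe"}

# %TEMP% on Windows normally resolves to AppData\Local\Temp or Windows\Temp.
TEMP_DIR_RE = re.compile(r"\\(appdata\\local\\temp|windows\\temp)\\", re.IGNORECASE)


def in_temp_dir(path: str) -> bool:
    """True when a Windows path sits under a standard %TEMP% location."""
    return bool(TEMP_DIR_RE.search(path))


def classify(event: Dict[str, str]) -> List[str]:
    """Return the reasons an event is suspicious; an empty list means benign."""
    image_path = event.get("Image", "")
    image = ntpath.basename(image_path).lower()
    parent = ntpath.basename(event.get("ParentImage", "")).lower()
    reasons: List[str] = []
    if image in DROPPED_NAMES and in_temp_dir(image_path):
        reasons.append("dropper artefact named in the report executed from %TEMP%")
    if image in TUNNEL_NAMES and in_temp_dir(image_path):
        # Assumption: a packaged Stunnel runs from %TEMP%; an installed copy lives elsewhere.
        reasons.append("Stunnel launched from %TEMP%")
    if image in TUNNEL_NAMES and parent in DROPPED_NAMES:
        reasons.append("Stunnel spawned by the Retefe loader process")
    return reasons


def scan(lines: Iterable[str]) -> List[Tuple[str, List[str]]]:
    """Parse JSON event lines and collect (image path, reasons) for flagged events."""
    findings = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip malformed telemetry rather than abort the scan
        reasons = classify(event)
        if reasons:
            findings.append((event.get("Image", ""), reasons))
    return findings


# Constructed sample telemetry: one benign install, the two dropped files, the
# loader starting Stunnel, and a legitimately installed Stunnel service.
SAMPLE_LOG = r"""
{"Image": "C:\\Program Files\\Convert PDF to Word Plus\\cpw.exe", "ParentImage": "C:\\Windows\\explorer.exe"}
{"Image": "C:\\Users\\alice\\AppData\\Local\\Temp\\convert-pdf-to-word-plus.exe", "ParentImage": "C:\\Users\\alice\\Downloads\\ConvertPDFtoWordPlus.exe"}
{"Image": "C:\\Users\\alice\\AppData\\Local\\Temp\\convert-pdf-to-word-plus_driver.exe", "ParentImage": "C:\\Users\\alice\\Downloads\\ConvertPDFtoWordPlus.exe"}
{"Image": "C:\\Users\\alice\\AppData\\Local\\Temp\\stunnel\\stunnel.exe", "ParentImage": "C:\\Users\\alice\\AppData\\Local\\Temp\\convert-pdf-to-word-plus_driver.exe"}
{"Image": "C:\\Program Files (x86)\\stunnel\\bin\\stunnel.exe", "ParentImage": "C:\\Windows\\System32\\services.exe"}
"""

if __name__ == "__main__":
    for image_path, reasons in scan(SAMPLE_LOG.splitlines()):
        print(image_path)
        for reason in reasons:
            print("  -", reason)
```

The third rule (Stunnel with a loader parent) is the strongest signal because it ties the tunnel to the dropper regardless of where the binary was extracted; the path-based rules are cheaper but will also fire on users who run a portable Stunnel from a temp folder, so they are better treated as triage hints than as alerts on their own.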

The researchers said that the Retefe campaigns targeting Microsoft Windows lasted until December 2018, while the attacks on macOS hosts have continued into 2019. According to Proofpoint, the macOS campaigns used developer-signed versions of fake Adobe installers in an attempt to bypass the built-in macOS Gatekeeper security check and deliver their payloads. The full list of Indicators of Compromise (IOCs) is available in the company’s blog post.
