6 May 2019

Retefe banking trojan resurfaces with a new set of tools and techniques


After being fairly dormant for a year, the operators of the Retefe banking trojan have returned to the threat landscape with a new set of tools and tactics. In the past, Retefe campaigns have targeted the banking industry in countries such as Austria, Sweden, Switzerland, and the UK. The malware is generally delivered as zipped JavaScript or as Microsoft Word documents, and unlike other banking trojans that rely on malicious web injects to execute man-in-the-browser attacks, Retefe uses proxies to redirect victims to fake banking sites for credential theft.

According to Proofpoint's researchers, the cybergang behind the trojan renewed its attacks in April 2019, concentrating its efforts on Swiss and German online banking customers. In this latest campaign Retefe's operators have made significant changes to the malware's operations. For example, instead of using the Tor network for its proxy redirection and command-and-control communications, the trojan now uses Stunnel, an open-source application that acts as a proxy and universal TLS/SSL tunneling service.

“It is not clear why Retefe’s authors have now deprecated Tor in favor of stunnel. However, we suspect that the use of a dedicated tunnel rather than Tor makes for a more secure connection because it eliminates the possibility of snooping on the hops between Tor nodes,” the researchers noted, adding that “Tor is also a “noisier” protocol and thus would be easier to detect in an enterprise environment than Stunnel, which would appear as any other outbound SSL connection.”

Aside from dropping the Tor network, Retefe's authors have switched to new distribution mechanisms, including a legitimate shareware application called "Convert PDF to Word Plus 1.0" and the use of Smoke Loader as the intermediate downloader instead of sLoad.

Proofpoint found the app last March in a public malware repository. The researchers describe the code as a "Python script that has been packaged as an executable using PyInstaller and packed into an archive using the UPX packing engine." According to the report, the application uses a certificate issued by DigiCert. The Python script writes two files, named convert-pdf-to-word-plus.exe and convert-pdf-to-word-plus_driver.exe, to the %TEMP% directory and executes them. The first is a legitimate installer for the "Convert PDF to Word Plus" application and is executed as a decoy, while the second is Retefe's loader. The latter "extracts 7-Zip and Stunnel from its resources then decrypts and executes the main Retefe JavaScript code".
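The loader behaviour described above (a signed parent process launching the decoy installer and the driver from %TEMP%, the driver then spawning Stunnel) is something a defender can hunt for in endpoint process-creation telemetry. The following is an added example, not code from the article or from Proofpoint's report: it runs a simple parent/child correlation over constructed sample events in a hypothetical, simplified Sysmon-like schema, and assumes the extracted Stunnel binary keeps a filename starting with "stunnel" (an assumption, not stated in the report).

```python
# Added detection example (not from the article or Proofpoint's report).
# Flags a parent process that launched BOTH the decoy installer and the
# Retefe loader from a Temp directory, and reports whether the loader
# went on to spawn a Stunnel process. Schema and sample data are constructed.
import ntpath
from collections import defaultdict

DECOY = "convert-pdf-to-word-plus.exe"          # decoy installer (from the report)
LOADER = "convert-pdf-to-word-plus_driver.exe"  # Retefe loader (from the report)

# Constructed sample process-creation events: (pid, parent_pid, image_path).
# Paths and the "stunnel.exe" name are illustrative assumptions.
SAMPLE_EVENTS = [
    (100, 1, r"C:\Users\alice\Downloads\ConvertPDFtoWordPlus_setup.exe"),
    (101, 100, r"C:\Users\alice\AppData\Local\Temp\convert-pdf-to-word-plus.exe"),
    (102, 100, r"C:\Users\alice\AppData\Local\Temp\convert-pdf-to-word-plus_driver.exe"),
    (103, 102, r"C:\Users\alice\AppData\Local\Temp\stunnel.exe"),
    (200, 1, r"C:\Program Files\Notepad++\notepad++.exe"),  # benign noise
]

def in_temp(path):
    """True when the image path contains a Temp directory component."""
    return "temp" in [part.lower() for part in path.split("\\")]

def find_retefe_like_chains(events):
    """Return one hit per parent PID that launched both DECOY and LOADER
    from Temp; each hit records whether the loader spawned stunnel."""
    children = defaultdict(list)   # parent_pid -> [child pids]
    image = {}                     # pid -> image path
    for pid, ppid, path in events:
        children[ppid].append(pid)
        image[pid] = path
    hits = []
    for ppid, kids in children.items():
        names = {ntpath.basename(image[k]).lower() for k in kids if in_temp(image[k])}
        if DECOY in names and LOADER in names:
            loader_pid = next(k for k in kids
                              if ntpath.basename(image[k]).lower() == LOADER)
            # .get() avoids inserting new keys into the defaultdict mid-iteration
            spawned_stunnel = any(
                ntpath.basename(image[c]).lower().startswith("stunnel")
                for c in children.get(loader_pid, []))
            hits.append({"parent_pid": ppid, "loader_pid": loader_pid,
                         "stunnel_spawned": spawned_stunnel})
    return hits

if __name__ == "__main__":
    for hit in find_retefe_like_chains(SAMPLE_EVENTS):
        print("Retefe-like loader chain:", hit)
```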

The researchers said that the Retefe campaigns targeting Microsoft Windows lasted until December 2018, but the attacks on macOS hosts have continued into 2019. According to Proofpoint, the macOS campaigns used developer-signed versions of fake Adobe installers in an attempt to bypass Gatekeeper, the built-in macOS security mechanism, and deliver their payloads. The full list of Indicators of Compromise (IOCs) is available in the company's blog post.
