6 May 2019

Retefe banking trojan resurfaces with a new set of tools and techniques

After being fairly dormant for a year, the operators of the Retefe banking trojan have returned to the threat landscape with a new set of tools and tactics. In the past, Retefe campaigns have targeted the banking industry in countries such as Austria, Sweden, Switzerland, and the UK. The malware is generally delivered via zipped JavaScript as well as Microsoft Word documents, and unlike other banking trojans that rely on malicious web injects to carry out man-in-the-browser attacks, Retefe uses proxies to redirect victims to fake banking sites for credential theft.

According to Proofpoint’s researchers, the cybergang behind the trojan renewed its attacks in April 2019, concentrating its efforts on Swiss and German online banking customers. In this latest campaign Retefe’s operators have made significant changes to the malware’s operation; for example, instead of using the Tor network for its proxy redirection and command-and-control communications, the trojan uses Stunnel, an open-source application that acts as a proxy and universal TLS/SSL tunneling service.

“It is not clear why Retefe’s authors have now deprecated Tor in favor of stunnel. However, we suspect that the use of a dedicated tunnel rather than Tor makes for a more secure connection because it eliminates the possibility of snooping on the hops between Tor nodes,” the researchers noted, adding that “Tor is also a ‘noisier’ protocol and thus would be easier to detect in an enterprise environment than Stunnel, which would appear as any other outbound SSL connection.”

Aside from dropping the Tor network, Retefe’s authors have switched to new distribution mechanisms, including a legitimate shareware application called “Convert PDF to Word Plus 1.0” and the use of Smoke Loader as the intermediate downloader instead of sLoad.

Proofpoint found the app last March in a public malware repository. The researchers describe the code as a “Python script that has been packaged as an executable using PyInstaller and packed into an archive using the UPX packing engine.” According to the report, the application uses a certificate issued by DigiCert. The Python script writes two files, named convert-pdf-to-word-plus.exe and convert-pdf-to-word-plus_driver.exe, to the %TEMP% directory and executes them. The first is a legitimate installer for the “Convert PDF to Word Plus” application and is executed as a decoy, while the second is Retefe’s loader. The latter “extracts 7-Zip and Stunnel from its resources then decrypts and executes the main Retefe JavaScript code”.
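As an added illustration (not code from the article or from Proofpoint’s report), the Python sketch below shows how a defender might flag the dropper chain described above in process-creation telemetry: the two file names written to %TEMP% and a Stunnel process spawned by the loader. The event schema (pid, ppid, image) and the sample events are constructed assumptions, not real indicators.

```python
from pathlib import PureWindowsPath

# File names the article attributes to the dropper; the driver is Retefe's loader.
DROPPER_NAMES = {"convert-pdf-to-word-plus.exe", "convert-pdf-to-word-plus_driver.exe"}
DRIVER_NAME = "convert-pdf-to-word-plus_driver.exe"


def _in_temp(path: str) -> bool:
    """True if the path sits below a Windows Temp directory (e.g. %TEMP%)."""
    parts = [p.lower() for p in PureWindowsPath(path).parts]
    return "temp" in parts


def flag_retefe_chain(events):
    """Scan process-creation events (assumed schema: pid, ppid, image) and return
    human-readable findings matching the dropper behaviour described above."""
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for e in events:
        name = PureWindowsPath(e["image"]).name.lower()
        # Rule 1: either dropped executable running from %TEMP%.
        if name in DROPPER_NAMES and _in_temp(e["image"]):
            findings.append(f"pid {e['pid']}: dropper artifact {name} executed from %TEMP%")
        # Rule 2: Stunnel started by the loader, or itself unpacked into %TEMP%.
        if name.startswith("stunnel"):
            parent = by_pid.get(e["ppid"])
            parent_name = PureWindowsPath(parent["image"]).name.lower() if parent else ""
            if parent_name == DRIVER_NAME or _in_temp(e["image"]):
                findings.append(f"pid {e['pid']}: stunnel launched by "
                                f"{parent_name or 'unknown'} (tunnel proxy, not a browser)")
    return findings


# Constructed sample telemetry for demonstration; not real IOCs from the report.
SAMPLE_EVENTS = [
    {"pid": 100, "ppid": 1, "image": r"C:\Users\u\Downloads\ConvertPDFtoWordPlus.exe"},
    {"pid": 101, "ppid": 100, "image": r"C:\Users\u\AppData\Local\Temp\convert-pdf-to-word-plus.exe"},
    {"pid": 102, "ppid": 100, "image": r"C:\Users\u\AppData\Local\Temp\convert-pdf-to-word-plus_driver.exe"},
    {"pid": 103, "ppid": 102, "image": r"C:\Users\u\AppData\Local\Temp\stunnel\stunnel.exe"},
    {"pid": 200, "ppid": 1, "image": r"C:\Program Files\stunnel\bin\stunnel.exe"},  # legitimate install
]

if __name__ == "__main__":
    for line in flag_retefe_chain(SAMPLE_EVENTS):
        print(line)
```

The legitimately installed Stunnel in the last sample event produces no finding, which is the distinction a real rule needs, since Stunnel itself is a benign tool.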

The researchers said that the Retefe campaigns targeting Microsoft Windows lasted until December 2018, but the attacks on macOS hosts continued into 2019. The macOS campaigns used developer-signed versions of fake Adobe installers in an attempt to bypass macOS’s built-in Gatekeeper security feature and deliver payloads, according to Proofpoint. The full list of Indicators of Compromise (IOCs) is available in the company’s blog post.
