Retefe banking trojan: A sneak peek into the banking trojan’s attack campaigns

• The Retefe banking trojan has impacted several major browsers including Google Chrome, Internet Explorer, and Mozilla Firefox.
• The trojan has targeted several UK and Swiss banks including NatWest, Barclays, HSBC, Santander, UlsterBank, Sainsbury's Bank, Tesco Bank, UBS, Zuger Kantonalbank, and Banque Piguet Galland, among others.

Retefe is a banking trojan that is primarily distributed via phishing emails. The banking trojan uses fake root certificates issued by Comodo to hijack the users’ traffic through their own server.

• The phishing emails that distribute Retefe include malicious JavaScript code which is designed to install a rogue root certificate and change the OS's proxy auto-config settings.
• The trojan also installs several components including the Tor network browser, which will be used to create a proxy connection for targeting banking sites.

This banking trojan has impacted several major browsers including Google Chrome, Internet Explorer, and Mozilla Firefox.

Attack campaigns

• In October 2014 campaign, Retefe launched man-in-the-middle (MiTM) attacks against nine Japanese banks including Chiba Bank, Yamagata Bank, Chugoku Bank, Japan Post Bank, Awa Bank, Daishi Bank, Hokkoku Bank, Musashino Bank, and Miyazaki Bank.
• In August 2015, the trojan targeted banking users in Sweden and Switzerland.
• In June 2016, the attackers behind the trojan targeted several UK banks including NatWest, Barclays, HSBC, Santander, UlsterBank, Sainsbury's Bank, Tesco Bank, Cahoot, and IF.com.

Connections with OSX Malware

Researchers noted similarities between Retefe banking trojan and OSX malware.

• Both malware strains target banking users and are distributed via phishing campaigns.
• Both use a Man-in-the-Middle (MitM) attack to hijack a user’s network traffic.
• Both use fake root certificates issued by the Comodo Certificate Authority.

Retefe targets both Windows and Mac users

In July 2017, researchers observed a malspam campaign targeting Swiss banks and Austrian banks.

• The phishing emails included two attachments: a zipped Mach-O application, and a .xlsx or .docx document file.
• The first attachment targets macOS systems, while the latter attachment drops the malware on Windows systems.
• The targeted Austrian banks include Bank Austria, BAWAG P.S.K, Raiffeisen Bank, Oberbank, and easybank.
• The targeted Swiss banks include PostFinance, Aargauische Kantonalbank, UBS, Zuger Kantonalbank, and Banque Piguet Galland among others.

Retefe uses EternalBlue exploit kit

Retefe banking trojan was spotted using EternalBlue exploit kit in its campaign against Swiss banks. This trojan has added a new component to its arsenal that uses the NSA exploit kit EternalBlue.

Phishing campaign targeting Swiss banks

In October 2017, researchers observed a phishing campaign targeting Swiss banks with Retefe banking trojan. The phishing emails which were written in German purported to come from a Swiss tax administration worker.

The emails include a malicious attachment named “ESTV Dokument_593657_17_10_2017[.]doc” and urges the recipient to enable macros. Upon which, PowerShell is launched in order to download and install the Retefe trojan.

Latest variant

In May 2019, researchers spotted a new variant of Retefe banking using a different obfuscation technique to infect Windows and macOS systems.

• The new variant uses the stunnel encrypted tunneling mechanism instead of Tor to evade detection by anti-virus software.
• It uses Smoke Loader as an intermediate loader instead of sLoad.
• It abuses a shareware application known as ‘Convert PDF to Word Plus 1.0