Retefe trojan evolves to use stunnel encrypted tunneling mechanism for secure communication
- The new variant uses Smoke Loader as an intermediate loader.
- It also makes use of a shareware application as bait to propagate across systems.
A new variant of Retefe banking trojan has been observed using a different obfuscation technique to infect Windows and macOS systems. The new variant is using the stunnel encrypted tunneling mechanism to evade detection by anti-virus software.
What are the new changes?
According to the researchers from Proofpoint, the new variant of Retefe includes:
- The use of stunnel instead of TOR to secure its proxy redirection and command-and-control communications;
- The use of Smoke Loader rather than sLoad as an intermediate loader;
- The abuse of a shareware application known as ‘Convert PDF to Word Plus 1.0’.
How does it propagate?
The attackers are using a document conversion tool as a new bait to propagate the Retefe trojan variant. Dubbed Convert PDF to Word Plus 1.0, the shareware app is signed by DigiCert, but is actually a Python script packed as an executable.
Once the tool is launched, the script writes two files to the %TEMP% directory and executes them: one is the legitimate installer and the other is a decoy.
The decoy file contains the content required for the Retefe variant's persistence.
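The propagation section above turns on a signed installer that is really a packed Python script, so a code signature alone is not a trust signal. The following is an added defensive example, not code from Proofpoint or the article: it flags a Windows executable that bundles a Python runtime, assuming the common PyInstaller and py2exe packer markers (the article does not name the packer); the sample bytes are constructed for the demonstration.

```python
import re
from typing import List

# Markers for two common "Python script as .exe" packers. These are assumptions
# about typical packers; the article only says "a Python script packed as an executable".
# PyInstaller's CArchive cookie starts with this magic (octal \014\013\012\013\016).
PYINSTALLER_MAGIC = b"MEI\x0c\x0b\x0a\x0b\x0e"
# py2exe stores the embedded script in a resource named PYTHONSCRIPT.
PY2EXE_MARKER = b"PYTHONSCRIPT"
# Either packer ships the interpreter DLL (python27.dll, python37.dll, ...).
PYTHON_DLL_RE = re.compile(rb"python\d\d\.dll", re.IGNORECASE)


def packed_python_indicators(data: bytes) -> List[str]:
    """Return human-readable indicators that a PE image carries a packed Python script."""
    hits: List[str] = []
    if not data.startswith(b"MZ"):
        return hits  # not a PE image; nothing to say
    if PYINSTALLER_MAGIC in data:
        hits.append("pyinstaller-archive-magic")
    if PY2EXE_MARKER in data:
        hits.append("py2exe-marker")
    dlls = sorted({m.lower().decode() for m in PYTHON_DLL_RE.findall(data)})
    if dlls:
        hits.append("embedded-python-runtime:" + ",".join(dlls))
    return hits


def is_packed_python_script(data: bytes) -> bool:
    """True when at least one packer indicator is present in the image bytes."""
    return bool(packed_python_indicators(data))


def scan_file(path: str) -> List[str]:
    """Convenience wrapper for triage: read a file and report its indicators."""
    with open(path, "rb") as fh:
        return packed_python_indicators(fh.read())


# Constructed samples: a fake PE carrying PyInstaller markers, and a plain PE.
SAMPLE_PACKED = b"MZ" + b"\x00" * 64 + b"PYTHON37.DLL" + b"\x00" * 16 + PYINSTALLER_MAGIC
SAMPLE_PLAIN = b"MZ" + b"\x00" * 64 + b"kernel32.dll"

if __name__ == "__main__":
    print(packed_python_indicators(SAMPLE_PACKED))  # two indicators
    print(packed_python_indicators(SAMPLE_PLAIN))   # []
```

Run it against an installer under triage with `scan_file(path)`; a hit says only that the binary embeds Python, which combined with a valid signature on a "conversion tool" is exactly the pattern described above.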
An alternative method
Researchers have also observed an alternative infection chain, in which Smoke Loader is distributed first and later downloads the new Retefe variant.
“On April 17, Proofpoint researchers observed a geographically targeted campaign against Switzerland using the email lure below (Fig. 4). This campaign used an Object Linking and Embedding (OLE) package to deliver Smoke Loader,” Proofpoint researchers explained in a blog post.
“Approximately two hours following infection, we observed Smoke Loader downloading Retefe with the following hash: 925ce9575622c59baacc70c0593a458a76731c5f195c6a7a790abc374402725e,” researchers explained.
Retefe is an unusual banking trojan in that it uses proxies to redirect victims to fake bank pages for credential theft. The malware author appears to have updated key features of the trojan, including the use of fake apps as bait and the switch to Smoke Loader as its intermediate downloader.