Retefe is back in town
The last week has been marked by the return (again) of yet another wave of Retefe, a malware family that first appeared in 2014 and has "come back" several times since. For those not familiar with it, Retefe is a banking Trojan mainly targeting Austria, Sweden, Switzerland and Japan. In many of its variants, the infection also involves installing a rogue Android app to defeat 2FA by intercepting the token the bank sends to the user.
As always, Retefe spreads via spam email. In this case the email carried a .zip archive as an attachment, which contained an obfuscated .js file.
Bestellung.dd.MM.YY.N353610.zip fcb54818faf6884d2e00cfd5fec49872
|-- Quittung.dd.MM.YY.N821175.js 008faf67f1fbfcb60c88335ea601344f
When the user double-clicks the malicious attachment, the .js script connects to www.cablecar[.]at (81.19.145.97) and downloads an executable file, which is saved in the Temp folder under the user profile with the file name radFBD63.tmp:
C:\Users\<userfolder>
4ED56CDB8B14CAE19747AC05DC852BB5
The above is actually a self-extracting archive that drops several files, the most important of which is Rechnung.dd.MM.YY.N65609.js. Once executed, it starts the entire chain of actions, which can be summarized in the following main steps:
- It runs taskkill.exe to kill the three major browser processes
- It runs certutil.exe to install a fake certificate (c8afa2a1beb4bb0d809a92c8737de253)
- It sets a Proxy Auto-Config (Proxy-PAC) in the registry
- It uses PowerShell scripts (627f74992a9e7e2fb58a9f6814aa6f82 and c955dcbeaa7647e9915db54fce67564b) to install the certificate, check which browsers are installed and behave accordingly
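As an added example (not from the diary), here is a defender-side way to use the chain above: a small Python detector that tags process-creation events (constructed, Sysmon-style samples embedded below) against the four stages and flags a host only when several distinct stages appear on it, since taskkill, certutil and PowerShell are each common in legitimate use. The AutoConfigURL value under the WinINet Internet Settings key is my assumption about how the PAC gets set; the diary only says it is written to the registry.

```python
from collections import defaultdict

# Constructed process-creation events (Sysmon-style fields, not from the diary).
SAMPLE_EVENTS = [
    {"host": "WS01", "image": "wscript.exe",
     "cmdline": r"wscript.exe C:\Users\u\AppData\Local\Temp\Rechnung.js"},
    {"host": "WS01", "image": "taskkill.exe", "cmdline": "taskkill /F /IM chrome.exe"},
    {"host": "WS01", "image": "taskkill.exe", "cmdline": "taskkill /F /IM firefox.exe"},
    {"host": "WS01", "image": "taskkill.exe", "cmdline": "taskkill /F /IM iexplore.exe"},
    {"host": "WS01", "image": "certutil.exe",
     "cmdline": r"certutil -addstore -f Root C:\Users\u\AppData\Local\Temp\ca.der"},
    {"host": "WS01", "image": "reg.exe",   # assumed mechanism: AutoConfigURL value
     "cmdline": r'reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings"'
                r" /v AutoConfigURL /t REG_SZ /d http://pac.example.invalid/p.pac /f"},
    {"host": "WS01", "image": "powershell.exe",
     "cmdline": "powershell -ExecutionPolicy Bypass -File C:\\Users\\u\\AppData\\Local\\Temp\\i.ps1"},
    # Benign noise on a second host: a single stage alone should not alert.
    {"host": "WS02", "image": "taskkill.exe", "cmdline": "taskkill /F /IM notepad.exe"},
    {"host": "WS02", "image": "certutil.exe", "cmdline": "certutil -hashfile setup.exe MD5"},
]

BROWSERS = ("chrome.exe", "firefox.exe", "iexplore.exe")

def classify(ev):
    """Map one event to the Retefe chain stage it resembles, or None."""
    image, cmd = ev["image"].lower(), ev["cmdline"].lower()
    if image == "taskkill.exe" and any(b in cmd for b in BROWSERS):
        return "browser_kill"          # taskkill against a major browser
    if image == "certutil.exe" and "-addstore" in cmd and "root" in cmd:
        return "root_cert_install"     # new root CA so the rogue proxy's TLS is trusted
    if "autoconfigurl" in cmd:
        return "pac_set"               # PAC URL written to the registry
    if image == "powershell.exe":
        return "powershell"            # helper scripts for cert/browser handling
    return None

def stages_by_host(events):
    """Return {host: set of chain stages seen on that host}."""
    hits = defaultdict(set)
    for ev in events:
        stage = classify(ev)
        if stage:
            hits[ev["host"]].add(stage)
    return dict(hits)

def suspicious_hosts(events, min_stages=3):
    """Hosts showing at least min_stages distinct stages of the chain."""
    return sorted(h for h, s in stages_by_host(events).items() if len(s) >= min_stages)

if __name__ == "__main__":
    print(suspicious_hosts(SAMPLE_EVENTS))  # ['WS01']
```

Tune min_stages and the browser list to your environment; the root-certificate install and the PAC write are the two stages worth alerting on even in isolation on workstations where users should never do either.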
As in all its previous variants, Retefe's method is to take control of the user's browsers and redirect all connections to the targeted banks through a rogue proxy server, thereby hijacking the user's credentials. The following is a summary of all the processes spawned by running the malicious attachment, and their relationships:
For those who want more hints about Retefe, the references below point to analyses of previous samples.
Happy Hunting
Pasquale
REFERENCES:
https://securityblog.switch.ch/2014/11/05/retefe-with-a-new-twist/
http://securityintelligence.com/tsukuba-banking-trojan-phishing-in-japanese-waters/
http://blog.trendmicro.com/trendlabs-security-intelligence/finding-holes-operation-emmental/
https://countuponsecurity.com/2016/02/29/retefe-banking-trojan/