Proofpoint: Retefe malware is back with a new set of tools and techniques
The cyber security experts: the cybercriminals use stunnel instead of TOR to secure the proxy redirection and C2 communications, Smoke Loader rather than sLoad as an intermediate loader, and abuse a shareware application known as "Convert PDF to Word Plus 1.0"
According to the cyber security experts, Retefe's return to the landscape was marked by several noteworthy changes: the use of stunnel instead of TOR to secure its proxy redirection and command and control communications; the use of Smoke Loader rather than sLoad as an intermediate loader; and the abuse of a shareware application known as "Convert PDF to Word Plus 1.0", a Python script that has been packaged as an executable with PyInstaller and then compressed with the UPX packer. The banking trojan is noted in particular for changing its proxy configuration: it previously used Proxifier and in 2019 moved to stunnel.

As with many types of malware, the developers continue to identify new ways to infect victims. One of these is the use of proxies to redirect victims to fake bank pages for credential theft, instead of employing web injects for man-in-the-browser attacks.
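The packaging described above (a Python script turned into an executable with PyInstaller, then UPX-packed) leaves recognisable markers that a triage script can check before any detonation. The following is an added example written for this article, not code from Proofpoint or from the Retefe operators; the byte strings it scans are constructed stand-ins for a PE file, not real samples, and the "verdict" labels are this example's own naming.

```python
"""Triage helper: flag executables that look like PyInstaller bundles
packed with UPX.  Added example; sample inputs are constructed bytes."""
import struct

# PyInstaller appends a CArchive "cookie" to the bundle whose first
# 8 bytes are this magic (b"MEI" followed by \x0c\x0b\x0a\x0b\x0e).
PYINSTALLER_MAGIC = b"MEI\x0c\x0b\x0a\x0b\x0e"
# Cookie layout, big-endian: magic, package length, TOC offset,
# TOC length, Python version (int), 64-byte Python library name.
COOKIE_FMT = "!8sIIii64s"
COOKIE_LEN = struct.calcsize(COOKIE_FMT)  # 88 bytes
# UPX renames PE sections to UPX0/UPX1/UPX2 and leaves a "UPX!" tag.
UPX_MARKERS = (b"UPX0", b"UPX1", b"UPX2", b"UPX!")


def parse_pyinstaller_cookie(data: bytes):
    """Return the decoded cookie fields, or None if no cookie is present.

    UPX compresses sections but keeps the PE overlay by default, so the
    cookie usually survives packing; if it does not, run `upx -d` first.
    """
    pos = data.rfind(PYINSTALLER_MAGIC)
    if pos < 0 or pos + COOKIE_LEN > len(data):
        return None
    _magic, pkg_len, toc_off, toc_len, pyvers, pylib = struct.unpack(
        COOKIE_FMT, data[pos:pos + COOKIE_LEN])
    return {
        "package_length": pkg_len,
        "toc_offset": toc_off,
        "toc_length": toc_len,
        "pyvers": pyvers,  # raw int as written by the PyInstaller version used
        "pylib": pylib.rstrip(b"\x00").decode("ascii", "replace"),
    }


def upx_markers(data: bytes) -> list:
    """List which UPX section names / tags appear in the file bytes."""
    return [m.decode() for m in UPX_MARKERS if m in data]


def triage(data: bytes) -> dict:
    """Summarise packaging indicators for one file's bytes."""
    cookie = parse_pyinstaller_cookie(data)
    upx = upx_markers(data)
    if cookie and upx:
        verdict = "pyinstaller+upx"
    elif cookie:
        verdict = "pyinstaller"
    elif upx:
        verdict = "upx"
    else:
        verdict = "none"
    return {
        "is_pe": data[:2] == b"MZ",
        "pyinstaller": cookie is not None,
        "upx": bool(upx),
        "upx_markers": upx,
        "cookie": cookie,
        "verdict": verdict,
    }


# --- Constructed samples (not real binaries, just a DOS stub shape) ---
def _fake_pe(body: bytes) -> bytes:
    return b"MZ" + b"\x00" * 62 + b"PE\x00\x00" + body


SAMPLE_PLAIN = _fake_pe(b".text\x00\x00\x00" + b"\x90" * 64)

_cookie = struct.pack(COOKIE_FMT, PYINSTALLER_MAGIC, 4096, 512, 200, 37,
                      b"python37.dll")  # constructed values
SAMPLE_BUNDLED_PACKED = _fake_pe(
    b"UPX0\x00\x00\x00\x00UPX1\x00\x00\x00\x00" + b"\x00" * 32
    + b"UPX!" + b"\x00" * 64 + _cookie)

if __name__ == "__main__":
    for name, blob in (("plain", SAMPLE_PLAIN),
                       ("bundled+packed", SAMPLE_BUNDLED_PACKED)):
        print(name, triage(blob))
```

Treat a "pyinstaller+upx" result as a reason to look closer, not as a malware verdict: legitimate shareware is packaged exactly this way (which is the point of abusing it), and an operator can also rebuild UPX with renamed sections so the markers never appear. The `pylib` field is the most useful cookie value for analysts because it names the interpreter DLL the bundle carries.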