
Retefe malware is back with a new set of tools and techniques


Proofpoint: Retefe malware is back with a new set of tools and techniques

Retefe malware is back. According to the Proofpoint cyber security experts, the banking Trojan has historically routed online banking traffic intended for targeted banks through a proxy, instead of using the web injects more typical of other bankers. In the past, its campaigns have targeted Austria, Sweden, and Switzerland, among other regions, and have also targeted users of UK online banking sites. Retefe is generally delivered via zipped JavaScript as well as Microsoft Word documents. Although it appeared only infrequently in 2018, it returned to more regular attacks on Swiss and German victims in April 2019 with both a Windows and a macOS version. After a fairly lengthy absence from the landscape, its developers appear to have updated key features of the Trojan and are employing new distribution mechanisms, including fake apps, and have switched to Smoke Loader as its intermediate downloader.

According to the cyber security experts, the cybercriminals now use stunnel instead of Tor to secure the proxy redirection and C2 communications, Smoke Loader rather than sLoad as an intermediate loader, and abuse a shareware application known as “Convert PDF to Word Plus 1.0”.

According to the cyber security experts, Retefe’s return to the landscape was marked by several noteworthy changes: the use of stunnel instead of Tor to secure its proxy redirection and command and control communications; the use of Smoke Loader rather than sLoad as an intermediate loader; and the abuse of a shareware application known as “Convert PDF to Word Plus 1.0”, a Python script that has been packaged as an executable using PyInstaller and packed into an archive using the UPX packing engine. The banking Trojan is also notable for changing its proxy configuration: it previously used Proxifier and in 2019 moved to stunnel. As with many types of malware, its developers continue to identify new ways to infect victims. One of these is the use of proxies to redirect victims to fake bank pages for credential theft, instead of employing web injects for man-in-the-browser attacks.
