Researchers have noticed a recent upswing in attacks against banks featuring the Retefe banking trojan, following what was apparently a fairly quiet 2018 for the malware.
The trojan is historically known for targeting the banking industry in countries like Austria, Sweden, Switzerland and the UK. Rather than using malicious web injects to execute man-in-the-browser attacks -- like many banking trojans do -- it victimizes users by using a proxy to route online traffic intended for legitimate banking websites to malicious sites instead.
In April 2019, the malware began focusing its efforts on Swiss and German online banking customers using either Windows- or macOS-based machines, according to a blog post published today by the Proofpoint Threat Insight Team and company researcher Bryan Campbell.
This latest campaign changes some of the malware's functionality as well. For instance, instead of using TOR for its proxy redirection and command-and-control set-up, Retefe uses Stunnel, an open-source application that acts as a proxy and universal TLS/SSL tunneling service.
"It is not clear why Retefe’s authors have now deprecated Tor in favor of stunnel. However, we suspect that the use of a dedicated tunnel rather than Tor makes for a more secure connection because it eliminates the possibility of snooping on the hops between Tor nodes," Proofpoint surmises in the blog post. "Tor is also a 'noisier' protocol and thus would be easier to detect in an enterprise environment than Stunnel, which would appear as any other outbound SSL connection."
Previously Retefe was typically associated with the PowerShell-based downloader sLoad, but more recently Proofpoint observed the malware instead using Smoke Loader as its intermediate-stage downloader. The researchers saw this in a phishing campaign targeting Switzerland with the trojan.
Additionally, the researchers noted the Retefe now abuses the Python-based shareware application "Convert PDF to Word Plus 1.0." Proofpoint found the app last March in a public malware repository, describe the code as a "Python script that has been packaged as an executable using PyInstaller and packed into an archive using the UPX packing engine."
Proofpoint says the script writes two files. The first is a legitimate installer for the shareware application, which is used as a decoy. The other is Retefe's loader, which "extracts 7-Zip and stunnel from its resources then decrypts and executes the main Retefe JavaScript code."
The researchers report seeing Retefe campaigns targeting Windows users through December 2018, while macOS-focused campaigns have continued into 2019. The macOS campaigns are using developer-signed versions of fake Adobe installers to deliver payloads, according to the blog post.
"Retefe is unusual in its use of proxies to redirect victims to fake bank pages for credential theft instead of employing web injects for man-in-the-browser attacks like most banking Trojans. Developers appear to have updated key features of the Trojan and are employing new distribution mechanisms including fake apps and switching to Smoke Loader as its intermediate downloader after a fairly lengthy absence from the landscape. Retefe in particular is noted for changing its proxy configuration, having previously used Profixifier and in 2019 moving to stunnel. As with many types of malware, developers continue to innovate, identifying new, more effective ways to infect victims and steal personal information to better monetize their attacks.
