EternalBlue exploit used in Swiss campaigns by Retefe malware

The operators of the Retefe banking Trojan have added the leaked NSA EternalBlue exploit to the malware's installer so that an infection can spread from the initially compromised machine to other hosts on the victim's network.

Researchers at Proofpoint said that the addition of limited network propagation capabilities may represent an “emerging trend for the threat landscape as 2018 approaches”.

In a blog post, researchers said that while Retefe has never reached the scale or notoriety of better-known banking Trojans such as Dridex or Zeus, it is notable for its consistent regional focus and its unusual implementation.

“Unlike Dridex or other banking trojans that rely on webinjects to hijack online banking sessions, Retefe operates by routing traffic to and from the targeted banks through various proxy servers, often hosted on the TOR network,” said researchers.

Researchers said that in recent months Retefe has generally been delivered in unsolicited malicious email campaigns carrying Microsoft Office document attachments. The documents contain embedded OLE Package objects (Package Shell Objects), which in this campaign are typically Windows shortcut (.lnk) files rather than the ordinary files the object type is designed to embed.

If the victim double-clicks the embedded shortcut and accepts the security warning that Office displays, the PowerShell command line stored in the LNK runs and downloads an executable payload from a remote server.
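The delivery chain above (Office document, embedded OLE Package object, .lnk inside it, PowerShell in the shortcut's arguments) leaves a recognisable footprint in the document itself. The following is an added example, not Proofpoint's or the Retefe operators' code: a Python triage scan that opens an OOXML document as a ZIP, looks at every object under an `embeddings/` folder, and reports the OLE compound-file magic, the ShellLinkHeader magic of a .lnk, a `.lnk` filename of the kind the `\x01Ole10Native` stream of a Package object carries, and the string `powershell` in either ANSI or UTF-16LE (LNK string data is UTF-16LE). The sample document it builds is constructed for the test; only the CFB and LNK magic values in it are real, the rest of the "compound file" is a stub. Function and file names are the example's own.

```python
"""Triage scan for Office (OOXML) documents carrying an embedded OLE Package
object that is really a Windows shortcut (.lnk) launching PowerShell.

Added example, not code from Proofpoint or from the Retefe installer.
Assumptions (example's own): OOXML input (.docx/.xlsx/.pptx), embedded OLE
objects stored as */embeddings/*.bin; the sample document built below is a
constructed stub whose only real structure is the CFB and LNK magic bytes.
"""
import io
import re
import zipfile

CFB_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # OLE2 compound file header
# ShellLinkHeader: HeaderSize 0x4C + LinkCLSID 00021401-0000-0000-C000-000000000046
LNK_MAGIC = (b"\x4c\x00\x00\x00"
             b"\x01\x14\x02\x00\x00\x00\x00\x00\xc0\x00\x00\x00\x00\x00\x00\x46")
# Ole10Native stores the original filename as a NUL-terminated ANSI string
LNK_NAME_RE = re.compile(rb"[\x20-\x7e]{1,64}\.lnk\x00", re.IGNORECASE)
PS_ASCII = re.compile(rb"powershell", re.IGNORECASE)
PS_UTF16 = re.compile("powershell".encode("utf-16le"), re.IGNORECASE)

BENIGN = {"ole_container"}  # an embedded OLE object by itself is normal


def inspect_embedded_object(entry_name, blob):
    """Return {'entry', 'indicators'} for one embedded object, or None if nothing noted."""
    indicators = []
    if blob.startswith(CFB_MAGIC):
        indicators.append("ole_container")
    if LNK_MAGIC in blob:  # raw scan: can miss a header split across CFB sectors
        indicators.append("lnk_header")
    m = LNK_NAME_RE.search(blob)
    if m:
        indicators.append("lnk_filename:" + m.group(0)[:-1].decode("ascii", "replace"))
    if PS_ASCII.search(blob) or PS_UTF16.search(blob):
        indicators.append("powershell_string")
    return {"entry": entry_name, "indicators": indicators} if indicators else None


def is_suspicious(finding):
    """True when anything beyond a plain OLE container was seen."""
    return bool(set(finding["indicators"]) - BENIGN)


def scan_ooxml(document_bytes):
    """Scan an OOXML document (a ZIP) and return one finding per embedded object."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(document_bytes)) as zf:
        for info in zf.infolist():
            if "/embeddings/" not in info.filename:
                continue
            finding = inspect_embedded_object(info.filename, zf.read(info.filename))
            if finding:
                findings.append(finding)
    return findings


def build_sample_docx(with_lnk_payload=True):
    """Constructed sample: a minimal .docx whose word/embeddings/oleObject1.bin
    mimics an OLE Package object. with_lnk_payload=True packs a stub .lnk whose
    UTF-16LE argument string launches PowerShell; False packs a harmless file.
    The CFB container is a stub (magic + padding), not a parseable compound file."""
    if with_lnk_payload:
        lnk_args = 'powershell.exe -nop -w hidden -c "stub"'.encode("utf-16le")
        fake_lnk = LNK_MAGIC + b"\x00" * 56 + lnk_args  # 76-byte header stub + StringData
        ole10native = b"\x02\x00" + b"invoice.lnk\x00" + b"C:\\invoice.lnk\x00" + fake_lnk
    else:
        ole10native = b"\x02\x00" + b"report.pdf\x00" + b"C:\\report.pdf\x00" + b"%PDF-1.4 stub"
    ole_bin = CFB_MAGIC + b"\x00" * 504 + ole10native
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        zf.writestr("word/embeddings/oleObject1.bin", ole_bin)
    return buf.getvalue()


if __name__ == "__main__":
    for f in scan_ooxml(build_sample_docx()):
        print("SUSPICIOUS" if is_suspicious(f) else "info", f)
```

The scan is deliberately a raw byte search so it runs with the standard library only; because a compound file stores streams in 512-byte sectors that need not be contiguous, a header or string straddling a sector boundary can be missed, so a production pipeline should extract the `\x01Ole10Native` stream with a real CFB parser (oletools' `oleobj` does this) and then apply the same LNK checks to the extracted file. An `.lnk` filename or a ShellLinkHeader inside a Package object is the indicator worth alerting on; an embedded OLE object on its own is ordinary.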

Researchers de-obfuscated the JavaScript installer and found several parameters set within its “Cfg” section. One of them, called pseb, implements the EternalBlue exploit, borrowing most of its code from a publicly available proof-of-concept posted on GitHub.

The pseb module also logs the installation and the victim's configuration details and uploads them to an FTP server. On a host successfully exploited through EternalBlue, the payload downloads a PowerShell script from a remote server; that script carries an embedded executable that installs Retefe.

Researchers also noted that on 20 September the “pseb:” section had been replaced by a new “pslog:” section containing only the logging functions. “This installation, however, lacks the “pseb:” module responsible for further lateral spread via EternalBlue, thus avoiding an infinite spreading loop,” said researchers.

Researchers added that they have witnessed “increasingly targeted attacks from this group, that, with the addition of the EternalBlue exploit, creates opportunities for effective propagation within networks once initial targets have been compromised.”

They advised that, beyond applying the MS17-010 update that closes the SMBv1 vulnerability EternalBlue exploits, organisations should block the associated network traffic with IDS and firewall rules and block the malicious messages (Retefe's primary vector) at the email gateway.

Tony Rowan, chief security consultant at SentinelOne, told SC Media UK that, “as we saw with NotPetya and WannaCry, not all users are applying patches in a timely manner, so the EternalBlue exploit is still effective against many devices. If they're not applying patches and updates, then their general IT hygiene is poor and therefore they may not have backups. An ideal target victim for ransomware.”

“It's clear from this attack that popular exploits will be copied, shared and used by the attackers and why not? If it works why would you do extra work to create something new? The only reason to get more creative in attacks is if the old ones don't work anymore,” he said.

“This shows yet again that there are many people not applying even the basic security controls and mitigations. Relying on legacy signature-based detection is not going to stop new or variant malware. Add to that poor vulnerability and patch management, poor untested backup strategies and you have the formula for success for ransomware and other forms of attack. Moving on to next generation endpoint security systems has to be a priority.”

Josh Mayfield, platform specialist for Immediate Insight at FireMon, told SC Media UK that with Retefe we are also seeing the evolution of EternalBlue right before our eyes. “By sitting on a proxy and re-routing the traffic to scrape credentials, the typical user is less likely to notice anything is amiss. When the communication is initiated by the user and they are taken to what appears to be the intended destination, a mere mortal may not detect they have been redirected,” he said.

Javvad Malik, security advocate at AlienVault, told SC Media UK that he doesn't think this use of EternalBlue signals a new trend, but rather continues the existing trend of attackers seeking out the tools and attacks that are easily available and offer a good return on investment.

“For organisations, it boils down to the basics of patching, segregating networks, monitoring for unusual activity, using threat intelligence to quickly detect known indicators of compromise, and having an incident response and recovery plan in place,” he said.
