The Retefe banking Trojan has been around for some time, targeting Sweden, Switzerland and Japan, as previously reported by Paloalto Research.

We recently noticed Retefe campaigns targeting UK banking customers. Using fake certificates, the Trojan is designed to trick victims into giving up their login credentials and other sensitive information.

At first, the victim receives a document with an embedded malicious JavaScript file per email. The document contains a very small image with a note asking the user to double click on it to view it better. After double clicking, the malicious embedded JavaScript is executed. The document has a notice message in German, however, the Trojan banker is targeting users in UK.

The JavaScript is obfuscated with http://javascriptobfuscator.com.

After the JavaScript is run, the script kills web browsers, installs a malicious certificate and changes the proxy auto-config to link to a website on Tor.

The warning message below regarding a certificate installation is briefly displayed, but then disappears.

To make the message disappear, the JavaScript document also drops and executes a powershell script, which enumerates all the windows with class “”#32770 which is “The class for a dialog box”. If the window belongs to csrss or certutil processes, BM_CLICK message is sent to them, which simulates a user clicking “Yes”.

Looking at Chrome’s HTTPS/SSL -> “Manage certificates…” menu, under “Trusted Root Certification Authorities”, we can see a certificate with a suspicious Issuer, “me@myhost.mydomain”.

If we scroll down to the certificate details, we see the sha1 certificate thumbprint, which is an exact match to the thumbprint in the security warning displayed above.

The certificate is stored in the registry in: HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\Root\Certificates\34E6D8C4F9F4448AC7B3B713E3A093BDF78436D9

The victim’s proxy settings are modified, as seen in registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\AutoConfigURL value.

At this moment, the IP address matters. If the IP address is a non-UK IP address, an error message is shown and a proxy configuration is not served and, therefore, the victim is not redirected while browsing.

However, if a UK IP address is found, the proxy auto-config script is run.

After deobfuscating the code, we can see the list of targeted online banking systems and a malicious proxy that is used when users visit a website that matches patterns from the list below.

You may notice a ‘*.com’ and ‘*.co.uk’. These are not specific banking websites, but whenever a victim goes to any of these websites, the traffic goes through the malicious proxy. Because the script installed the malicious root certificate, attackers may issue a certificate for any website, sign it with this malicious root certificate and the system will automatically trust it. This is used to run the man-in-the-middle attack and decrypt the encrypted communication. It means that the attackers can see all the credentials going through their malicious proxy.

Let’s have a look at the malicious certificate for Barclays Bank. On both clean and infected machines, bank.barclays.co.uk has the green padlock icon saying that “Your connection to this site is private”. However, if we look at the certification path, on a clean machine (left image in the figure below), we can see the certificate path for bank.barclays.co.uk starts with Verisign, which is legit. On an infected machine, however, we can see the previously installed malicious certificate (right image in the figure below).

All affected UK banks already know about the Trojan, and warn their customers on their sites of the danger.

When infected users visit Barclays’ banking site, they are sent directly to a fake HTTPS login site that requires login credentials and/or additional personal data. If we compare the fake site to the original there is not much of a difference. This means unsuspecting victims can easily be fooled, unless they check the certificate validation.

Fake Barclays site

Clean, original site

When a victim enters their credentials on the fake site, a counter appears to hold the user on the site. This behavior is common for sites affected by this banker Trojan. The banker Trojan, despite taking its sweet time, doesn’t validate any of data entered like a legitimate banking site does.

Fake site with counter

Legitimate Nwolb site, warning customers of Retefe

Fake Nwolb site

Fake Nwolb site with incorrect Customer number

This type of malware is a serious threat for unaware users, because most people trust the certificate signs on HTTPS sites and, therefore, do not verify the certificate’s issuer. This makes it easy for  the Retefe banker Trojan to steal important data and money.

SHAs:

0CF2C0165CDC3962AD8C3AC27258FDAB4DCECB7121BA97856B66D22FD77AEFCA

1166CE980F783C5BA18FD1904E00350DD3D25C19E64674816A1B35DA4319AE54

50F729589FA850ADE5834DD7FCD5F354F35B4515C8ECABBFF91DE3CEB45DE052

5A578CCB2B1051273222359BF4CA18B8788DF8F98A70CB0A8A354029AD7A9856

629DB885C944187DD0A71715C7FEF929E38F1927BC19182122EA1B594397A9BD

Acknowledgements

We would like to thank to @roskyfrosky and @benkow_ for their tips and advice.

Special thanks to my colleague, Jan Sirmer, for his cooperation on this analysis.