The evolution of the Retefe banking Trojan

The Retefe Trojan is now also targeting Smile banking customers. The Trojan has evolved and includes new malicious components.

Three weeks ago, we published a blog post about the Retefe banking Trojan, which targeted banking customers in the United Kingdom. The Trojan steals login credentials and other personal information. Retefe is usually spread via a phishing email carrying a document with embedded malicious JavaScript; user interaction is needed to activate the Trojan.

Another UK bank, the Smile online bank, has recently been added to the list of affected banks.

The main behavior of the Trojan is largely unchanged; what is new is the set of malicious components it installs. The infection vector and the installation of the malicious certificate are the same as in our last blog post.

Once the JavaScript runs, it attempts to kill open web browser processes. It then installs a fake certificate and changes the proxy auto-config URL. All scripts are obfuscated with the Dean Edwards packer. This behavior is the same as in the previous version of Retefe.

The JavaScript, however, now contains three PowerShell scripts, two of which are the same as in the previous version. ConfirmCert clicks “OK” in the dialog displayed during the installation of the rogue certificate, and AddCertFF adds the rogue certificate to Firefox, which keeps its own certificate store separate from the Windows one. InstallTP is the new PowerShell script. It downloads and installs three programs: the Task Scheduler Managed Wrapper, Tor and Proxifier.

The Task Scheduler Managed Wrapper is downloaded from CodePlex. It lets the script instantiate the object Microsoft.Win32.TaskScheduler.TaskService (“New-Object Microsoft.Win32.TaskScheduler.TaskService”), which is later used to establish persistence.

The Tor client lets the Trojan reach .onion addresses directly, which cannot be resolved through ordinary DNS.

Proxifier, as stated on their website, “allows network applications that do not support working through proxy servers to operate through a SOCKS or HTTPS proxy and chains.”.

The AutoConfigURL contains a link to a .onion domain, which can now be reached because Tor was installed.

AutoConfig URL Retefe.png

The Tor client is a console application and, if executed normally, its console window can be seen by the user. On an infected machine, however, the victim cannot see the window, because Tor’s window is hidden: Retefe calls ShowWindow with the parameter nCmdShow set to SW_HIDE, thus hiding the window from the victim.

As with the previous version of Retefe, the proxy configuration is served only to systems with UK IP addresses. If any of the previously targeted banks or the newly added bank is accessed, the traffic is routed via a malicious proxy. This proxy is hidden behind Tor, as can be seen below.

Retefe Trojan proxy configuration.png

When a user visits one of the targeted websites, the site’s certificate is replaced with a fake one issued under the rogue certificate installed earlier, so the browser shows no warning. This allows the attackers to camouflage the infection and to capture the victim's login credentials. Below you can see a fake version of the Smile bank website, which has been added with this version of the Trojan.

Smile bank Retefe Trojan.png

Fake Smile banking website

Smile bank Retefe Trojan2.png

Fake Smile banking website

Smile bank Retefe Trojan3.png

Fake Smile banking website

Fake Smile website certificate.png

Fake Smile banking website certificate

The newly added PowerShell script, InstallTP, adds persistence. We can see two malicious tasks in the Task Scheduler, “AdobeFlashPlayerUpdate” and “GoogleUpdate Task”, which run every 30 minutes and execute both Tor and Proxifier. Even if the user were to stop them, they would be restarted within 30 minutes.

InstallTP powershell script Task Scheduler.png

Proxifier routes traffic through the Tor SOCKS proxy listening on localhost port 9050. Its rules specify which targets are accessed via the proxy and which are accessed directly.
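The artefacts described above (the AutoConfigURL value, the rogue root certificate, the two scheduled tasks, the Tor listener on port 9050 and the hidden tor.exe window) can all be checked from the host. The following PowerShell triage script is an added example written for this page; it is not code from the original analysis or from the malware. The task names, the port number and the registry value come from the text; the function name, the finding categories and the assumption that a legitimately managed machine has no user-specific root certificates missing from the machine store are mine.

```powershell
# Added triage script (not part of the original analysis): looks for the Retefe
# indicators described in the post. Task names, port 9050 and AutoConfigURL are
# taken from the text; everything else here is an assumption for illustration.
#Requires -Version 3.0

function Get-RetefeIndicators {
    [CmdletBinding()]
    param(
        # Task names reported in the post; extend if newer samples use other names.
        [string[]]$SuspectTaskNames = @('AdobeFlashPlayerUpdate', 'GoogleUpdate Task'),
        # Local Tor SOCKS port that Proxifier chains through.
        [int]$TorPort = 9050
    )

    $findings = New-Object System.Collections.Generic.List[object]
    function Add-Finding([string]$Type, [string]$Detail) {
        $findings.Add([pscustomobject]@{ Type = $Type; Detail = $Detail })
    }

    # 1. Proxy auto-config URL. Retefe points it at a .onion host; any PAC URL on a
    #    machine that is not supposed to use one deserves a look.
    $inet = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
    $pac  = (Get-ItemProperty -Path $inet -Name AutoConfigURL -ErrorAction SilentlyContinue).AutoConfigURL
    if ($pac) {
        $type = if ($pac -match '\.onion(/|:|$)') { 'PAC-Onion' } else { 'PAC-Set' }
        Add-Finding $type $pac
    }

    # 2. Rogue root certificate. Assumption: trusted roots belong in the machine store,
    #    so a CurrentUser\Root entry absent from LocalMachine\Root is suspicious.
    $machineRoots = @(Get-ChildItem Cert:\LocalMachine\Root | ForEach-Object Thumbprint)
    Get-ChildItem Cert:\CurrentUser\Root |
        Where-Object { $machineRoots -notcontains $_.Thumbprint } |
        ForEach-Object { Add-Finding 'UserRootCA' ("{0} ({1})" -f $_.Subject, $_.Thumbprint) }

    # 3. Persistence: the two scheduled tasks and whatever they launch.
    foreach ($t in Get-ScheduledTask -ErrorAction SilentlyContinue) {
        if ($SuspectTaskNames -contains $t.TaskName) {
            $actions = ($t.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)" }) -join '; '
            Add-Finding 'ScheduledTask' ("{0} -> {1}" -f $t.TaskName, $actions)
        }
    }

    # 4. Tor listener on the SOCKS port, plus tor/Proxifier processes. A tor.exe with
    #    MainWindowHandle 0 has no visible window, consistent with the SW_HIDE call.
    Get-NetTCPConnection -State Listen -LocalPort $TorPort -ErrorAction SilentlyContinue |
        ForEach-Object { Add-Finding 'TorListener' ("{0}:{1} pid {2}" -f $_.LocalAddress, $_.LocalPort, $_.OwningProcess) }
    Get-Process -Name tor, Proxifier -ErrorAction SilentlyContinue | ForEach-Object {
        $window = if ($_.MainWindowHandle -eq 0) { 'no visible window' } else { 'window visible' }
        Add-Finding 'Process' ("{0} pid {1} ({2}) {3}" -f $_.ProcessName, $_.Id, $window, $_.Path)
    }

    return $findings
}

$result = Get-RetefeIndicators
if ($result.Count -eq 0) { 'No Retefe indicators found.' } else { $result | Format-Table -AutoSize }
```

Run it in an elevated PowerShell session on Windows 8 / Server 2012 or later (Get-ScheduledTask and Get-NetTCPConnection are not available on Windows 7). The certificate check does not cover Firefox, which keeps its own store; AddCertFF's rogue entry has to be looked for in the profile's certificate database separately.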

proxy Retefe Trojan.png

For example, when we visit it shows that our IP address was not changed (Action: Direct) and is still located in the UK, but when we go to it shows a slightly different result.

IP address changed Retefe Trojan.png

When we looked into the settings file, we found that the attackers are using a cracked version of Proxifier.

Proxifier crack Retefe Trojan.png

We assume this is not the last time we will see the Retefe banking Trojan evolve, not only in the UK but also globally. The biggest danger of attacks using fake certificates is that they convince users they are completely safe, because the browser shows what looks like a valid HTTPS connection.

Special thanks to my colleague, Jan Sirmer, for his cooperation on this analysis.
