After aggressive campaigns in October 2014 and August 2015, the crooks behind the Retefe banking trojan have made updates to their code and added new tricks to the malware’s mode of operation.
When users open the document and double-click an image embedded inside it, the JS code does two things. It first downloads and installs a rogue root certificate, and then changes the operating system’s proxy auto-config settings.
Retefe adds its own root certificate, changes proxy settings
When installing the root certificate, users barely get a glimpse at a popup that asks them to confirm the action, because the trojan uses a PowerShell script to automatically click yes in this popup.
Avast researchers have broken down Retefe’s most recent trick, and they say the popup (seen below) asks the user to approve the installation of a root certificate that claims to be from Comodo. In fact, Avast says the certificate is issued by “email@example.com,” and has nothing to do with Comodo.
While all this is happening, Retefe is also setting up a proxy connection, which will redirect some traffic through a Tor website.
Crooks target a few UK banks (NatWest, Barclays, HSBC, Santander, UlsterBank, Sainsbury’s Bank, Tesco Bank, Cahoot, IF.com), but also generic traffic going to *.com, *.co.uk domains.
For this campaign, Retefe only targets UK users
that this intermediary point on the Tor network only accepts connections from a UK IP address, showing that crooks are only interested in users living in the UK.
The root certificate and the proxy settings allow the crooks to hijack the user’s traffic through their own server. This way, they can detect when the user is trying to access a banking portal, and provide him with a fake website instead, showing a valid HTTPS connection, but which is working on a rogue certificate.
Crooks use this access to log the user’s login credentials using credential phishing pages, made to look like the original banking portals.
Retefe used this same trick last year
In Retefe’scampaign, crooks only targeted nine Japanese banks, and they used a similar man-in-the-middle (MiTM) attack, but by changing the user’s DNS settings.
In, the trojan also started targeting users in Sweden and Switzerland but began using this very same proxy hijacking and root certificate trick described above.
“This type of malware is a serious threat for unaware users, because most people trust the certificate signs on HTTPS sites and, therefore, do not verify the certificate’s issuer,” Avast’s Jaromír Hořejší writes. “This makes it easy for the Retefe banker Trojan to steal important data and money.”