The Retefe banking trojan resurfaced in April after going dormant for months, with a makeover that includes a move away from Tor to secure its communications as well as the abuse of a legitimate shareware application.
Retefe has always stood out from other banking trojans, with a consistent regional focus in Austria, Sweden, Switzerland, Japan and the United Kingdom, researchers said, as well as its penchant for eschewing web injection as its attack vector.
“Retefe is unusual in its use of proxies to redirect victims to fake bank pages for credential theft instead of employing web injects for man-in-the-browser attacks like most banking trojans,” Proofpoint researchers said in a technical post on Thursday, analyzing the trojan’s reemergence.
While Proofpoint said that it popped up in a few campaigns in 2018, Retefe has been largely quiet for the past year or so; the last major analysis of the trojan stemmed from an uptick in activity in 2017, when it added the NSA exploit EternalBlue to its arsenal in order to attack an SMBv1 vulnerability in Windows that Microsoft had already patched.
In the latest campaign, waged against Swiss and German Mac and Windows users throughout April, Retefe has shown another significant change, by booting the Tor network from its operations. In the past, Tor was its go-to for proxy redirections as well as connections to the command-and-control (C2) server. Now, its operators have opted to incorporate an application called stunnel into the proceedings.
Stunnel is an open-source multi-platform application used to provide a universal TLS/SSL encrypted tunneling service, even for clients or servers that do not speak TLS or SSL natively.
“Retefe extracts stunnel via a compressed archive in place of the usual TOR Socat proxy,” Proofpoint researchers said. “We suspect that the use of a dedicated tunnel rather than Tor makes for a more secure connection because it eliminates the possibility of snooping on the hops between Tor nodes.”
Tor is also a “noisier” protocol, the researchers noted – and “thus would be easier to detect in an enterprise environment than stunnel, which would appear as any other outbound SSL connection.”
Abused Shareware and Installation Improvements
Aside from the decision to drop Tor, Retefe’s authors have also tweaked the malware’s delivery approaches, including abusing a legitimate shareware application as part of the trojan’s installation stack.
But this isn’t the only installation approach in Retefe’s bag of tricks. In one campaign that Proofpoint observed in Switzerland in April, the spam emails instead used an Object Linking and Embedding (OLE) package to deliver Smoke Loader – another new wrinkle for the malware.
Researchers said that Smoke Loader is being employed as the malware’s intermediate dropper, going on to download Retefe and a PowerShell script with the content required for Retefe persistence, including the scheduled tasks for 7-Zip and stunnel.
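The persistence mechanism described above (scheduled tasks that launch 7-Zip and stunnel) is something a defender can hunt for in task-creation audit events. The following is an added example, not code from Proofpoint or from the article; the sample events, task names and file paths are constructed for illustration and are not indicators from the Retefe campaign. It flags tasks whose action runs stunnel or a 7-Zip binary, and rates the finding higher when that binary sits in a user-writable directory, where a dropper rather than an administrator would have placed it.

```python
import re
from dataclasses import dataclass

# Constructed sample records modelled on "scheduled task created" audit events
# (task name plus the command the task runs). Everything here is invented for
# the example; none of it is an indicator taken from the Retefe campaign.
SAMPLE_EVENTS = [
    {"task": r"\Microsoft\Windows\Defrag\ScheduledDefrag",
     "command": r"%windir%\system32\defrag.exe -c -h -o -$"},
    {"task": r"\Update\tunnel",
     "command": r"C:\Users\alice\AppData\Roaming\stunnel\bin\stunnel.exe stunnel.conf"},
    {"task": r"\Update\unpack",
     "command": r"C:\Users\alice\AppData\Local\Temp\7za.exe x payload.7z -pSECRET"},
    {"task": r"\Backup\weekly",
     "command": r"C:\Program Files\7-Zip\7z.exe a D:\backup\docs.7z C:\Users\alice\Documents"},
]

# Executable names of interest: stunnel and the 7-Zip command-line/GUI binaries.
TUNNEL_OR_ARCHIVER = re.compile(
    r"(?:^|[\\/ ])(stunnel|7z|7za|7zg)(?:\.exe)?(?=\s|$)", re.IGNORECASE)
# Locations a standard user can write to, where a dropper would stage its tools.
USER_WRITABLE = re.compile(
    r"\\Users\\[^\\]+\\(?:AppData|Downloads|Desktop)|\\ProgramData\\|\\Temp\\",
    re.IGNORECASE)


@dataclass
class Finding:
    task: str
    severity: str  # "high" for user-writable path, "medium" for system path
    reason: str


def classify(event):
    """Return a Finding for a task that launches stunnel or 7-Zip, else None."""
    m = TUNNEL_OR_ARCHIVER.search(event["command"])
    if not m:
        return None
    binary = m.group(1).lower()
    exe_path = event["command"][:m.end()]  # command text up to the binary name
    if USER_WRITABLE.search(exe_path):
        return Finding(event["task"], "high",
                       f"{binary} scheduled from user-writable path: {exe_path}")
    return Finding(event["task"], "medium",
                   f"{binary} scheduled from system path, review: {exe_path}")


def scan(events):
    """Run classify over every event and keep only the hits."""
    return [f for f in map(classify, events) if f is not None]
```

The medium-severity hit on the backup task shows why the path check matters: 7-Zip installed under Program Files is routine, the same binary dropped into AppData\Local\Temp is not.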
Meanwhile on the macOS side, the latest campaigns are using developer-signed versions of fake Adobe Installers in order to deliver their payloads, Proofpoint said, in a continuation of an approach first seen last year.
“By using signed binaries, actors attempt to bypass the macOS internal Gatekeeper security application, which checks if applications are signed by a valid developer certificate before running,” Proofpoint researchers said.
Like Emotet, the infamous banking trojan that has consistently evolved beyond its banking roots to become a full-service malware delivery platform, Retefe shows ongoing innovation on the malware development front when it comes to banking trojans. Retefe is proving to be agile and consistently effective, researchers said.
“Developers appear to have updated key features of the Trojan and are employing new distribution mechanisms…after a fairly lengthy absence from the landscape,” according to Proofpoint. “As with many types of malware, developers continue to innovate, identifying new, more effective ways to infect victims and steal personal information to better monetize their attacks.”