Friday, November 1, 2024
HomeCyber AttackAdvanced Retefe Banking Malware Attack on Windows and Mac Users via Weaponized...

Advanced Retefe Banking Malware Attack on Windows and Mac Users via Weaponized Word Documents

Published on

Malware protection

Researchers discovered a new wave of sophisticated banking malware called Retefe that targeting Windows and Mac users financial data by routing the online banking traffic via proxy.

Retefe malware initially appeared in 2018, since then it targets victims who reside in various countries including Swiss and German especially in April 2019.

Unlike some of the other malware that uses Tor for encryption traffic, Retelfe Malware using a proxy called Stunnel for C2 server communication that adds TLS encryption functionality to the infected system without any changes in the programs’ code.

- Advertisement - SIEM as a Service

Malware authors abusing an application known as ” “Convert PDF to Word Plus 1.0” and add malicious python scripts that packaged as an executable script and archived with the help of UPX packing engine.

Researchers first discovered abused shareware application in a public malware repository that hosted in compromised domain http://lettercreate.com/unipdf/convert-pdf-to-word-plus[.]exe

Retefe malware Infection Process

Initially, once the victims execute the file, the executable has been unpacked, unpackaged, and decompiled.

It writes two different files (convert-pdf-to-word-plus.exe and convert-pdf-to-word-plus_driver.exe ) in the victim’s machines into the %TEMP% directory and executes them.

Researchers believe that convert-pdf-to-word-plus.exe file is a legitimate installer for the “Convert PDF to Word Plus” application and is executed as a decoy.

In this case, Convert-pdf-to-word-plus_driver.exe was identified as a malicious loader that drops and extract the Zip file and the stunnel from its package then decrypts and executes the main Retefe JavaScript code.

Researchers also observed that the Retefe malware being delivered through Smoke Loader via Object Linking and Embedding (OLE) package

According to Proof point research, t is not clear why Retefe’s authors have now deprecated Tor in favor of stunnel. However, we suspect that the use of a dedicated tunnel rather than Tor makes for a more secure connection because it eliminates the possibility of snooping on the hops between Tor nodes. Tor is also a “noisier” protocol and thus would be easier to detect in an enterprise environment than stunnel, which would appear as any other outbound SSL connection.

Previous Retefe malware campaign targets the Windows hosts but the current campaigns targeting macOS using developer-signed versions of fake Adobe Installers in order to deliver their payloads.

“By using signed binaries, actors attempt to bypass the macOS internal Gatekeeper security application, which checks if applications are signed by a valid developer certificate before running. “

Retefe is unusual in its use of proxies to redirect victims to fake bank pages for credential theft instead of employing web injects for man-in-the-browser attacks like most banking Trojans.

Liveware, Malware authors are developing malware with a very innovative technique to infect the target and steal various personal and financial information.

You can follow us on LinkedinTwitterFacebook for daily Cybersecurity updates also you can take the Best Cybersecurity courses online to keep your self-updated.

Also Read:

WannaCry Hero Marcus Hutchins(MalwareTech) Pleads Guilty to Developing a Banking Malware

Hackers Deliver Banking Malware Through Password Protected ZIP File

Organized Cybercrime – Hacker Groups Work Together To Distribute Banking Malware Globally

Fileless Banking Malware Steals User Credentials, Outlook Contacts, and Installs Hacking Tool

Balaji
Balaji
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

Latest articles

LightSpy iOS Malware Enhanced with 28 New Destructive Plugins

The LightSpy threat actor exploited publicly available vulnerabilities and jailbreak kits to compromise iOS...

ATPC Cyber Forum to Focus on Next Generation Cybersecurity and Artificial Intelligence Issues

White House National Cyber Director, CEOs, Key Financial Services Companies, Congressional and Executive Branch...

New PySilon RAT Abusing Discord Platform to Maintain Persistence

Cybersecurity experts have identified a new Remote Access Trojan (RAT) named PySilon. This Trojan...

Konni APT Hackers Attacking Organizations with New Spear-Phishing Tactics

The notorious Konni Advanced Persistent Threat (APT) group has intensified its cyber assault on...

Free Webinar

Protect Websites & APIs from Malware Attack

Malware targeting customer-facing websites and API applications poses significant risks, including compliance violations, defacements, and even blacklisting.

Join us for an insightful webinar featuring Vivek Gopalan, VP of Products at Indusface, as he shares effective strategies for safeguarding websites and APIs against malware.

Discussion points

Scan DOM, internal links, and JavaScript libraries for hidden malware.
Detect website defacements in real time.
Protect your brand by monitoring for potential blacklisting.
Prevent malware from infiltrating your server and cloud infrastructure.

More like this

LightSpy iOS Malware Enhanced with 28 New Destructive Plugins

The LightSpy threat actor exploited publicly available vulnerabilities and jailbreak kits to compromise iOS...

New PySilon RAT Abusing Discord Platform to Maintain Persistence

Cybersecurity experts have identified a new Remote Access Trojan (RAT) named PySilon. This Trojan...

Notorious WrnRAT Delivered Mimic As Gambling Games

WrnRAT is a new malware attack that cybercriminals have deployed by using popular gambling...