Researchers discovered a new wave of sophisticated banking malware called Retefe that targeting Windows and Mac users financial data by routing the online banking traffic via proxy.
Retefe malware initially appeared in 2018, since then it targets victims who reside in various countries including Swiss and German especially in April 2019.
Unlike some of the other malware that uses Tor for encryption traffic, Retelfe Malware using a proxy called Stunnel for C2 server communication that adds TLS encryption functionality to the infected system without any changes in the programs’ code.
Malware authors abusing an application known as ” “Convert PDF to Word Plus 1.0” and add malicious python scripts that packaged as an executable script and archived with the help of UPX packing engine.
Researchers first discovered abused shareware application in a public malware repository that hosted in compromised domain http://lettercreate.com/unipdf/convert-pdf-to-word-plus[.]exe
Retefe malware Infection Process
Initially, once the victims execute the file, the executable has been unpacked, unpackaged, and decompiled.
It writes two different files (convert-pdf-to-word-plus.exe and convert-pdf-to-word-plus_driver.exe ) in the victim’s machines into the %TEMP% directory and executes them.
Researchers believe that convert-pdf-to-word-plus.exe file is a legitimate installer for the “Convert PDF to Word Plus” application and is executed as a decoy.
Researchers also observed that the Retefe malware being delivered through Smoke Loader via Object Linking and Embedding (OLE) package
According to Proof point research, t is not clear why Retefe’s authors have now deprecated Tor in favor of stunnel. However, we suspect that the use of a dedicated tunnel rather than Tor makes for a more secure connection because it eliminates the possibility of snooping on the hops between Tor nodes. Tor is also a “noisier” protocol and thus would be easier to detect in an enterprise environment than stunnel, which would appear as any other outbound SSL connection.
Previous Retefe malware campaign targets the Windows hosts but the current campaigns targeting macOS using developer-signed versions of fake Adobe Installers in order to deliver their payloads.
“By using signed binaries, actors attempt to bypass the macOS internal Gatekeeper security application, which checks if applications are signed by a valid developer certificate before running. “
Retefe is unusual in its use of proxies to redirect victims to fake bank pages for credential theft instead of employing web injects for man-in-the-browser attacks like most banking Trojans.
Liveware, Malware authors are developing malware with a very innovative technique to infect the target and steal various personal and financial information.