Monday, July 15, 2024

Advanced Retefe Banking Malware Attack on Windows and Mac Users via Weaponized Word Documents

Researchers discovered a new wave of sophisticated banking malware called Retefe that targeting Windows and Mac users financial data by routing the online banking traffic via proxy.

Retefe malware initially appeared in 2018, since then it targets victims who reside in various countries including Swiss and German especially in April 2019.

Unlike some of the other malware that uses Tor for encryption traffic, Retelfe Malware using a proxy called Stunnel for C2 server communication that adds TLS encryption functionality to the infected system without any changes in the programs’ code.

Malware authors abusing an application known as ” “Convert PDF to Word Plus 1.0” and add malicious python scripts that packaged as an executable script and archived with the help of UPX packing engine.

Researchers first discovered abused shareware application in a public malware repository that hosted in compromised domain[.]exe

Retefe malware Infection Process

Initially, once the victims execute the file, the executable has been unpacked, unpackaged, and decompiled.

It writes two different files (convert-pdf-to-word-plus.exe and convert-pdf-to-word-plus_driver.exe ) in the victim’s machines into the %TEMP% directory and executes them.

Researchers believe that convert-pdf-to-word-plus.exe file is a legitimate installer for the “Convert PDF to Word Plus” application and is executed as a decoy.

In this case, Convert-pdf-to-word-plus_driver.exe was identified as a malicious loader that drops and extract the Zip file and the stunnel from its package then decrypts and executes the main Retefe JavaScript code.

Researchers also observed that the Retefe malware being delivered through Smoke Loader via Object Linking and Embedding (OLE) package

According to Proof point research, t is not clear why Retefe’s authors have now deprecated Tor in favor of stunnel. However, we suspect that the use of a dedicated tunnel rather than Tor makes for a more secure connection because it eliminates the possibility of snooping on the hops between Tor nodes. Tor is also a “noisier” protocol and thus would be easier to detect in an enterprise environment than stunnel, which would appear as any other outbound SSL connection.

Previous Retefe malware campaign targets the Windows hosts but the current campaigns targeting macOS using developer-signed versions of fake Adobe Installers in order to deliver their payloads.

“By using signed binaries, actors attempt to bypass the macOS internal Gatekeeper security application, which checks if applications are signed by a valid developer certificate before running. “

Retefe is unusual in its use of proxies to redirect victims to fake bank pages for credential theft instead of employing web injects for man-in-the-browser attacks like most banking Trojans.

Liveware, Malware authors are developing malware with a very innovative technique to infect the target and steal various personal and financial information.

You can follow us on LinkedinTwitterFacebook for daily Cybersecurity updates also you can take the Best Cybersecurity courses online to keep your self-updated.

Also Read:

WannaCry Hero Marcus Hutchins(MalwareTech) Pleads Guilty to Developing a Banking Malware

Hackers Deliver Banking Malware Through Password Protected ZIP File

Organized Cybercrime – Hacker Groups Work Together To Distribute Banking Malware Globally

Fileless Banking Malware Steals User Credentials, Outlook Contacts, and Installs Hacking Tool


Latest articles

Critical Cellopoint Secure Email Gateway Flaw Let Attackers Execute Arbitrary Code

A critical vulnerability has been discovered in the Cellopoint Secure Email Gateway, identified as...

Singapore Banks to Phase out OTPs for Bank Account Logins Within 3 Months

The Monetary Authority of Singapore (MAS) and The Association of Banks in Singapore (ABS)...

GuardZoo Android Malware Attacking military personnel via WhatsApp To Steal Sensitive Data

A Houthi-aligned group has been deploying Android surveillanceware called GuardZoo since October 2019 to...

ViperSoftX Weaponizing AutoIt & CLR For Stealthy PowerShell Execution

ViperSoftX is an advanced malware that has become more complicated since its recognition in...

Malicious NuGet Campaign Tricking Developers To Inject Malicious Code

Hackers often target NuGet as it's a popular package manager for .NET, which developers...

Akira Ransomware Attacking Airline Industry With Legitimate Tools

Airlines often become the target of hackers as they contain sensitive personal and financial...

DarkGate Malware Exploiting Excel Files And SMB File Shares

DarkGate, a Malware-as-a-Service (MaaS) platform, experienced a surge in activity since September 2023, employing...
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

Free Webinar

Low Rate DDoS Attack

9 of 10 sites on the AppTrana network have faced a DDoS attack in the last 30 days.
Some DDoS attacks could readily be blocked by rate-limiting, IP reputation checks and other basic mitigation methods.
More than 50% of the DDoS attacks are employing botnets to send slow DDoS attacks where millions of IPs are being employed to send one or two requests per minute..
Key takeaways include:

  • The mechanics of a low-DDoS attack
  • Fundamentals of behavioural AI and rate-limiting
  • Surgical mitigation actions to minimize false positives
  • Role of managed services in DDoS monitoring

Related Articles