Saturday, April 13, 2024

Advanced Retefe Banking Malware Attack on Windows and Mac Users via Weaponized Word Documents

Researchers discovered a new wave of sophisticated banking malware called Retefe that targeting Windows and Mac users financial data by routing the online banking traffic via proxy.

Retefe malware initially appeared in 2018, since then it targets victims who reside in various countries including Swiss and German especially in April 2019.

Unlike some of the other malware that uses Tor for encryption traffic, Retelfe Malware using a proxy called Stunnel for C2 server communication that adds TLS encryption functionality to the infected system without any changes in the programs’ code.

Malware authors abusing an application known as ” “Convert PDF to Word Plus 1.0” and add malicious python scripts that packaged as an executable script and archived with the help of UPX packing engine.

Researchers first discovered abused shareware application in a public malware repository that hosted in compromised domain[.]exe

Retefe malware Infection Process

Initially, once the victims execute the file, the executable has been unpacked, unpackaged, and decompiled.

It writes two different files (convert-pdf-to-word-plus.exe and convert-pdf-to-word-plus_driver.exe ) in the victim’s machines into the %TEMP% directory and executes them.

Researchers believe that convert-pdf-to-word-plus.exe file is a legitimate installer for the “Convert PDF to Word Plus” application and is executed as a decoy.

In this case, Convert-pdf-to-word-plus_driver.exe was identified as a malicious loader that drops and extract the Zip file and the stunnel from its package then decrypts and executes the main Retefe JavaScript code.

Researchers also observed that the Retefe malware being delivered through Smoke Loader via Object Linking and Embedding (OLE) package

According to Proof point research, t is not clear why Retefe’s authors have now deprecated Tor in favor of stunnel. However, we suspect that the use of a dedicated tunnel rather than Tor makes for a more secure connection because it eliminates the possibility of snooping on the hops between Tor nodes. Tor is also a “noisier” protocol and thus would be easier to detect in an enterprise environment than stunnel, which would appear as any other outbound SSL connection.

Previous Retefe malware campaign targets the Windows hosts but the current campaigns targeting macOS using developer-signed versions of fake Adobe Installers in order to deliver their payloads.

“By using signed binaries, actors attempt to bypass the macOS internal Gatekeeper security application, which checks if applications are signed by a valid developer certificate before running. “

Retefe is unusual in its use of proxies to redirect victims to fake bank pages for credential theft instead of employing web injects for man-in-the-browser attacks like most banking Trojans.

Liveware, Malware authors are developing malware with a very innovative technique to infect the target and steal various personal and financial information.

You can follow us on LinkedinTwitterFacebook for daily Cybersecurity updates also you can take the Best Cybersecurity courses online to keep your self-updated.

Also Read:

WannaCry Hero Marcus Hutchins(MalwareTech) Pleads Guilty to Developing a Banking Malware

Hackers Deliver Banking Malware Through Password Protected ZIP File

Organized Cybercrime – Hacker Groups Work Together To Distribute Banking Malware Globally

Fileless Banking Malware Steals User Credentials, Outlook Contacts, and Installs Hacking Tool


Latest articles

Alert! Palo Alto RCE Zero-day Vulnerability Actively Exploited in the Wild

In a recent security bulletin, Palo Alto Networks disclosed a critical vulnerability in its...

6-year-old Lighttpd Flaw Impacts Intel And Lenovo Servers

The software supply chain is filled with various challenges, such as untracked security vulnerabilities...

Hackers Employ Deepfake Technology To Impersonate as LastPass CEO

A LastPass employee recently became the target of an attempted fraud involving sophisticated audio...

Sisence Data Breach, CISA Urges To Reset Login Credentials

In response to a recent data breach at Sisense, a provider of data analytics...

DuckDuckGo Launches Privacy Pro: 3-in-1 service With VPN

DuckDuckGo has launched Privacy Pro, a new subscription service that promises to enhance user...

Cyber Attack Surge by 28%:Education Sector at High Risk

In Q1 2024, Check Point Research (CPR) witnessed a notable increase in the average...

Midnight Blizzard’s Microsoft Corporate Email Hack Threatens Federal Agencies: CISA Warns

The Cybersecurity and Infrastructure Security Agency (CISA) has issued an emergency directive concerning a...
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

Top 3 SME Attack Vectors

Securing the Top 3 SME Attack Vectors

Cybercriminals are laying siege to small-to-medium enterprises (SMEs) across sectors. 73% of SMEs know they were breached in 2023. The real rate could be closer to 100%.

  • Stolen credentials
  • Phishing
  • Exploitation of vulnerabilities

Related Articles