Retefe Banking Trojan after Customers of UK Banks NatWest, Barclays, HSBC

Retefe Banking Trojan after Customers of UK Banks NatWest, Barclays, HSBC


Banking Trojans and ransomware are the top financial cyber threats, currently putting millions of users at risk. Besides the emergence of brand new threats, security researchers also observe already known and detected ones reemerging with updated code and capabilities.

Threat Summary

NameRetefe Banking Trojan
TypeBanking Trojan
Short DescriptionThe banking Trojan is set on a new malicious operation currently targeting UK banks
SymptomsMalicious email is sent, a fake certificate is installed claiming to be from Comodo. See article for more details
Distribution MethodSpam Emails
Detection Tool See If Your System Has Been Affected by Retefe Banking Trojan


Malware Removal Tool

User ExperienceJoin Our Forum to Discuss Retefe Banking Trojan.

Retefe banking Trojan’s intensive campaigns were detected in October 2014 and August 2015. The banker is active once again, with new updates and set of skills. Retefe’s latest campaign is targeting banking customer in the United Kingdom. The Trojan is now using fake certificates to lure potential victims in revealing their login credentials and personal details, as reported by Avast researchers.

Related: Telax 4.7 Banking Trojan

A Look into Retefe Baking Trojan’s Attack Scenario

Like in most ransomware and malware cases, the attack is triggered by the opening of a document, which has malicious and obfuscated JavaScript embedded and is sent via email. The document contains a small image with a note prompting the user to double click it so to view it better. It’s interesting that the prompt is written in German even though the Trojan is targeting English speaking users.


After the JavaScript is activated, the script will kill web browsers, install a malicious certificate and change the proxy auto-config to link to a website hosted on Tor.

Then, a short message is displayed regarding a certificate installation but it quickly disappears. Even though the certificate appears to be from Comodo, it is issued by “[email protected],” and has nothing to do with the anti-virus company.


To make the message disappear, the JavaScript document also drops and executes a powershellscript, which enumerates all the windows with class “#32770” which is “The class for a dialog box”. If the window belongs to csrss or certutil processes, BM_CLICK message is sent to them, which simulates a user clicking “Yes”.

Looking at Chrome’s HTTPS/SSL -> “Manage certificates…” menu, under “Trusted Root Certification Authorities”, we can see a certificate with a suspicious Issuer, “[email protected]”.

The certificate is located in the registry in: HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\Root\Certificates\34E6D8C4F9F4448AC7B3B713E3A093BDF78436D9

Retefe Banking Trojan Modifies the User’s Proxy Settings

While installing the root certificate claiming to be from Comodo (see above image), Retefe is also setting up a proxy connection to redirect traffic through a Tor website.

Current targets of the Trojan are customers of several UK banks:

  • NatWest, Barclays, HSBC, Santander, UlsterBank, Sainsbury’s Bank, Tesco Bank, Cahoot,

However, generic traffic going to .com and domains is also targeted.

How Can Retefe Banking Trojan Be Removed?

Considering the malicious and devastating nature of Retefe, its removal should be done via a professional anti-malware program. However, advanced users can try and remove the threat with the help of the steps below the article.

Manually delete Retefe Banking Trojan from your computer

Note! Substantial notification about the Retefe Banking Trojan threat: Manual removal of Retefe Banking Trojan requires interference with system files and registries. Thus, it can cause damage to your PC. Even if your computer skills are not at a professional level, don’t worry. You can do the removal yourself just in 5 minutes, using a malware removal tool.

1. Boot Your PC In Safe Mode to isolate and remove Retefe Banking Trojan files and objects.
2. Find malicious files created by Retefe Banking Trojan on your PC.
3. Fix registry entries created by Retefe Banking Trojan on your PC.

Automatically remove Retefe Banking Trojan by downloading an advanced anti-malware program

1. Remove Retefe Banking Trojan with SpyHunter Anti-Malware Tool
Optional: Using Alternative Anti-Malware Tools

Milena Dimitrova

An inspired writer, focused on user privacy and malicious software. Enjoys 'Mr. Robot' and fears '1984'.

More Posts - Website

Leave a Comment

Your email address will not be published. Required fields are marked *

Time limit is exhausted. Please reload CAPTCHA.

Please wait...

Subscribe to our newsletter

Want to be notified when our article is published? Enter your email address and name below to be the first to know.