Retefe Banking Trojan after Customers of UK Banks NatWest, Barclays, HSBC



Banking Trojans and ransomware are the top financial cyber threats, currently putting millions of users at risk. Besides the emergence of brand new threats, security researchers also observe already known and detected ones reemerging with updated code and capabilities.

Threat Summary

Name: Retefe Banking Trojan
Type: Banking Trojan
Short Description: The banking Trojan is set on a new malicious operation currently targeting UK banks.
Symptoms: A malicious email is sent, and a fake certificate claiming to be from Comodo is installed. See the article for more details.
Distribution Method: Spam emails

Retefe banking Trojan’s intensive campaigns were detected in October 2014 and August 2015. The banker is active once again, with new updates and a new set of skills. Retefe’s latest campaign is targeting banking customers in the United Kingdom. The Trojan is now using fake certificates to lure potential victims into revealing their login credentials and personal details, as reported by Avast researchers.


A Look into Retefe Banking Trojan’s Attack Scenario

As in most ransomware and malware cases, the attack is triggered by the opening of a document sent via email, which has malicious, obfuscated JavaScript embedded. The document contains a small image with a note prompting the user to double-click it so as to view it better. Interestingly, the prompt is written in German even though the Trojan is targeting English-speaking users.


After the JavaScript is activated, the script will kill web browsers, install a malicious certificate and change the proxy auto-config to link to a website hosted on Tor.

Then, a short message is displayed regarding a certificate installation but it quickly disappears. Even though the certificate appears to be from Comodo, it is issued by “me@myhost.mydomain,” and has nothing to do with the anti-virus company.


To make the message disappear, the JavaScript document also drops and executes a PowerShell script, which enumerates all windows with class “#32770”, which is the class for a dialog box. If a window belongs to the csrss or certutil processes, a BM_CLICK message is sent to it, which simulates a user clicking “Yes”.

Looking at Chrome’s HTTPS/SSL -> “Manage certificates…” menu, under “Trusted Root Certification Authorities”, we can see a certificate with a suspicious Issuer, “me@myhost.mydomain”.

The certificate is located in the registry in: HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\Root\Certificates\34E6D8C4F9F4448AC7B3B713E3A093BDF78436D9

Retefe Banking Trojan Modifies the User’s Proxy Settings

While installing the root certificate claiming to be from Comodo (see above image), Retefe is also setting up a proxy connection to redirect traffic through a Tor website.

Current targets of the Trojan are customers of several UK banks:

  • NatWest, Barclays, HSBC, Santander, UlsterBank, Sainsbury’s Bank, Tesco Bank, Cahoot

However, generic traffic going to .com and domains is also targeted.
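The two artifacts described above, the rogue root certificate and the per-user proxy auto-config URL, can be checked for with a short triage script. This is an added example, not code from the article or from Avast; the issuer string and thumbprint are the ones quoted in the article, and matching the PAC URL against ".onion" is an assumption about how a Tor-hosted script would be referenced.

```powershell
# Added triage example (not from the article): look for the artifacts Retefe leaves behind.
$BadIssuers    = @('me@myhost.mydomain')                           # issuer quoted in the article
$BadThumbprint = '34E6D8C4F9F4448AC7B3B713E3A093BDF78436D9'        # thumbprint quoted in the article
$InetKey       = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'

function Find-SuspiciousRootCerts {
    # Cert:\CurrentUser\Root is backed by
    # HKCU\Software\Microsoft\SystemCertificates\Root\Certificates\<thumbprint>
    Get-ChildItem -Path Cert:\CurrentUser\Root | Where-Object {
        $cert = $_
        $cert.Thumbprint -eq $BadThumbprint -or
        ($BadIssuers | Where-Object { $cert.Issuer -like "*$_*" })
    }
}

function Get-UserProxyConfig {
    # WinINET per-user proxy settings; a PAC URL set here is honoured by IE, Edge and Chrome.
    $p = Get-ItemProperty -Path $InetKey -ErrorAction SilentlyContinue
    [pscustomobject]@{
        AutoConfigURL = $p.AutoConfigURL
        ProxyEnable   = $p.ProxyEnable
        ProxyServer   = $p.ProxyServer
    }
}

$certs = @(Find-SuspiciousRootCerts)
if ($certs.Count -gt 0) {
    Write-Warning "Suspicious root certificate(s) in CurrentUser\Root:"
    $certs | Format-Table Thumbprint, Subject, Issuer, NotAfter -AutoSize
    # Remediation once confirmed:  $certs | Remove-Item
} else {
    Write-Output "No root certificate matching the known issuer or thumbprint."
}

$proxy = Get-UserProxyConfig
if ($proxy.AutoConfigURL) {
    # Assumption: a Tor-hosted PAC script shows up as a .onion host (possibly via a web gateway).
    $note = if ($proxy.AutoConfigURL -match '\.onion') { ' (looks Tor-hosted)' } else { '' }
    Write-Warning "Proxy auto-config URL is set$note : $($proxy.AutoConfigURL)"
    # Remediation once confirmed:  Remove-ItemProperty -Path $InetKey -Name AutoConfigURL
} else {
    Write-Output "No proxy auto-config URL set for the current user."
}
if ($proxy.ProxyEnable -eq 1) {
    Write-Warning "Manual proxy enabled: $($proxy.ProxyServer)"
}
```

Run it in the affected user's session, since both artifacts live under HKEY_CURRENT_USER; the machine-wide stores (Cert:\LocalMachine\Root, HKLM) are worth a second pass with the same logic.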

How Can Retefe Banking Trojan Be Removed?

Considering the malicious and devastating nature of Retefe, its removal should be done via a professional anti-malware program. However, advanced users can try and remove the threat with the help of the steps below the article.


Milena Dimitrova
