Retefe Banking Trojan after Customers of UK Banks NatWest, Barclays, HSBC

Banking Trojans and ransomware are the top financial cyber threats, currently putting millions of users at risk. Besides the emergence of brand new threats, security researchers also observe already known and detected ones reemerging with updated code and capabilities.

Threat Summary

Name: Retefe Banking Trojan
Type: Banking Trojan
Short Description: The banking Trojan is running a new malicious campaign that currently targets customers of UK banks.
Symptoms: A malicious email is sent and a fake root certificate claiming to be from Comodo is installed. See the article for more details.
Distribution Method: Spam emails

Retefe banking Trojan's intensive campaigns were detected in October 2014 and August 2015. The banker is active once again, with new updates and a new set of capabilities. Retefe's latest campaign is targeting banking customers in the United Kingdom. The Trojan now uses fake certificates to lure potential victims into revealing their login credentials and personal details, as reported by Avast researchers.

Related: Telax 4.7 Banking Trojan

A Look into Retefe Banking Trojan's Attack Scenario

As in most ransomware and malware cases, the attack is triggered by opening a document sent via email, which has malicious, obfuscated JavaScript embedded in it. The document contains a small image with a note prompting the user to double-click it so as to view it better. Interestingly, the prompt is written in German even though the Trojan is targeting English-speaking users.

Image: screenshot of the malicious document (source: Avast)

After the JavaScript is activated, the script will kill web browsers, install a malicious certificate and change the proxy auto-config to link to a website hosted on Tor.

Then, a short message is displayed regarding a certificate installation but it quickly disappears. Even though the certificate appears to be from Comodo, it is issued by “[email protected],” and has nothing to do with the anti-virus company.

Image: the fake "Comodo" security certificate installed by Retefe (source: Avast)

To make the message disappear, the JavaScript document also drops and executes a PowerShell script, which enumerates all windows with class "#32770", which is "The class for a dialog box". If the window belongs to the csrss or certutil processes, a BM_CLICK message is sent to it, which simulates a user clicking "Yes".

Looking at Chrome’s HTTPS/SSL -> “Manage certificates…” menu, under “Trusted Root Certification Authorities”, we can see a certificate with a suspicious Issuer, “[email protected]”.

The certificate is located in the registry in: HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\Root\Certificates\34E6D8C4F9F4448AC7B3B713E3A093BDF78436D9

Retefe Banking Trojan Modifies the User’s Proxy Settings

While installing the root certificate claiming to be from Comodo (see above image), Retefe is also setting up a proxy connection to redirect traffic through a Tor website.

Current targets of the Trojan are customers of several UK banks:

  • NatWest, Barclays, HSBC, Santander, UlsterBank, Sainsbury’s Bank, Tesco Bank, Cahoot, IF.com

However, generic traffic going to .com and .co.uk domains is also targeted.
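The certificate and proxy changes described above leave artifacts in the current user's registry hive, which makes them straightforward to audit from a defender's side. The following PowerShell script is an added example, not code from the original article or from Avast: it enumerates the per-user root certificates under HKCU\Software\Microsoft\SystemCertificates\Root\Certificates (the key the article names) and reports the user's WinINet proxy auto-config and static proxy settings. The registry and Cert: paths are the standard Windows locations; the heuristics it applies (an e-mail address in the Issuer field, as in the fake Comodo certificate; a .onion or bare-IP PAC URL; a root that exists only in the user store) are assumptions drawn from the article's description, not from the Retefe sample itself.

```powershell
# Added example (not the article's or Avast's code): audit per-user root CAs
# and proxy auto-config on a Windows host with PowerShell 3.0 or later.
# The flag heuristics below are assumptions based on the article's description.

function Get-UserInstalledRootCert {
    # Root CAs installed by a normal user land only under this key; the
    # machine-wide roots live under HKLM and are not listed here.
    $key = 'HKCU:\Software\Microsoft\SystemCertificates\Root\Certificates'
    if (-not (Test-Path $key)) { return }           # nothing installed per-user

    foreach ($sub in Get-ChildItem -Path $key) {
        $thumb = $sub.PSChildName                   # subkey name is the SHA-1 thumbprint
        $cert  = Get-Item -Path "Cert:\CurrentUser\Root\$thumb" -ErrorAction SilentlyContinue
        $flags = @()
        if ($cert) {
            # Public CAs do not put an e-mail address in the issuer DN (assumption).
            if ($cert.Issuer -match '@') { $flags += 'email-in-issuer' }
            # A root that first became valid in the last 30 days is worth a look (assumption).
            if ($cert.NotBefore -gt (Get-Date).AddDays(-30)) { $flags += 'recent' }
        } else {
            $flags += 'no-cert-object'              # key exists but the blob could not be loaded
        }
        # A root present for this user but absent from the machine store was not
        # deployed by the OS or by an administrator.
        if (-not (Test-Path "Cert:\LocalMachine\Root\$thumb")) { $flags += 'user-only' }

        [pscustomobject]@{
            Thumbprint  = $thumb
            Subject     = if ($cert) { $cert.Subject } else { '<unreadable>' }
            Issuer      = if ($cert) { $cert.Issuer } else { '<unreadable>' }
            NotBefore   = if ($cert) { $cert.NotBefore } else { $null }
            Flags       = ($flags -join ',')
            RegistryKey = "$key\$thumb"
        }
    }
}

function Get-UserProxyState {
    # WinINet settings for the current user. AutoConfigURL holds the PAC script
    # URL; ProxyEnable/ProxyServer hold a static proxy, if any.
    $inet = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
    $s    = Get-ItemProperty -Path $inet
    $pac  = $s.AutoConfigURL
    $flags = @()
    if ($pac) {
        $flags += 'pac-set'                         # compare with what your environment expects
        if ($pac -match '\.onion')                         { $flags += 'onion-host' }   # assumption
        if ($pac -match '^https?://\d{1,3}(\.\d{1,3}){3}') { $flags += 'bare-ip' }      # assumption
        if ($pac -match '^http://')                        { $flags += 'cleartext' }
    }
    if ($s.ProxyEnable -eq 1 -and $s.ProxyServer) { $flags += 'static-proxy' }

    [pscustomobject]@{
        AutoConfigURL = $pac
        ProxyEnable   = $s.ProxyEnable
        ProxyServer   = $s.ProxyServer
        Flags         = ($flags -join ',')
    }
}

# Report. A root flagged 'user-only' with an e-mail address as issuer, together
# with a PAC URL you did not configure, matches the behaviour described above.
Get-UserInstalledRootCert | Format-Table -AutoSize
Get-UserProxyState        | Format-List

# Remediation, once a finding has been confirmed (run deliberately, not as part of the audit):
#   Remove-Item -Path "Cert:\CurrentUser\Root\<thumbprint>"
#   Remove-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings' -Name AutoConfigURL
```

Run it in the context of the affected user, since both artifacts are stored in that user's hive rather than machine-wide; an elevated session for a different account will not see them. In a managed environment a PAC URL is often legitimate, so treat 'pac-set' as something to compare against the expected value rather than as a verdict on its own.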

How Can Retefe Banking Trojan Be Removed?

Considering the malicious and devastating nature of Retefe, its removal should be done via a professional anti-malware program. However, advanced users can try and remove the threat with the help of the steps below the article.
