Banking Trojans and ransomware are the top financial cyber threats, currently putting millions of users at risk. Alongside brand new threats, security researchers also see previously known and detected ones reemerging with updated code and capabilities.
| Name | Retefe Banking Trojan |
|---|---|
| Short Description | The banking Trojan is set on a new malicious operation currently targeting UK banks |
| Symptoms | A malicious email is sent, and a fake certificate claiming to be from Comodo is installed. See the article for more details |
| Distribution Method | Spam Emails |
Retefe banking Trojan’s intensive campaigns were detected in October 2014 and August 2015. The banker is active once again, with a new set of updates and capabilities. Retefe’s latest campaign is targeting banking customers in the United Kingdom. The Trojan is now using fake certificates to lure potential victims into revealing their login credentials and personal details, as reported by Avast researchers.
A Look into Retefe Banking Trojan’s Attack Scenario
Then, a short message is displayed regarding a certificate installation but it quickly disappears. Even though the certificate appears to be from Comodo, it is issued by “[email protected],” and has nothing to do with the anti-virus company.
Looking at Chrome’s HTTPS/SSL -> “Manage certificates…” menu, under “Trusted Root Certification Authorities”, we can see a certificate with a suspicious Issuer, “[email protected]”.
The certificate is located in the registry in: HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\Root\Certificates\34E6D8C4F9F4448AC7B3B713E3A093BDF78436D9
Retefe Banking Trojan Modifies the User’s Proxy Settings
While installing the root certificate claiming to be from Comodo, Retefe also sets up a proxy connection so that the victim’s web traffic is redirected through a Tor website.
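The two artifacts described above, a root certificate installed only in the current user’s store and a modified per-user proxy configuration, can both be audited from PowerShell. The script below is an added example and is not code from the article or from Avast; the “Comodo” display name and the issuer text containing an e-mail address come from the article, while the heuristic that a trustworthy root should also exist in the machine store, and the specific registry values read for the proxy check, are assumptions of this example.

```powershell
# Added example (not from the original article): audit the current user's
# Trusted Root store and WinINet proxy settings for the artifacts the
# article describes. Read-only; nothing is modified.

# 1. Roots installed for the current user only.
#    Legitimate roots normally live in Cert:\LocalMachine\Root; a root that
#    exists only under Cert:\CurrentUser\Root, or whose issuer contains an
#    e-mail address (as in the article), deserves a closer look. The
#    RegistryKey value mirrors the path the article gives for the certificate.
function Get-SuspiciousUserRootCerts {
    Get-ChildItem -Path Cert:\CurrentUser\Root | ForEach-Object {
        $machineCopy = Get-Item -Path "Cert:\LocalMachine\Root\$($_.Thumbprint)" -ErrorAction SilentlyContinue
        [PSCustomObject]@{
            Thumbprint     = $_.Thumbprint
            Subject        = $_.Subject
            Issuer         = $_.Issuer
            NotAfter       = $_.NotAfter
            InMachineStore = [bool]$machineCopy
            Suspicious     = (-not $machineCopy) -or ($_.Issuer -match '@')
            RegistryKey    = "HKCU:\Software\Microsoft\SystemCertificates\Root\Certificates\$($_.Thumbprint)"
        }
    } | Where-Object { $_.Suspicious }
}

# 2. Per-user WinINet proxy configuration. A proxy server entry or a PAC
#    script URL (AutoConfigURL) that the user did not set themselves is the
#    kind of change the article describes. (Which of these values Retefe
#    writes is an assumption of this example, not stated in the article.)
function Get-UserProxyConfig {
    $key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
    $p = Get-ItemProperty -Path $key
    [PSCustomObject]@{
        ProxyEnable   = $p.ProxyEnable
        ProxyServer   = $p.ProxyServer
        AutoConfigURL = $p.AutoConfigURL
        ProxyOverride = $p.ProxyOverride
    }
}

Write-Host '== Suspicious roots in the current user store =='
Get-SuspiciousUserRootCerts | Format-List
Write-Host '== Current user proxy configuration =='
Get-UserProxyConfig | Format-List
```

Run it in the affected user’s session, since both locations live under HKEY_CURRENT_USER. A root that is flagged here and matches the thumbprint shown in the article is what an analyst would confirm before removing it (for example with Remove-Item on the same Cert: path) and before clearing the proxy values, alongside the full clean-up the article recommends.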
Current targets of the Trojan are customers of several UK banks:
- NatWest, Barclays, HSBC, Santander, UlsterBank, Sainsbury’s Bank, Tesco Bank, Cahoot, IF.com
However, generic traffic going to .com and .co.uk domains is also targeted.
How Can Retefe Banking Trojan Be Removed?
Considering the malicious and devastating nature of Retefe, it should be removed with a professional anti-malware program. However, advanced users can try to remove the threat manually by following the steps below the article.