Following the massive campaigns of August 2015 and October 2014, the developers of the Retefe banking trojan have updated their code and added several new features to the malware's mode of operation.
As soon as users open the document and double-click an image embedded inside it, the JS code does two things: first it downloads and installs a rogue root certificate, then it changes the operating system's proxy auto-config settings.
Installing the root certificate triggers a popup asking the user to confirm the action, but users hardly get to see it, because Retefe uses a PowerShell script to click "Yes" in that popup automatically.
Security experts from Avast have figured out Retefe's latest trick. According to them, the popup asks the user to approve the installation of a root certificate which claims to be from Comodo. In reality, Avast explains, the certificate is issued by "email@example.com" and has nothing to do with Comodo.
While this is happening, Retefe also sets up a proxy connection that redirects some of the traffic through a Tor website.
The hackers target a handful of UK banks (NatWest, Barclays, HSBC, Santander, UlsterBank, Sainsbury's Bank, Tesco Bank, Cahoot, IF.com), as well as generic traffic to *.com and *.co.uk domains.
According to Avast, the intermediary point on the Tor network only accepts connections from a UK IP address, showing that hackers are only interested in users based in the UK.
Together, the root certificate and the proxy settings allow the attackers to route the user's traffic through their own server. This lets them detect when the user is trying to reach a banking portal and serve a fake website instead, one that appears to have a valid HTTPS connection but is in fact backed by the rogue certificate.
The cybercriminals use this position to harvest the user's login credentials via phishing pages made to look like the original banking portals.
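The two artefacts described above (a non-self-signed or e-mail-issued "root" certificate in the trusted store, and a proxy auto-config URL) are both visible from an ordinary PowerShell session. The following check is an added example written for this page, not code from Avast or from the Retefe write-up; the 30-day recency threshold and the heuristics it applies are assumptions, and a hit is a lead to investigate, not proof of infection.

```powershell
# Added defensive check (not from the Avast write-up). Lists trusted root
# certificates that look out of place and reports the per-user proxy
# auto-config URL. Heuristics and the recency threshold are assumptions.
param(
    [int]$RecentDays = 30   # assumption: roots issued in the last 30 days are worth a look
)

$stores = @('Cert:\CurrentUser\Root', 'Cert:\LocalMachine\Root')
$cutoff = (Get-Date).AddDays(-$RecentDays)

$findings = foreach ($store in $stores) {
    Get-ChildItem -Path $store | ForEach-Object {
        $reasons = @()
        # A genuine root certificate is self-signed, so Subject and Issuer match.
        # A "Comodo" subject issued by someone else is exactly the pattern above.
        if ($_.Subject -ne $_.Issuer) { $reasons += 'subject/issuer mismatch' }
        # Real CA roots do not carry an e-mail address (E=) in the issuer name.
        if ($_.Issuer -match '(^|,\s*)E=') { $reasons += 'e-mail address in issuer' }
        if ($_.NotBefore -gt $cutoff) { $reasons += "issued after $($cutoff.ToShortDateString())" }
        if ($reasons.Count -gt 0) {
            [pscustomobject]@{
                Store      = $store
                Thumbprint = $_.Thumbprint
                Subject    = $_.Subject
                Issuer     = $_.Issuer
                NotBefore  = $_.NotBefore
                Reasons    = ($reasons -join '; ')
            }
        }
    }
}

if ($findings) { $findings | Format-Table -AutoSize } else { Write-Output 'No suspicious root certificates found.' }

# Retefe points the system at a PAC file; WinINet stores that URL per user.
$inet = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$props = Get-ItemProperty -Path $inet -ErrorAction SilentlyContinue
if ($props.AutoConfigURL) {
    Write-Warning "Proxy auto-config URL is set: $($props.AutoConfigURL)"
} elseif ($props.ProxyEnable -eq 1) {
    Write-Warning "Static proxy is enabled: $($props.ProxyServer)"
} else {
    Write-Output 'No proxy auto-config URL or static proxy configured.'
}
```

The check only covers the Windows certificate store and WinINet proxy settings; Firefox keeps its own trust store and proxy configuration, so a browser-specific review is needed there.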
"This type of malware is a serious threat for unaware users, because most people trust the certificate signs on HTTPS sites and, therefore, do not verify the certificate's issuer," Avast's Jaromír Hořejší states. "This makes it easy for the Retefe banker Trojan to steal important data and money."