A malicious program called Retefe specializes in compromising users of various banks, including Tesco Bank, whose customers were recently hit by a massive account compromise. Cybercriminals use Retefe to steal online banking credentials, which can then be used to perform fraudulent transactions.
According to the BBC news portal, over the weekend there were about 40 thousand suspicious banking transactions, and half of them were illegal withdrawals of funds. Later, representatives of Tesco Bank confirmed that about 9 thousand bank customers were affected by the compromise.
Tesco Bank's security experts decided to temporarily block transactions made through online banking. At the same time, other functions available to the bank's customers, such as cash withdrawals, payments using the card chip and PIN, and other bill payment operations, remained active.
Analysis of the malware samples by ESET analysts shows that it targets banks from a rather long list of countries. The malicious campaign began at least as early as February 2016. Retefe had already been actively used by attackers before this campaign, but they spread it using other methods.
When a user on a compromised system attempts to connect to one of the online banking systems on the malware's target list, Retefe modifies the web page of the online banking site and tries to steal the user's login credentials.
The initial infection occurs through a JavaScript file, detected by ESET antivirus products as JS/Retefe. The attackers distribute it as an e-mail attachment disguised as an invoice, order notification, etc. After launch, it installs several of its components into the system, including the Tor anonymity network service. These malicious components are used to configure a proxy server for connections to banking websites.
When a user attempts to access an online banking site, they are silently redirected to a fake copy of this website. Retefe also adds a fake root digital certificate to the system that is disguised as legitimate: the fake details claim that the certificate was issued by the well-known Comodo certification authority. This technique greatly complicates the detection of malicious activity by the user. It is clear that this problem has nothing to do with the security of any particular bank.

The malware can compromise all major web browsers, including Internet Explorer, Mozilla Firefox and Google Chrome. In some cases, Retefe tried to convince the user to install a mobile component, detected by ESET antivirus products as Android/Spy.Banker.EZ. This mobile component is used to bypass two-factor authentication (2FA). Below are screenshots of this mobile component.



ESET analysts have also analyzed another variant of the malware, detected as JS/Retefe.B. This modification uses a rather cumbersome method of reaching the Tor anonymity network: instead of using the Tor network directly, it goes through the Tor2Web service.
Retefe came under the lens of antivirus researchers earlier, when at the beginning of this year the malware was actively used to compromise UK banks. Since then, its authors have added a mobile component and expanded the list of targets.
Checking the system for infection
Users of the online banking services listed below are advised to manually check for the following indicators of compromise, or to use the following ESET web page for verification.
One indicator of compromise is the presence of a fake root digital certificate allegedly issued by the Comodo certification authority. In this case, the e-mail address of the issuer is me@myhost.mydomain.
For the Mozilla Firefox web browser, open the certificate manager.

For other web browsers, the presence of the certificate can be checked using the Microsoft Management Console (MMC).

We observed two such fake certificates; their details are presented below.
Serial number: 00:A6:1D:63:2C:58:CE:AD:C2
Valid from: Tuesday, July 05, 2016
Expires: Friday, July 03, 2026
Issuer: me@myhost.mydomain, COMODO Certification Authority

Serial number: 00:97:65:C4:BF:E0:AB:55:68
Valid from: Monday, February 15, 2016
Expires: Thursday, February 12, 2026
Issuer: me@myhost.mydomain, COMODO Certification Authority
Another indicator of compromise is the presence on the system of a malicious Proxy Auto-Configuration (PAC) script that points to an .onion domain using the following URL pattern.
hxxp://%onionDomain%/%random%.js?ip=%publicIP%
Here the %onionDomain% variable is an onion domain arbitrarily selected from the configuration file, %random% is a string of eight characters from the alphabet A-Za-z0-9, and %publicIP% is a public IP address. An example of such a link is presented below.
hxxp://e4loi7gufljhzfo4.onion.link/xvsP2YiD.js?ip=100.10.10.100
A further indicator of compromise is the presence on the user's Android device of the malware Android/Spy.Banker.EZ.
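An added example (not from the original article or from ESET) that checks the two host-based indicators described above in Python: the PAC URL pattern, including the Tor2Web form used by JS/Retefe.B, and the two certificate serial numbers together with the me@myhost.mydomain issuer. The sample PAC body is constructed; accepting 56-character onion names and any Tor2Web suffix is an assumption beyond what the article shows.

```python
import re
from ipaddress import ip_address

# Constructed sample PAC body (not a real Retefe script) containing a URL in the
# documented form hxxp://%onionDomain%/%random%.js?ip=%publicIP%.
SAMPLE_PAC = """
function FindProxyForURL(url, host) {
    var cfg = "http://e4loi7gufljhzfo4.onion.link/xvsP2YiD.js?ip=100.10.10.100";
    return "PROXY 127.0.0.1:5555; DIRECT";
}
"""

# Host: 16-char (v2) or 56-char (v3, assumed) onion name, optionally followed by a
# Tor2Web suffix such as .onion.link (JS/Retefe.B); then an eight-character
# [A-Za-z0-9] script name, ".js" and the "?ip=" query parameter.
PAC_URL_RE = re.compile(
    r"https?://(?P<host>(?:[a-z2-7]{16}|[a-z2-7]{56})\.onion(?:\.[a-z]+)?)/"
    r"(?P<script>[A-Za-z0-9]{8})\.js\?ip=(?P<ip>\d{1,3}(?:\.\d{1,3}){3})"
)

def find_retefe_pac_urls(pac_text):
    """Return (host, script, ip) for every URL in a PAC body that matches the pattern."""
    hits = []
    for m in PAC_URL_RE.finditer(pac_text):
        try:
            ip = ip_address(m.group("ip"))  # rejects octets above 255
        except ValueError:
            continue
        hits.append((m.group("host"), m.group("script"), str(ip)))
    return hits

KNOWN_ISSUER_EMAIL = "me@myhost.mydomain"

def normalize_serial(serial):
    """Strip separators and case, and drop the leading 00 sign byte some tools omit."""
    return re.sub(r"[^0-9A-Fa-f]", "", serial).upper().lstrip("0")

# The two serial numbers reported above, in normalized form.
KNOWN_SERIALS = {normalize_serial(s) for s in
                 ("00:A6:1D:63:2C:58:CE:AD:C2", "00:97:65:C4:BF:E0:AB:55:68")}

def check_certificate(issuer, serial):
    """Return the IoC matches for one root certificate's issuer string and serial."""
    findings = []
    if KNOWN_ISSUER_EMAIL in issuer.lower():
        findings.append("issuer e-mail " + KNOWN_ISSUER_EMAIL)
    if normalize_serial(serial) in KNOWN_SERIALS:
        findings.append("known Retefe serial number")
    return findings
```

Feed the functions the contents of the PAC file referenced by the browser or system proxy settings and the issuer/serial of each certificate in the trusted root store; a non-empty result is a hit on one of the indicators above.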
If a system is infected by the Retefe malware, take the following steps to eliminate the infection.
1. If you used one of the online banking systems targeted by the malware, change the password for your online banking account and check your bank account for illegitimate transactions.
2. Remove the Proxy Auto-Configuration (PAC) script from the system.
3. Remove the above-mentioned digital certificates from the system.
4. As proactive protection, use a reliable security tool with a function for securing online banking operations.
Below is a list of online banking websites that Retefe aims to compromise.