Published on May 1, 2015 13:15 UTC by GovCERT.ch. Last updated on May 14, 2019 13:52 UTC.
In July 2014, Trend Micro published a report about a threat called Retefe, an e-banking Trojan targeting financial institutions in Switzerland, Austria, Sweden and Japan. In fact, Retefe has been around since November 2013. Back then, MELANI already took appropriate action together with the affected financial institutions and ISPs in Switzerland to mitigate the threat. However, Retefe is still being distributed in recent spam campaigns targeting Swiss Internet users.
One of the most recent spam campaigns was observed yesterday: the attackers spammed Swiss Internet users from compromised email accounts at well-known email service providers such as GMX. Because the mails then leave the providers' legitimate mail servers, whose IP addresses are not blacklisted, the spammers are able to bypass DNSBL-based spam filters.
The spam themes vary, but two years after the first appearance of Retefe, the well-known online shop Zalando still appears to be the attackers' favourite brand to abuse: the mails pretend to be an invoice from Zalando Schweiz. Fortunately, Zalando did its job and publishes an SPF (Sender Policy Framework) record in its DNS, declaring that any email with a sender address at @zalando.ch or @service.zalando.ch must come from the Zalando mail servers.
If the receiving mail server is configured correctly and checks the SPF record of the sending domain, the SPF check for spam mails pretending to come from Zalando Schweiz will fail, and the receiving mail server can reject such spam at the border or give it an appropriately high spam score. One caveat: SPF is evaluated against the envelope sender (MAIL FROM), not against the From: header the recipient sees, so the displayed sender is only covered when a DMARC policy additionally requires alignment between the two.
The spam emails usually come with a compressed attachment (ZIP) containing either a malicious RTF file with an embedded .cpl file or an executable (.exe). If the user opens the attachment and executes the malicious .cpl or .exe file, Retefe is dropped on the victim's computer. While in 2014 Retefe altered the DNS settings of the victim's computer to use a rogue DNS server, the recent Retefe campaigns take advantage of a malicious web proxy server instead. To do so, Retefe changes the automatic proxy configuration (proxy PAC) setting of the victim's machine so that a web proxy configuration is fetched from a rogue web server whenever the victim starts Internet Explorer.
The URL from which Retefe fetches the web proxy configuration varies in each campaign. In the most recent version from yesterday, the proxy configuration is fetched from swissprox.eu, which is hosted at FDCservers.net in the US and has evidently been set up by the attackers themselves for the sole purpose of hosting malicious proxy PACs:
https://swissprox.eu/iutrutviucric.js
What is interesting about this proxy PAC file is that the web server serves a different proxy configuration depending on the geolocation of the victim's computer. This means that an infected computer in Switzerland, for example, will receive a different proxy configuration than an infected computer in Sweden. As mentioned earlier in this blog post, Retefe currently only targets financial institutions in Switzerland, Austria, Sweden and Japan. If you try to fetch the proxy PAC from a location that does not match one of these countries, you will get an empty proxy configuration that looks like this:
eval(function(p,a,c,k,e,d){e=function(c){return c};if(!''.replace(/^/,String)){while(c--){d[c]=k[c]||c}k=[function(e){return d[e]}];e=function(){return'\\w+'};c=1};while(c--){if(k[c]){p=p.replace(new RegExp('\\b'+e(c)+'\\b','g'),k[c])}}return p}('1 0(2,3){4"5"}',6,6,'FindProxyForURL|function|url|host|return|DIRECT'.split('|'),0,{}))
As seen in the example above, the proxy PAC is obfuscated with the well-known eval(function(p,a,c,k,e,d){...}) JavaScript packer, so what it does is not obvious at first glance. Deobfuscating it is not complicated, however: the packed script merely substitutes the word list at its end back into the numbered template string, which yields:
function FindProxyForURL(url,host) { return"DIRECT" }
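The following is an added example, not code from the GovCERT.ch post or from the Retefe sample: a Node.js script that reverses this packer offline without executing the packed script, and then evaluates the recovered FindProxyForURL against a list of URLs, which is how an analyst can list the hosts a country-specific PAC (such as the targeted variant described next) routes to the rogue proxy. The packed input is the empty PAC quoted above; the helper stand-ins (dnsDomainIs, shExpMatch, isPlainHostName), the sample URLs and the targeted PAC are constructed for the example and do not come from Retefe.

```javascript
// Added example, not code from the GovCERT.ch post or from the Retefe sample:
// an offline unpacker for the eval(function(p,a,c,k,e,d){...}) packer that
// hides the Retefe proxy PAC, plus a harness that evaluates the recovered
// FindProxyForURL against a list of URLs and reports where each host is sent.

// The empty PAC served to computers outside the targeted countries, as shown
// in the post.  String.raw keeps the backslashes exactly as served.
const PACKED_PAC = String.raw`eval(function(p,a,c,k,e,d){e=function(c){return c};if(!''.replace(/^/,String)){while(c--){d[c]=k[c]||c}k=[function(e){return d[e]}];e=function(){return'\\w+'};c=1};while(c--){if(k[c]){p=p.replace(new RegExp('\\b'+e(c)+'\\b','g'),k[c])}}return p}('1 0(2,3){4"5"}',6,6,'FindProxyForURL|function|url|host|return|DIRECT'.split('|'),0,{}))`;

// The packer replaced every identifier in the original script with its index
// in the word list, written in base `base`: digits 0-9 and a-z for values
// below 36, A-Z above that.  Rebuilding that token lets us undo the
// substitution ourselves instead of executing the packer's own code.
function tokenFor(index, base) {
  const prefix = index < base ? '' : tokenFor(Math.floor(index / base), base);
  const digit = index % base;
  return prefix + (digit > 35 ? String.fromCharCode(digit + 29) : digit.toString(36));
}

// Parse the trailing ('p',a,c,'k'.split('|'),e,{}) argument list and put the
// words back, highest index first, exactly as the packer's while(c--) loop does.
function unpackPacker(packed) {
  const m = packed.match(
    /\}\('((?:[^'\\]|\\.)*)',(\d+),(\d+),'((?:[^'\\]|\\.)*)'\.split\('\|'\),\d+,\{\}\)\)\s*;?\s*$/
  );
  if (!m) throw new Error('not a p,a,c,k,e,d packed script');
  let source = m[1].replace(/\\(.)/g, '$1'); // undo the \' and \\ escaping inside p
  const base = Number(m[2]);
  let count = Number(m[3]);
  const words = m[4].split('|');
  while (count--) {
    if (words[count]) {
      const token = new RegExp('\\b' + tokenFor(count, base) + '\\b', 'g');
      source = source.replace(token, words[count]);
    }
  }
  return source;
}

// Stand-ins for the PAC helper functions a browser would provide; a malicious
// PAC typically matches its target hosts with one of these.
const pacHelpers = {
  dnsDomainIs: (host, domain) => host.endsWith(domain),
  isPlainHostName: (host) => !host.includes('.'),
  shExpMatch: (str, shexp) => {
    const re = shexp.replace(/[.+^${}()|[\]\\]/g, '\\$&').replace(/\*/g, '.*').replace(/\?/g, '.');
    return new RegExp('^' + re + '$').test(str);
  },
};

// Evaluate an (already unpacked and reviewed) PAC against candidate URLs and
// return a host -> proxy-string map.  This step does run the PAC's code via
// the Function constructor, so only do it with a script you have read, and
// inside an analysis VM for anything taken from a live infection.
function routesFor(pacSource, urls) {
  const names = Object.keys(pacHelpers);
  const factory = new Function(...names, pacSource + '\nreturn FindProxyForURL;');
  const findProxyForURL = factory(...names.map((n) => pacHelpers[n]));
  const routes = {};
  for (const url of urls) {
    const host = new URL(url).hostname;
    routes[host] = findProxyForURL(url, host);
  }
  return routes;
}

// Constructed inputs for the harness: two made-up e-banking URLs and a PAC of
// the shape the post describes for targeted countries (a target list routed
// to a proxy, everything else DIRECT).  Neither is taken from Retefe.
const SAMPLE_URLS = ['https://www.example-bank.ch/login', 'https://ebanking.example.se/'];
const SAMPLE_TARGETED_PAC = `function FindProxyForURL(url, host) {
  if (dnsDomainIs(host, ".example-bank.ch") || shExpMatch(host, "*.example-bank.se")) {
    return "PROXY 203.0.113.10:443";
  }
  return "DIRECT";
}`;

// Stand-alone run: the unpacked empty PAC routes everything DIRECT; the
// constructed targeted PAC sends only the listed bank to the proxy.
const unpackedPac = unpackPacker(PACKED_PAC);
console.log(unpackedPac);
console.log(routesFor(unpackedPac, SAMPLE_URLS));
console.log(routesFor(SAMPLE_TARGETED_PAC, SAMPLE_URLS));
```

Run it with node. The unpacking step parses the packer's argument list with a regular expression and never calls eval, whereas routesFor() does execute the recovered PAC through the Function constructor, so reserve that step for scripts you have already read. The tokenFor() encoding also covers the more common base-62 variant of the packer, where tokens such as A or 1a appear in the template instead of plain digits.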
If the victim's computer is located in one of the countries targeted by Retefe, the proxy PAC looks different: it contains a target list of financial institutions in the victim's country whose web traffic is to be redirected to a malicious web proxy (currently 11 targets for Sweden and 11 targets for Switzerland). If the victim uses a Retefe-infected computer for e-banking, the web browser therefore connects to the rogue proxy server instead of the bank's e-banking server. But there is one problem for the attackers: since all financial institutions in Switzerland use SSL encryption for their e-banking, the attackers had to find a way to bypass it. For this purpose, Retefe installs a rogue Certificate Authority (CA) certificate into the trusted root certificate store of the current user (note the -user option: no administrative privileges are needed for this) when infecting a computer:
certutil -addstore -f -user ROOT C:\ProgramData\\cert529619.der
... where cert529619.der is the malicious CA certificate dropped by Retefe. Because the certificate is added to the current user's root store, Windows prompts the user with a Security Warning asking whether to install it:
The rogue CA certificate pretends to come from VeriSign by using the same OU and CN as the legitimate CA certificate. Only the subject fields match, however: the key, serial number and thumbprint differ from the genuine VeriSign root, and those are the fields any check for this certificate should compare.
The first CA certificate is the rogue one while the second is the legitimate one:
Using this technique, the hackers can issue any SSL certificate they like for any website, and the victim's web browser will accept it since the rogue CA is trusted by the victim's computer. The web browser will not display any security warning, and the victim will believe they are connected to their bank's e-banking service.
To summarize: not much has changed in the modus operandi of Retefe since 2014. Retefe still uses more or less the same themed spam emails to distribute itself in Switzerland. On the technical side, Retefe still uses a rogue CA certificate to avoid SSL security warnings on an infected machine. However, Retefe has moved away from altering the victim's DNS settings to using a malicious proxy configuration to redirect the victim to a fake e-banking portal.
MELANI/GovCERT.ch closely monitors Retefe and takes appropriate actions together with the financial institutions and the ISPs in Switzerland in order to mitigate the threat as much as possible.
MELANI/GovCERT.ch makes the following recommendations to mitigate the Retefe threat:
If you suspect your computer is infected with Retefe:
PS: When infecting a computer, Retefe fetches a PNG from a remote server using Windows PowerShell (in this case https://www.easycounter.com/counter.php?mvtyiortiyoxirt). This appears to serve as an infection counter for the attackers. If you visit this URL in a web browser, you will see the number of computers Retefe has infected in this campaign (58 as of 1 May 2015).
Sample MD5: 089dbefc547cb23ae99d3cc3b0f52f53
Sample SHA256: 5a937c60cf4b33c1e0635952813022d6befaece4b9d71b5010016d3f21d9ae35