
Severity: HIGH

RETEFE MALWARE CAMPAIGN TARGETING THE MIDDLE EAST

Reference: CTM-ADV-0420 Date: 29 April 2020 Category: Malware

THREAT TARGETS:
● Financial Institutions
● Banking Customers

POSSIBLE IMPACTS:
● Compromise of financial credentials & confidential data
● Compromise of user data
● Financial, Reputational loss

TARGET AUDIENCE FOR CIRCULATION:
● Administrators of internet facing infrastructure services
● IT security team, Management & Staff
● Banking Customers

A new Retefe malware campaign targeting Middle East banking institutions, affecting both Windows and Mac users, was recently discovered. The campaign added new URL patterns to the Retefe proxy auto-config (PAC) file so that network traffic to those URLs is hijacked when accessed by an infected host. The URL patterns in the PAC file cover banks in the Middle East, the US, Norway and Sweden.

Retefe is a banking trojan that is primarily distributed via phishing. Unlike most banking trojans, which employ web injects for man-in-the-browser attacks, Retefe uses proxies to redirect victims to fake bank pages for credential theft.

● The phishing emails that distribute Retefe include malicious JavaScript code which is designed to install a rogue root certificate and change the OS's proxy auto-config settings.
● The trojan also installs several components, including the network browser, which is used to create a proxy connection for targeting banking sites.

Retefe is best known for its method of installing a root certificate on an infected machine to reroute traffic. It may further change local DNS records to redirect a user and use Tor as a proxy to encrypt traffic. Like many other banking trojans, it was historically delivered in malspam campaigns with malicious Word documents attached.

The Trojan makes use of a malicious proxy auto-config (PAC) in lieu of a rogue DNS. Instead of redirecting the whole DNS traffic of the victim’s computer, only web traffic for certain domain names configured in the malicious PAC would get redirected to a SOCKS proxy. The SOCKS proxy then serves a fake e-banking portal to the victim.

Copyright ©2020 CTM360® www.ctm360.com 1 كلنا_فريق_البحرين# staysafe#


Based on the geolocation of the victim’s IP address, the proxy PAC URL returns a different proxy configuration. If the victim’s IP address was located in the UK, for example, the proxy configuration contained a list of UK financial institutions for which e-banking sessions were redirected. This technique has now been modified to target financial institutions in the Middle East, for which e-banking sessions are most likely to be redirected.

Recommendations:
● Ensure that antivirus programs and their signatures are up to date.
● Be careful when adding CA certificates to the Windows trusted certificate store.
● Do not open any email attachments from suspicious or unknown senders.
● Do not install any 3rd party apps on your mobile phone, even when you are requested to do so.
● Always use the official App Store (Apple App Store / Play Store) to download apps.
● Block the download of archive files (such as ZIP or RAR) that contain JavaScript code on your web gateway (Web-Proxy).
● Evaluate the SPF record for domain names that intend to send emails to your users. Reject emails whose sender IP address does not match the sending domain's SPF record.
● Implement an SPF record for your own domain names to prevent miscreants from spoofing emails pretending to come from your domain (outbound mail).
● Use DKIM (Domain Keys Identified Mail) and DMARC (Domain-based Message Authentication, Reporting & Conformance) for in-bound spam filtering (inbound mail).
● Sign outgoing emails from your network to the internet with DKIM and DMARC.

To ensure a machine has not been infected with Retefe:
● Check the proxy PAC configuration (Internet Options -> Connections -> LAN settings).
● Check the DNS configuration of your computer (Ethernet Properties -> Internet Protocol Version 4 -> Properties).
● Check your trusted certificate store (run -> certmgr.msc -> Trusted Root Certification Authorities -> Certificates).
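To support the PAC check above, and to make the selective-redirection behaviour described earlier concrete, the following Python script (an added example, not part of the CTM360 advisory) scans a PAC file's text for proxy return statements and the host patterns that trigger them, flagging any proxy endpoint that is not on an approved list. The sample PAC, its hostnames and the proxy address are constructed for illustration.

```python
import re

# Constructed sample PAC, modelled on the behaviour described in the advisory:
# a few e-banking hostnames are sent to a SOCKS proxy, everything else is DIRECT.
SAMPLE_PAC = r"""
function FindProxyForURL(url, host) {
    if (shExpMatch(host, "*.examplebank.test") ||
        shExpMatch(host, "ebanking.example-bank.test") ||
        dnsDomainIs(host, ".onlinebank.test")) {
        return "SOCKS5 127.0.0.1:5555";
    }
    return "DIRECT";
}
"""

# Proxy directives a PAC can return; DIRECT is deliberately excluded.
PROXY_RE = re.compile(r'return\s*"(SOCKS[45]?|PROXY|HTTPS)\s+([^"\s]+)"')
# Host-matching helpers commonly used to select which sites get proxied.
MATCH_RE = re.compile(r'(shExpMatch|dnsDomainIs)\s*\(\s*host\s*,\s*"([^"]+)"')


def analyze_pac(pac_text):
    """Return (proxies, patterns): the non-DIRECT proxy endpoints named in the
    PAC and the host patterns it matches on. This is a text heuristic, not a
    JavaScript engine, so obfuscated PAC files still need manual review."""
    proxies = PROXY_RE.findall(pac_text)
    patterns = [pattern for _, pattern in MATCH_RE.findall(pac_text)]
    return proxies, patterns


def is_suspicious(pac_text, approved_proxies=()):
    """Flag a PAC that routes any traffic to a proxy endpoint outside the
    organisation's approved list (a loopback SOCKS endpoint is a strong signal
    that only selected banking traffic is being diverted)."""
    proxies, _ = analyze_pac(pac_text)
    return any(endpoint not in approved_proxies for _, endpoint in proxies)


if __name__ == "__main__":
    found_proxies, found_patterns = analyze_pac(SAMPLE_PAC)
    print("Proxy endpoints:", found_proxies)
    print("Host patterns routed through them:", found_patterns)
    print("Suspicious:", is_suspicious(SAMPLE_PAC))
```

On a Windows host the PAC text to feed into analyze_pac comes from the AutoConfigURL shown under LAN settings; an empty pattern list with a non-DIRECT proxy still deserves a look, since the script only recognises the two most common host-matching helpers.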

Recently identified Indicators of Compromise (IOCs):
● b87126def6a819ea601ece1ab02447f3
● 64348d01be145a8c7489d37532bedacd
● ecc61634964a48947a3d69ff6cc70d48
● e1ee4bc1011084d38f0f6b96464cf9db
● 257705910fc9b56d9771b8b91ef58820
● 9c2d8923d503112151e7b248bf505a45
● 0a825a3d2b195fe4af6b600800adc447
IOCs reference source: VirusTotal

References:
● ://www.proofpoint.com/us/threat-insight/post/2019-return-retefe
● https://threatpost.com/retefe-banking-trojan-tor/144336/
● https://medium.com/cyber-journal/retefe-trojan-evolves-to-use--encrypted-tunneling-mechanism-for-secure-communication-870e488c3d0c

Disclaimer The information contained in this document is meant to provide general guidance and brief information to the intended recipient pertaining to the incident and recommended action. Therefore, this information is provided "as is" without warranties of any kind, express or implied, including accuracy, timeliness, and completeness. Consequently, under NO condition shall CTM360®, its related partners, directors, principals, agents or employees be liable for any direct, indirect, accidental, special, exemplary, punitive, consequential or other damages or claims whatsoever including, but not limited to: loss of data, loss in profits/business, network disruption…etc., arising out of or in connection with this advisory.

For more information: Email: [email protected] Tel: (+973) 77 360 360
