
Retefe Banking Trojan Resurfaces with New Features

A new variant of the Retefe banking trojan has been spotted in recent campaigns targeting online banking users in Switzerland and Germany. The upgraded malware is delivered via malspam carrying a zipped JavaScript attachment. Opening the attachment runs a Python script that downloads a decoy application called "Convert PDF to Word Plus 1.0" together with the Retefe loader. Besides installing Retefe, the loader also extracts the 7-Zip file compression software and an open source tool called STunnel to maintain persistence on the compromised host. In some campaigns, a Word attachment containing a malicious Object Linking and Embedding (OLE) package is used to deliver Smoke Loader, which in turn installs Retefe. Unlike most banking trojans, which use web injections for man-in-the-browser attacks, Retefe uses proxies to redirect victims to fake bank pages for credential theft.
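As an added, defender-side example that is not part of the original article: a mail-gateway triage check for the two delivery vectors described above, a zipped script attachment and a Word document carrying an embedded OLE package. It assumes Office Open XML input (.docx/.docm, which store OLE packages under word/embeddings/), and the function names and sample files are constructed for illustration.

```python
import io
import zipfile
from typing import Dict, List

# Script extensions worth flagging when they arrive inside a zip attachment.
SCRIPT_EXTS = (".js", ".jse", ".vbs", ".wsf", ".hta")


def inspect_attachment(name: str, data: bytes) -> List[str]:
    """Return triage findings for one mail attachment (file name + raw bytes)."""
    findings: List[str] = []
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return findings  # only zip-based containers are handled here
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        members = zf.namelist()
    lower = name.lower()
    if lower.endswith(".zip"):
        scripts = [m for m in members if m.lower().endswith(SCRIPT_EXTS)]
        if scripts:
            findings.append("zipped script attachment: " + ", ".join(scripts))
    elif lower.endswith((".docx", ".docm")):
        # OOXML keeps embedded OLE packages as word/embeddings/oleObjectN.bin
        ole = [m for m in members if m.startswith("word/embeddings/")]
        if ole:
            findings.append("Word document with embedded OLE package(s): " + ", ".join(ole))
    return findings


def build_zip(entries: Dict[str, bytes]) -> bytes:
    """Build an in-memory zip from {member name: content} for the constructed samples."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for member, content in entries.items():
            zf.writestr(member, content)
    return buf.getvalue()


# Constructed samples (not real campaign artifacts): a zipped .js, a docx with
# an OLE package, and a clean docx for comparison.
SAMPLE_ZIP = build_zip({"invoice.js": b"// placeholder"})
SAMPLE_DOCX = build_zip({"[Content_Types].xml": b"<Types/>",
                         "word/document.xml": b"<w:document/>",
                         "word/embeddings/oleObject1.bin": b"\x00"})
CLEAN_DOCX = build_zip({"[Content_Types].xml": b"<Types/>",
                        "word/document.xml": b"<w:document/>"})

if __name__ == "__main__":
    for fname, blob in [("invoice.zip", SAMPLE_ZIP), ("order.docx", SAMPLE_DOCX), ("memo.docx", CLEAN_DOCX)]:
        print(fname, inspect_attachment(fname, blob) or ["no findings"])
```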

[1] 2019: The Return of Retefe

Ensign InfoSecurity Singapore