A new Retefe malware campaign targeting Middle East banking institutions, and affecting both Windows and Mac users, was recently discovered. The campaign added new URL patterns to the Retefe proxy auto-config (PAC) file, which hijacks network traffic when an infected host accesses a matching URL. The URL patterns in the PAC file cover the Middle East, US, Norway and Sweden.
Retefe is a banking trojan that is primarily distributed via phishing emails. Unlike most banking trojans, which employ web injects for man-in-the-browser attacks, Retefe uses proxies to redirect victims to fake bank pages for credential theft.
The trojan also installs several components, including the Tor network browser, which is used to create a proxy connection for targeting banking sites.
Retefe is known for installing a root certificate on an infected machine in order to reroute traffic. It may further change local DNS records to redirect a user and use Tor as a proxy to encrypt traffic. Like many other banking trojans, it has historically been delivered in malspam campaigns with malicious Word documents attached to the email.
The trojan makes use of a malicious proxy auto-config (PAC) file in lieu of a rogue DNS. Instead of redirecting all DNS traffic from the victim's computer, only web traffic for the domain names configured in the malicious PAC is redirected to a SOCKS proxy. The SOCKS proxy then serves a fake e-banking portal to the victim.
The PAC URL returns a different proxy configuration depending on the geolocation of the victim's IP address. If the victim's IP address was located in the UK, for example, the proxy configuration contained a list of UK financial institutions whose e-banking sessions were redirected. This technique has now been modified to target financial institutions in the Middle East, whose e-banking sessions are the ones most likely to be redirected.
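The selective redirection described above leaves a recognisable shape in a PAC file: a short list of host patterns routed to a SOCKS proxy, with everything else sent direct. The following is an added example, not code from the campaign or from the original page; it statically scans PAC text without executing it and reports which hosts on a watchlist would be proxied. The sample PAC, its hosts and port, and the watchlist are constructed placeholders.

```javascript
// Constructed sample PAC for illustration; hosts and port are placeholders.
const SAMPLE_PAC = `
function FindProxyForURL(url, host) {
  var p = "SOCKS 127.0.0.1:5555";
  if (shExpMatch(host, "*.bank.example")) return p;
  if (dnsDomainIs(host, "ebanking.example.net")) return p;
  return "DIRECT";
}`;

// Convert a shExpMatch shell glob into an anchored, case-insensitive RegExp.
function globToRegExp(glob) {
  const escaped = glob.replace(/[.+^${}()|[\]\\]/g, "\\$&");
  return new RegExp("^" + escaped.replace(/\*/g, ".*").replace(/\?/g, ".") + "$", "i");
}

// Statically audit PAC text (never executed) against hosts we care about.
function auditPac(pacText, watchlist) {
  // Literal host patterns passed to the standard PAC helpers.
  const callRe = /\b(shExpMatch|dnsDomainIs)\s*\(\s*\w+\s*,\s*["']([^"']+)["']\s*\)/g;
  const patterns = [...pacText.matchAll(callRe)].map((m) => ({ fn: m[1], pattern: m[2] }));

  // Proxy directives such as "SOCKS host:port" or "PROXY host:port".
  const proxyRe = /\b(SOCKS[45]?|PROXY)\s+([^\s"';]+)/g;
  const proxies = [...pacText.matchAll(proxyRe)].map((m) => ({ type: m[1], endpoint: m[2] }));

  const isRouted = (host) => patterns.some(({ fn, pattern }) =>
    fn === "dnsDomainIs"
      ? host.toLowerCase().endsWith(pattern.toLowerCase())
      : globToRegExp(pattern).test(host));
  const matched = watchlist.filter(isRouted);

  // Selective routing: some hosts go to a SOCKS proxy, everything else DIRECT.
  const hasDirectFallback = /["']DIRECT["']/.test(pacText);
  const usesSocks = proxies.some((p) => p.type.startsWith("SOCKS"));
  const suspicious = hasDirectFallback && usesSocks && matched.length > 0;
  return { patterns, proxies, matched, suspicious };
}

// Hypothetical watchlist: banking hosts an organisation's users rely on.
const WATCHLIST = ["login.bank.example", "ebanking.example.net", "intranet.corp.example"];
console.log(JSON.stringify(auditPac(SAMPLE_PAC, WATCHLIST), null, 2));
```

A PAC that builds its patterns at runtime yields no literals to this scan, so an empty pattern list on a non-trivial file warrants a manual look.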