Another Banking Trojan Adds Support for NSA’s EternalBlue Exploit

Another Banking Trojan Adds Support for NSA’s EternalBlue Exploit

Retefe

A third banking trojan has added support for EternalBlue, an exploit supposedly created by the NSA, leaked online by the Shadow Brokers, and the main driving force behind the WannaCry and NotPetya ransomware outbreaks.

The first banking trojans to do so were Emotet and TrickBot, back in July this year. These two banking trojans used heavy customizations of the EternalBlue exploit to spread to other computers on the same internal network, in the hunt for computers with more sensitive data, or more victims to compromise.

The updates to these two trojans seem to have inspired the creators of the Retefe banking trojan, who have now done the same.

Retefe got EternalBlue module on September 5

According to Proofpoint researchers, starting with September 5, Retefe has been using EternalBlue as part of its infection routine as well.

Its purpose is the same — to allow attackers to escalate an initial infection to other computers on the same network which expose outdated SMBv1 services.

Just like with Emotet and TrickBot, Retefe seems to have modified proof-of-concept EternalBlue exploit code posted on GitHub.

Retefe — proxy hijacking, Tor, and now EternalBlue

Seeing the Retefe group add support for EternalBlue is no surprise. Alongside Qbot, the Retefe gang prefers small-scale attacks compared to the massive shotgun spam approach that other banking trojans like TrickBot or Dridex prefer.

The Retefe gang usually targets customers of banks in countries such as Austria, Sweden, Switzerland, and Japan. The group has been active since 2013 and is also one of the few banking trojans that has a Mac alternative, detected as Dok [12].

The trojan is also unique because it doesn’t use browser hooks to inject fake login pages on top of legitimate sites. Retefe is one of the few banking trojans still active today that relies on modifying the computer’s proxy settings to redirect traffic for certain websites to clones hosted on the attackers’ servers.

Furthermore, most of these servers are stored on the Dark Web, hindering most efforts to track down the trojan’s real authors.

Retefe likes to target Swiss banks

Many believe that the Retefe group likes to focus on Swiss banks because of the potential to make larger sums of money because these banks usually cater to high-end customers and large businesses.

Because of its increased activity in Switzerland, the local CERT team has been keeping a very close eye on Retefe variants, and currently, its Retefe report is one of the most detailed available to researchers.

You can read an in-depth explanation of the Retefe infection chain for the most recent version — the one that uses EternalBlue — in this Proofpoint report here.

Leave a Reply