Advanced Retefe Banking Malware Attack on Windows and Mac Users via Weaponized Word Documents  - RePUz1557151087 - Retefe Malware Attack on Windows & Mac Users via Word Documents

Researchers discovered a new wave of sophisticated banking malware called Retefe that targeting and Mac users financial data by routing the online banking traffic via proxy.

Retefe malware initially appeared in 2018, since then it targets victims who reside in various countries including Swiss and German especially in April .

Unlike some of the other malware that uses Tor for encryption traffic, Retelfe Malware using a proxy called Stunnel for C2 server communication that adds TLS encryption functionality to the infected system without any changes in the programs’ code.

Malware authors abusing an known as ” “Convert PDF to Plus 1.0” and add malicious python scripts that packaged as an executable script and archived with the help of UPX packing engine.

Researchers first discovered abused shareware application in a public malware repository that hosted in compromised domain http://lettercreate.com/unipdf/convert-pdf-to-word-plus[.]exe

Retefe malware Infection Process

Initially, once the victims execute the file, the executable has been unpacked, unpackaged, and decompiled.

It writes two different files (convert-pdf-to-word-plus.exe and convert-pdf-to-word-plus_driver.exe ) in the victim’s machines into the %TEMP% directory and executes them.

Researchers believe that convert-pdf-to-word-plus.exe file is a legitimate installer for the “Convert PDF to Word Plus” application and is executed as a decoy.

- rbf2 - Retefe Malware Attack on Windows & Mac Users via Word Documents

In this case, Convert-pdf-to-word-plus_driver.exe was identified as a malicious loader that drops and extract the Zip file and the stunnel from its package then decrypts and executes the main Retefe JavaScript code.

Researchers also observed that the Retefe malware being delivered through Smoke Loader via Object Linking and Embedding (OLE) package

According to Proof point research, t is not clear why Retefe’s authors have now deprecated Tor in favor of stunnel. However, we suspect that the use of a dedicated tunnel rather than Tor makes for a more secure connection because it eliminates the possibility of snooping on the hops between Tor nodes. Tor is also a “noisier” protocol and thus would be easier to detect in an enterprise environment than stunnel, which would appear as any other outbound SSL connection.

Previous Retefe malware targets the Windows hosts but the current campaigns targeting macOS using developer-signed versions of fake Adobe Installers in order to deliver their payloads.

“By using signed binaries, actors attempt to bypass the macOS internal Gatekeeper security application, which checks if applications are signed by a valid developer certificate before running. “

Retefe is unusual in its use of proxies to redirect victims to fake bank pages for credential theft instead of employing web injects for man-in-the-browser attacks like most banking Trojans.

Liveware, Malware authors are developing malware with a very innovative technique to infect the target and steal various personal and financial information.

You can also Download Free E-book to learn about complete Enterprise Security Implementation & Mitigation Steps – Download Free-Ebook Here.

You can follow us on LinkedinTwitterFacebook for daily Cybersecurity updates also you can take the Best Cybersecurity courses online to keep your self-updated.

Also Read:

WannaCry Hero Marcus Hutchins(MalwareTech) Pleads Guilty to Developing a Banking Malware

Hackers Deliver Banking Malware Through Password Protected ZIP File

Organized Cybercrime – Hacker Groups Work Together To Distribute Banking Malware Globally

Fileless Banking Malware Steals User Credentials, Outlook Contacts, and Installs Hacking Tool





Source link

No tags for this post.

LEAVE A REPLY

Please enter your comment!
Please enter your name here