- The Retefe banking Trojan has returned, targeting German and Swiss victims again.
- The malicious software is propagated through an abused shareware document converter.
- On the macOS, the crooks are deploying a fake Adobe Cloud installer, signed by the developer.
Following a year of inactivity, the Retefe banking Trojan has been noticed in the wild again, and the new samples are refreshed and upgraded. The campaigns that are based on the new Retefe are targeting Swiss and German users who are running either Windows or macOS. This indicates that the hackers behind these campaigns are after hefty bank accounts and not just random people. A Proofpoint analysis of the most recent samples that were provided to them by malware researcher Jaromir Horejsi has unveiled the following key changes:
- Retefe is now using the stunnel proxy instead of Tor for its communication with the C&C server.
- The “sLoad” intermediate loader was replaced by “Smoke Loader” which is better at avoiding detection.
- The use of a shareware application named “Convert PDF to Word Plus 1.0”
The researchers have noticed an alternative path of infection as well, involving the distribution of Smoke Loader which downloads Retefe after a couple of hours. The researchers estimate that the use of stunnel instead of Tor is done on the basis of avoiding detection. Tor allows the possibility of snooping on the hops between the nodes, so a victim on an enterprise environment could potentially detect and stop the communication.
As for the macOS victims, Retefe reaches them mainly through fake Adobe Cloud product installers. The Gatekeeper security application is tricked by the fact that these malicious installers are using signed binaries by the actual developer. Those running macOS Mojave are safer thanks to additional integrity checks that are in place even for signed applications. For more details on how to handle controversial apps on macOS, check out Apple’s instructions page. For now, avoid “Convert PDF to Word Plus” and be careful with Adobe Cloud installers.