Once EternalBlue was released into the wild by the Shadow Brokers, it was predicted that its effects would be far-reaching. Time has proven those predictions correct, with many hacking groups around the globe adding it as yet another tool for spreading malicious payloads. In this instance, the creators of the banking Trojan Retefe have leveraged EternalBlue in order to spread between computers via unpatched and outdated SMB servers.
Earlier this year, Emotet and TrickBot were discovered by security researchers sporting highly customised versions of EternalBlue. This was at a time when the use of worms to spread malicious payloads across networks was declining, with some thinking this class of malware was dying a slow death. With the emergence of EternalBlue, new life seemed to be breathed into something thought to be a relic of the recent past. Besides worms becoming fashionable once more, the way banking Trojans were used and operated also changed. In the past, those deploying such Trojans wanted them to remain undetected for as long as possible; now it seemed they wanted to infect as many computers as possible, harvesting a vast number of credentials in a shorter space of time. One can assume this was the trade-off accepted for being easier to detect.
Historically, Retefe has relied on targeted attacks against banking institutions in Austria, Sweden, Switzerland and Japan, occasionally also targeting banking sites in the United Kingdom. Unlike Dridex and other banking Trojans that rely on webinjects to hijack online banking sessions, Retefe operates by routing traffic to and from the targeted banks through various proxy servers, often hosted on the Tor network. To make matters worse, with most of the proxy servers hosted on the Dark Web, tracking down the malware authors proves extremely difficult.
In recent campaigns, the malware has been distributed via email campaigns containing Microsoft Office documents designed to target German-language speakers. The attachments contain embedded Package Shell Objects (OLE objects) that are typically Windows Shortcut (.lnk) files. The attachments also contain an image and text encouraging the user to click on the shortcuts to run them. Some of the recent campaigns have also featured malicious macros instead of Package Shell Objects, illustrating the group's diverse skill set. Once the user opens the shortcut and accepts the security warning, a PowerShell command downloads an executable payload, which in the observed campaigns has been an executable Zip archive.
Researchers at Proofpoint observed that Retefe had been modified to include a "pseb" parameter. This parameter contains the configuration and implementation of the EternalBlue exploit, borrowing most of its code from a publicly available proof-of-concept posted on GitHub. It also contained functionality to log the installation and victim configuration details and upload them to an FTP server. This was discovered on September 5. By September 20, the "pseb:" section had been replaced with a new "pslog:" section that contained only the logging functions.
Proofpoint concluded that the group has been refining and modifying its attack vectors since 2013, and that even though it only targets Swiss banks, for instance, the potential for high-profile targets means the seriousness should not be underestimated. Swiss CERT authorities are also well aware of the dangers posed by Retefe, also referred to by them as Operation Emmental, and in their research have determined that the Retefe botnet is not big compared to other banking Trojans. All in all, it usually consists of 100 to 300 infected computers, while Retefe redirects between 10 and 90 e-banking sessions every day. Although not massive, Retefe is able to generate enough income for its authors. The small scale and targeted attack method have probably helped the group remain active for four years.
Not even Mac users are safe
Retefe also has another unique feature: the group has created a version that runs on Mac operating systems. It is called Dok, or OSX_DOK, mainly because of its malicious payload named "Dokument", keeping in line with the targeting of banking institutions in German-speaking countries like Switzerland and Austria. It uses the same method as Retefe: the infection begins with a spam email campaign carrying a file attachment named Dokument.zip, which unzips to an app named Truesteer.AppStore. When executed on the user's machine, the app deletes its original copy and shows an error message informing the user that the document couldn't be opened.
At this point the installation is not complete. In order to install successfully, the malware adds a new login item to the user's Mac named AppStore. The purpose of this login item is to make sure the installation process continues after the user reboots their Mac. Then a nag screen is displayed urging the user to install a security update; its sole purpose is to obtain the user's admin password, which the malware will use later to execute various commands without the user's knowledge, similar to how Android malware has used nag screens previously. Once Dok obtains a victim's admin password, it uses it to install the Brew package manager, and then installs the Tor client and the Socat networking utility.
Once the malware has successfully installed and gained control of the user's system, it downloads a PAC (Proxy Auto-Configuration) file and uses it to relay all the user's traffic through a proxy. At first the proxy isn't immediately visible, as all traffic is sent to a localhost URL. As with the Retefe version, the malware sets up a local server and directs that localhost URL to a Dark Web link. In the first Dok version researchers spotted, this Dark Web URL was located at paoyu7gub72lykuk.onion. Finally, it installs a new root certificate, enabling the malware to perform man-in-the-middle attacks.
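To illustrate the PAC-based redirection described above, and the proxy routing through Tor that Retefe itself relies on earlier in the article, here is an added example that is not code from the original article or from any of the research teams cited. It is a small Python checker that takes the text of a proxy auto-configuration file retrieved from a host and reports rules that send specific sites to a loopback or Tor (.onion) proxy, which is the pattern a Dok-style infection leaves behind. The sample PAC, its `.test` domains and its port number are constructed for the example and are not values from any real campaign.

```python
import re

# Constructed sample PAC modelled on the behaviour described in the article:
# selected e-banking hosts are sent to a relay on localhost, a corporate
# intranet rule uses a normal proxy, and everything else goes direct.
# Domains (.test TLD) and the port are placeholders, not real indicators.
SAMPLE_PAC = r'''
function FindProxyForURL(url, host) {
    if (shExpMatch(host, "*.ebank-example.test") ||
        dnsDomainIs(host, "login.bank-example.test")) {
        return "PROXY 127.0.0.1:5555; DIRECT";
    }
    if (dnsDomainIs(host, "intranet.corp.test")) {
        return "PROXY proxy.corp.test:8080";
    }
    return "DIRECT";
}
'''

# One "if (<condition>) { return "<proxies>" }" rule; DOTALL lets the
# condition span several lines, and the lazy match stops at the first
# closing parenthesis that is followed by the opening brace.
_RULE_RE = re.compile(r'\bif\s*\((.*?)\)\s*\{\s*return\s+"([^"]*)"', re.DOTALL)
# One entry of a PAC return string, e.g. "PROXY 127.0.0.1:5555" or "SOCKS5 h:1080".
_ENTRY_RE = re.compile(r'^(PROXY|HTTPS?|SOCKS[45]?)\s+([^\s:]+)(?::(\d+))?$', re.IGNORECASE)
# Host-matching helpers used inside a condition; we only want the pattern literal.
_HOST_TEST_RE = re.compile(
    r'\b(?:dnsDomainIs|shExpMatch|localHostOrDomainIs)\s*\(\s*host\s*,\s*"([^"]+)"\s*\)')

LOOPBACK = {"localhost", "127.0.0.1", "::1"}


def parse_proxy_entries(return_value):
    """Split a FindProxyForURL return string into (TYPE, host, port) tuples.

    DIRECT entries are dropped because they name no relay. Port is None when
    the entry gives none (the client then uses the type's default).
    """
    entries = []
    for raw in return_value.split(";"):
        raw = raw.strip()
        if not raw or raw.upper() == "DIRECT":
            continue
        m = _ENTRY_RE.match(raw)
        if m:
            kind, host, port = m.group(1).upper(), m.group(2).lower(), m.group(3)
            entries.append((kind, host, int(port) if port else None))
    return entries


def assess_pac(pac_text):
    """Return a list of findings for rules that relay traffic via loopback or Tor.

    Each finding records the proxy entry, the host patterns the rule is scoped
    to (empty if the rule matches on something other than the host name) and
    the reasons it was flagged. Rules pointing at ordinary proxies are ignored.
    """
    findings = []
    for condition, return_value in _RULE_RE.findall(pac_text):
        scoped_hosts = _HOST_TEST_RE.findall(condition)
        for kind, proxy_host, port in parse_proxy_entries(return_value):
            reasons = []
            if proxy_host in LOOPBACK:
                reasons.append("proxy on loopback: a local relay sits in the path")
            if proxy_host.endswith(".onion"):
                reasons.append("proxy is a Tor hidden service")
            if not reasons:
                continue
            if scoped_hosts:
                reasons.append("rule is scoped to specific hosts: " + ", ".join(scoped_hosts))
            label = "%s %s:%s" % (kind, proxy_host, port) if port else "%s %s" % (kind, proxy_host)
            findings.append({"proxy": label, "hosts": scoped_hosts, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in assess_pac(SAMPLE_PAC):
        print(finding["proxy"])
        for reason in finding["reasons"]:
            print("  -", reason)
```

A legitimate endpoint web filter can also listen on loopback, so a hit is a triage lead rather than a verdict. On a Mac suspected of a Dok-style infection the natural follow-ups, all using stock tools, are to confirm where the auto-proxy URL points (`networksetup -getautoproxyurl` for the active network service), to review the user's login items for the AppStore entry described above, and to list the trusted roots in the System keychain (`security find-certificate -a -p /Library/Keychains/System.keychain`) for a certificate that no administrator installed.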
Given the complex nature of both Retefe and Dok, one can see how the group has remained active since 2013. While using known methods and tools also employed by other hacker groups, Retefe's creators are able to continually refine how it operates, and with their proxy servers hosted on the Dark Net, researchers and authorities have their work cut out for them.