Based on our telemetry, customers (mainly in the region of Switzerland and Germany) are being targeted by a Retefe banking trojan campaign that uses both Windows and macOS-based attachments. The massive spam run started earlier this week and peaked yesterday afternoon (Helsinki time).
Trend Micro published a good write-up on this threat earlier this week. The new campaign, which started yesterday, comes with some updates to the malware payload.
Instead of storing the installation strings and the Onion proxy domain in the binary as plain text, the authors made an effort to hide the interesting strings by XORing them with 0xFF.
The spam message looks like it comes from “Mein A1” (info@ at various .ch domains), with subject lines such as “Ihre Rechnung #123456-AB123456 vom 13/07/2017”. The mail itself is (signed) by A1 Telekom Austria AG. It carries two attachments: a zipped Mach-O application and a .xlsx or .docx document. The first attachment targets macOS systems, whereas the document installs the malware on Windows systems.
The mail itself gives the victim no social engineering cue as to which file to open; moreover, an Austrian telecom company sending documents related to Swiss International Airlines is probably more confusing than intriguing.
The text in the document claims that double-clicking opens a larger view of the image; in fact, it runs the malware.
Though the malware mainly targets Switzerland (.ch domains), we also found a target configuration for Austrian banks.
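To illustrate the obfuscation described above, here is an added analysis helper (not code from the original post or from the malware): it XORs a byte region with 0xFF and reports the printable strings that appear only after decoding. The sample blob and the install path and .onion name inside it are constructed placeholders, not real indicators.

```python
import re
import string

# Constructed sample strings standing in for the kind of data the post
# describes (an install path and an Onion proxy domain); purely hypothetical.
PLAIN_SAMPLES = [
    b"/Library/LaunchAgents/example.plist",  # hypothetical install path
    b"exampleonionaddr.onion",               # placeholder .onion host
]

# Bytes we accept as part of a decoded string (printable ASCII minus whitespace controls).
PRINTABLE = set(string.printable.encode()) - set(b"\t\n\r\x0b\x0c")


def xor_ff(data: bytes) -> bytes:
    """XOR every byte with 0xFF; applying it twice returns the input."""
    return bytes(b ^ 0xFF for b in data)


def build_sample_blob() -> bytes:
    """Simulate a binary region: filler bytes surrounding the XORed strings."""
    filler = b"\x00\x10\x7f\x90\x01\x02"
    blob = filler
    for s in PLAIN_SAMPLES:
        blob += xor_ff(s) + b"\x00" + filler
    return blob


def find_xor_strings(blob: bytes, min_len: int = 8) -> list:
    """Decode with XOR 0xFF and return printable runs of at least min_len bytes.

    Strings stored in plain text in the binary are not reported, because
    ASCII bytes XORed with 0xFF all land in the non-printable 0x80-0xFF range."""
    out, run = [], bytearray()
    for b in xor_ff(blob):
        if b in PRINTABLE:
            run.append(b)
            continue
        if len(run) >= min_len:
            out.append(run.decode("ascii"))
        run = bytearray()
    if len(run) >= min_len:
        out.append(run.decode("ascii"))
    return out


def onion_addresses(strings: list) -> list:
    """Pick out v2-style .onion hostnames (16 base32 chars) from decoded strings."""
    pat = re.compile(r"\b[a-z2-7]{16}\.onion\b")
    return [m for s in strings for m in pat.findall(s)]


if __name__ == "__main__":
    found = find_xor_strings(build_sample_blob())
    print(found, onion_addresses(found))
```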
List of Austrian-based targets:
‘*bankaustria.at’, ‘*.bawagpsk.com’, ‘*raiffeisen.at’, ‘*.bawag.com’, ‘www.banking.co.at’, ‘*oberbank.at’, ‘www.oberbank-banking.at’, ‘*.easybank.at’
List of Swiss-based targets:
Though the Retefe banking trojan has previously operated in other European countries, such as Sweden and the UK, no countries other than Switzerland and Austria were seen in this campaign.
As a note of historical interest, here’s a list of UK-based banks that were targeted in June 2016:
‘*barclays.co.uk’, ‘*natwest.com’, ‘*nwolb.com’, ‘hsbc.co.uk’, ‘www.hsbc.co.uk’, ‘*business.hsbc.co.uk’, ‘*santander.co.uk’, ‘*rbsdigital.com’, ‘onlinebusiness.lloydsbank.co.uk’, ‘*cahoot.com’, ‘*smile.co.uk’, ‘*co-operativebank.co.uk’, ‘if.com’, ‘*.if.com’, ‘*ulsterbankanytimebanking.co.uk’, ‘*sainsburysbank.co.uk’, ‘*tescobank.com’
IOCs:
Article Link: https://labsblog.f-secure.com/2017/07/14/retefe-banking-trojan-targets-both-windows-and-mac-users/