ESET: free tool to check for malware that attacks banks

ESET: Its users can check whether they are safe from the Retefe Trojan, which has Tesco Bank and dozens of other banks and services on its list of targets.

The malware that attacked Tesco Bank has several other banks and related service providers on its list of potential targets, according to ESET researchers' findings. ESET's Threat Intelligence services discovered the Retefe Trojan, which has been active in its current form since at least February 2016 and is capable of redirecting its victims to spoofed banking pages in order to harvest login credentials. In some cases it has also tried to trick users into installing a mobile component of its software (detected by ESET as Android/Spy.Banker.EZ), which is then used to bypass two-factor authentication.

The malicious code, detected by ESET as JS/Retefe, is usually delivered as an email attachment claiming to be an invoice or a related file. Once executed, it installs various components, including a Tor anonymization service, and uses them to set up a proxy for the targeted banking sites.

Retefe also adds a fake root certificate that looks as if it had been issued and signed by the well-known certification authority Comodo. This makes the fraud very difficult for the user to detect.

Security researchers have been tracking Retefe for some time. It drew renewed attention at the beginning of this year when it attacked bank customers in the UK. Since then, the mobile component has been added and the list of targets has been expanded.

Among the services targeted by the Retefe Trojan are large banks in the United Kingdom, Switzerland (the country that has suffered the biggest blow, according to the ESET LiveGrid cloud system) and Austria, as well as popular services such as Facebook and PayPal. The full list is below.

"The possible connection of the big attack on Tesco Bank, where thousands have lost their capital, with the bank trojan Retefe is worrying. We have, of course, notified all the companies that Retefe targets and we have offered our help in limiting the threat. We also advise users to take the necessary steps to protect themselves," comments ESET security evangelist Peter Stančík.

ESET researchers have identified the indicators of compromise for the Retefe malware and urge anyone who uses the services below to check whether their computers have been infected. They can do this themselves or use ESET's Retefe Checker page, where they can download a tool that automatically checks the computer for the related indicators.

Users can check their computers for traces of Retefe by looking for the following indicators of compromise:

1. Presence of one of the malicious root certificates that claims to have been issued by the COMODO Certification Authority, with the issuer's e-mail address set to me@myhost.mydomain:

In Mozilla Firefox, open the Certificate Manager:

For the other browsers, check the root certificates installed on the system via the Microsoft Management Console (MMC):

So far, two certificates have been identified, with the following details:

- Serial number: 00:A6:1D:63:2C:58:CE:AD:C2
- Valid from: Tuesday, July 05, 2016
- Expires: Friday, July 03, 2026
- Issuer: me@myhost.mydomain, COMODO Certification Authority

- Serial number: 00:97:65:C4:BF:E0:AB:55:68
- Valid from: Monday, February 15, 2016
- Expires: Thursday, February 12, 2026
- Issuer: me@myhost.mydomain, COMODO Certification Authority

2. Presence of a malicious Proxy Auto-Configuration (PAC) script that leads to a .onion domain:

%onionDomain%/%random%.js, where

- %onionDomain% is an onion domain randomly selected from the configuration file
- %random% is a string of 8 characters from the alphabet A-Za-z0-9
- %PublicIP% is the user's public IP address

For example: http://

3. Presence of Android/Spy.Banker.EZ on an Android device (can be checked with ESET Mobile Security).
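The first two indicators can be checked against a dump of the local root store and the configured PAC URL. The following is an added example (not ESET's Retefe Checker) that matches certificate serials in the formats different tools print and tests a PAC URL against the %onionDomain%/%random%.js shape; it assumes %PublicIP% is carried in the query string, which the article does not state, and the sample store entries other than the first serial are constructed.

```python
import re

# The two fraudulent root certificates listed in the article, by serial number;
# both carry the issuer e-mail me@myhost.mydomain, "COMODO Certification Authority".
RETEFE_CERT_SERIALS = ("00:A6:1D:63:2C:58:CE:AD:C2", "00:97:65:C4:BF:E0:AB:55:68")
RETEFE_ISSUER_EMAIL = "me@myhost.mydomain"

# PAC URL shape from the article: http://%onionDomain%/%random%.js, %random% being
# 8 characters of A-Za-z0-9. Assumption: %PublicIP% is carried in the query string
# (the article lists it but does not show where it goes), so any query is tolerated.
PAC_URL_PATTERN = re.compile(
    r"^https?://[a-z2-7]+\.onion/[A-Za-z0-9]{8}\.js(?:\?.*)?$", re.IGNORECASE
)


def normalize_serial(serial):
    """Reduce a serial to an int so the colon-separated hex shown by MMC/Firefox,
    the bare hex printed by openssl, and a plain int all compare equal."""
    if isinstance(serial, int):
        return serial
    return int(re.sub(r"[^0-9A-Fa-f]", "", serial), 16)


KNOWN_SERIALS = {normalize_serial(s) for s in RETEFE_CERT_SERIALS}


def check_root_cert(serial, issuer):
    """Return "known-serial" for the two certificates named in the article,
    "suspicious-issuer" for any other root whose issuer carries the bogus
    e-mail address, and None for everything else."""
    if normalize_serial(serial) in KNOWN_SERIALS:
        return "known-serial"
    if RETEFE_ISSUER_EMAIL in issuer.lower():
        return "suspicious-issuer"
    return None


def is_retefe_pac_url(url):
    """True if a configured PAC URL matches the .onion/<8 chars>.js shape."""
    return bool(PAC_URL_PATTERN.match(url.strip()))


if __name__ == "__main__":
    # Constructed sample input standing in for a root-store dump and the proxy
    # auto-config setting; only the first serial is real (from the article).
    for serial, issuer in [
        ("00:A6:1D:63:2C:58:CE:AD:C2", "me@myhost.mydomain, COMODO Certification Authority"),
        ("0b:ad:ca:fe", "me@myhost.mydomain, COMODO Certification Authority"),
        ("3e:5f", "COMODO Certification Authority"),
    ]:
        print(serial, "->", check_root_cert(serial, issuer))
    print(is_retefe_pac_url("http://exampleonionhost.onion/Ab12Cd34.js?ip=203.0.113.7"))
```

On Windows the PAC URL to feed into `is_retefe_pac_url` is the AutoConfigURL value of the current user's Internet Settings, and the serials come from the certificate list shown in MMC or Firefox.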

Users who detect any of the above indicators of compromise should take the following measures, in accordance with the advice of ESET security experts:

If you use any of the services listed below, change your login details and check for suspicious activity (e.g. unusual transactions in online banking).

1. Remove the Proxy Auto-Configuration (PAC) script:

2. Remove the certificate.

For preventive protection, use a reliable security solution with special protection for banking and payment services. Also, do not forget to protect your Android device.

Learn more about the Retefe Trojan and its connection to the cyber-attack on Tesco Bank in a dedicated technical article on the official ESET blog.

Written by Dimitris
