ESET: free malware protection tool attacking banks

ESET: Internet users can see if they are safe from Retefe Trojan, which has Tesco Bank's target list and dozens of other banks and services.

The malware that attacked Tesco Bank has several other banks and providers of related services on the Candidate List, according to ESET researchers' findings. ESET's Threat Intelligence has unveiled the Trojan Retefe, which has been operating in its current form since February of 2016, and is capable of redirecting its victims to "banked" banking pages to extract login information. In some cases, it has also attempted to cheat users to install a mobile malware component (crawled by ESET as Android/Vomit.Banker column.EZ), which is then used to bypass double authentication.trojan eset

The malicious code, detected by ESET as JS/Retefe, is usually transmitted as an attachment to an email that is supposed to be an order, invoice or related file. Once executed, it installs various items including a Tor anonymous service and uses them to create a proxy for target banking sites.

Retefe also adds a fake root certificate that looks like it was issued and certified by the well-known certification authority, Comodo. This makes it very difficult for the user to detect the fraud.

Retefe is being watched by security researchers from the past. More recently, he entered the target when he attacked bank customers in the UK at the beginning of the year. Since then, the mobile item has been added and the list of goals has been expanded.

Among the services targeted by Trojan Retefe are large banks in the United Kingdom, Switzerland (the country that has suffered the biggest blow, according to the ESET LiveGrid cloud system) and Austria, as well as popular services such as Facebook and PayPal . The full list is below.

"The possible connection of the big attack on Tesco Banking, where thousands have lost their capital, with the bank trojan Retefe is worrying. We have, of course, noticed all the companies that are at its target Retefe and we have offered our help in limiting the threat. We also advise users to take the necessary steps to protect them " comments ESET security evangelist Peter Stančík.

ESET researchers have identified breaches of Retefe malware and urge those using the following services to check if their computers are infected. They can do it on their own or use their website Retefe Checker from ESET, where they can download a tool that automatically checks the computer for the related clues.

Users can control their computers for the Retefe track by searching for the following indications of violation:

1.       Presence of one of the malicious root certificates he claims to have from the Certification Authority COMODO, with the address emails the publisher to be me@myhost.mydomain:

For Mozilla Firefox, visit certificate Manager:

For the other browsers, check for root certificates installed on the system  via the Microsoft Management Console (MMC):

So far, two certificates have been identified with the following details:

– Σειριακός Αριθμός: 00:A6:1D:63:2C:58:CE:AD:C2
- Valid from: Tuesday, July 05, 2016
- Expires: Friday, July 03, 2026
- Publisher: me@myhost.mydomain, COMODO Certification Authority


– Σειριακός Αριθμός: 00:97:65:C4:BF:E0:AB:55:68
- Valid from: Monday, February 15, 2016
- Expires: Thursday, February 12, 2026
- Publisher: me@myhost.mydomain, COMODO Certification Authority

2.       Presence malicious script Proxy Automatic Configuration (PAC) που leads into a domain .onion

% onionDomain% /% random% .js, where

% OnionDomain% is an onion domain randomly selected from the configuration file
-% random% is a series of 8 characters of the A-Za-z0-9 alphabet
% PublicIP% is the user's public IP address

For example: http: //

3.       Presence of Android / Spy.Banker.EZ at device Android
(can be checked with ESET Mobile Security)

Users who detect any of the abovementioned indications of violation should take the following measures, in accordance with the advice of ESET security experts:

If you use any of the services listed below, change the login details and check for suspicious activity (eg for bizarre moves in online banking).

1.       Remove This makes it a perfect choice for people with diabetes and for those who want to lose weight or follow a balanced diet. Proxy Automatic Configuration script (PAC):

2.       Remove this certificate.

For preventive protection, use a reliable security solution with special protection for banking and payment services. Also, do not forget to protect your Android device.

Learn more about Trojan Retefe and its connection to cyber-attack in Tesco Bank in a special technical article on the ESET official blog,

Read them Technology News from all over the world, with the validity of

Follow us on Google News at Google news