ESET: free tool to check for malware that attacks banks

ESET: Internet users can check whether they are safe from the Retefe Trojan, whose target list includes Tesco Bank and dozens of other banks and services.

The malware that attacked Tesco Bank has several other banks and providers of related services on its target list, according to ESET researchers' findings. ESET's threat intelligence has analysed the Retefe Trojan, which has been operating in its current form since February 2016 and is capable of redirecting its victims to fake banking pages in order to harvest their login details. In some cases it has also tried to trick users into installing a mobile malware component (detected by ESET as Android/Spy.Banker.EZ), which is then used to bypass two-factor authentication.

The malicious code, detected by ESET as JS/Retefe, is usually delivered as an email attachment purporting to be an order, invoice or similar document. Once executed, it installs several components, including the Tor anonymisation service, and uses them to set up a proxy for the targeted banking sites.

Retefe also adds a fake root certificate that appears to have been issued by the well-known certification authority Comodo. This makes the fraud very difficult for the user to detect.

Retefe has been tracked by security researchers for some time. It drew renewed attention at the beginning of the year, when it attacked bank customers in the UK. Since then, the mobile component has been added and the target list has been expanded.

Among the services targeted by the Retefe Trojan are major banks in the United Kingdom, Switzerland (the country hardest hit, according to ESET's LiveGrid cloud telemetry) and Austria, as well as popular services such as Facebook and PayPal. The full list is below.

"The possible connection between the major attack on Tesco Bank, where thousands lost their money, and the banking trojan Retefe is worrying. We have, of course, notified all the companies on Retefe's target list and offered our help in containing the threat. We also advise users to take the necessary steps to protect themselves," comments ESET security evangelist Peter Stančík.

ESET researchers have identified indicators of compromise for Retefe and urge anyone who uses the following services to check whether their computers are infected. They can do this themselves or visit ESET's Retefe Checker website, where they can download a tool that automatically checks the computer for the related indicators.

Users can check their computers for traces of Retefe by looking for the following indicators of compromise:

1. Presence of one of the malicious root certificates purporting to come from the COMODO Certification Authority, with the issuer's email address set to me@myhost.mydomain:

For browsers that keep their own certificate store, check the browser's Certificate Manager:

For the other browsers, check the root certificates installed on the system via the Microsoft Management Console (MMC):

So far, two certificates have been identified, with the following details:

- Serial number: 00:A6:1D:63:2C:58:CE:AD:C2
- Valid from: Tuesday, July 05, 2016
- Expires: Friday, July 03, 2026
- Issuer: me@myhost.mydomain, COMODO Certification Authority

and

- Serial number: 00:97:65:C4:BF:E0:AB:55:68
- Valid from: Monday, February 15, 2016
- Expires: Thursday, February 12, 2026
- Issuer: me@myhost.mydomain, COMODO Certification Authority

2. Presence of a malicious Proxy Auto-Configuration (PAC) script that points to a .onion domain:

%onionDomain%/%random%.js?ip=%PublicIP%, where

- %onionDomain% is an onion domain randomly selected from the configuration file
- %random% is a string of 8 characters from the alphabet A-Za-z0-9
- %PublicIP% is the user's public IP address

For example: http://e4law7gufljhzfo4.onion.link/xvsP2YiD.js?ip=100.10.10.100

3. Presence of Android/Spy.Banker.EZ on the Android device
(can be checked with ESET Mobile Security)
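As an added illustration (not ESET's Retefe Checker or any code from the article), the following script matches the two host-side indicators above against constructed input: a list of certificate records as one might export from a root store, and a configured PAC URL. The sample certificate records and the benign PAC URL are constructed; the serial numbers, issuer email and example .onion URL are the ones given in the article.

```python
import re

# Indicators of compromise as listed in the article above.
RETEFE_CERT_SERIALS = {
    "00:A6:1D:63:2C:58:CE:AD:C2",
    "00:97:65:C4:BF:E0:AB:55:68",
}
RETEFE_ISSUER_EMAIL = "me@myhost.mydomain"

# PAC URL shape from the article: %onionDomain%/%random%.js?ip=%PublicIP%
# 16-character onion names (as in the example), optionally reached through a
# Tor2web-style gateway suffix such as ".onion.link".
PAC_RE = re.compile(
    r"^https?://[a-z2-7]{16}\.onion(?:\.[a-z]+)?/"
    r"[A-Za-z0-9]{8}\.js\?ip=\d{1,3}(?:\.\d{1,3}){3}$"
)


def normalize_serial(serial):
    """Accept '00a61d63...' or '00:A6:1D:...' and return the colon-separated form."""
    hexdigits = re.sub(r"[^0-9A-Fa-f]", "", serial).upper()
    return ":".join(hexdigits[i:i + 2] for i in range(0, len(hexdigits), 2))


def check_root_certs(certs):
    """certs: iterable of {'serial': ..., 'issuer': ...} records from a root store.
    Returns the serials of certificates that match either a known serial or
    the bogus issuer email, so a re-issued variant is still flagged."""
    hits = []
    for cert in certs:
        serial = normalize_serial(cert["serial"])
        if serial in RETEFE_CERT_SERIALS or RETEFE_ISSUER_EMAIL in cert.get("issuer", ""):
            hits.append(serial)
    return hits


def check_pac_url(url):
    """True when the configured proxy auto-config URL matches the Retefe pattern."""
    return bool(url) and PAC_RE.match(url.strip()) is not None


# Constructed sample input: one ordinary root and one copy of the malicious cert.
SAMPLE_CERTS = [
    {"serial": "01:02:03:04:05", "issuer": "CN=Example Root CA, O=Example"},
    {"serial": "00a61d632c58ceadc2",
     "issuer": "E=me@myhost.mydomain, CN=COMODO Certification Authority"},
]

if __name__ == "__main__":
    print("suspicious certs:", check_root_certs(SAMPLE_CERTS))
    print("PAC hit:", check_pac_url("http://e4law7gufljhzfo4.onion.link/xvsP2YiD.js?ip=100.10.10.100"))
```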

Users who detect any of the above indicators of compromise should take the following measures, following the advice of ESET's security experts:

If you use any of the services listed below, change your login details and check for suspicious activity (e.g. unusual transactions in online banking).

1. Remove the Proxy Auto-Configuration (PAC) script:

2. Remove the certificate.

For preventive protection, use a reliable security solution with special protection for banking and payment services. Also, do not forget to protect your Android device.

Learn more about the Retefe Trojan and its connection to the cyber-attack on Tesco Bank in a detailed technical article on ESET's official blog, WeLiveSecurity.com.


Written by Dimitris
