ESET: free tool to detect malware attacking banks

ESET: Internet users can check whether they are safe from the Retefe Trojan, which has Tesco Bank, dozens of other banks and popular services on its target list.

The malware that attacked Tesco Bank has several other banks and related service providers on its list of potential targets, according to ESET researchers' findings. ESET's Threat Intelligence services discovered the Retefe Trojan, which has been active in its current form since at least February 2016 and is capable of redirecting its victims to spoofed banking pages to harvest their credentials. In some cases it has also tried to trick users into installing a mobile component of the malware (detected by ESET as Android/Spy.Banker.EZ), which is then used to bypass two-factor authentication.

The malicious code, detected by ESET as JS/Retefe, is usually delivered as an attachment to an email that pretends to be an order, invoice or similar document. Once executed, it installs several components, including the Tor anonymity service, and uses them to set up a proxy for the targeted banking sites.

Retefe also adds a fake root certificate which appears to have been issued and signed by the well-known certification authority Comodo. This makes the fraud very difficult for the user to detect.

Retefe has been tracked by security researchers for a long time. Most recently it drew attention when it attacked bank customers at the beginning of the year. Since then the mobile component has been added and the list of targets has been expanded.

Among the services targeted by the Retefe Trojan are large banks in the United Kingdom, Switzerland (the country hit hardest, according to the ESET LiveGrid cloud system) and Austria, as well as popular services such as Facebook and PayPal. The full list is below.

"The possible connection of the big attack on Tesco Bank, where thousands have lost their money, with the banking trojan Retefe is worrying. We have, of course, notified all the companies Retefe targets and have offered our help in containing the threat. We also advise users to take the necessary steps to protect themselves," comments ESET security evangelist Peter Stančík.

ESET researchers have identified infections by the Retefe malware and urge anyone using the following services to check whether their computer is infected. They can do this on their own, or use ESET's Retefe Checker website, where they can download a tool that automatically checks the computer for the relevant clues.

Users can check their computers for traces of Retefe by looking for the following indicators of compromise:

1. Presence of one of the malicious root certificates claiming to be issued by the COMODO Certification Authority, with the issuer email address me@myhost.mydomain:

For Mozilla Firefox, open the Certificate Manager:

For the other browsers, check the root certificates installed on the system via the Microsoft Management Console (MMC):

So far, two certificates have been identified with the following details:

- Serial number: 00:A6:1D:63:2C:58:CE:AD:C2
- Valid from: Tuesday, July 05, 2016
- Expires: Friday, July 03, 2026
- Issuer: me@myhost.mydomain, COMODO Certification Authority

and

- Serial number: 00:97:65:C4:BF:E0:AB:55:68
- Valid from: Monday, February 15, 2016
- Expires: Thursday, February 12, 2026
- Issuer: me@myhost.mydomain, COMODO Certification Authority

2. Presence of a malicious Proxy Auto-Configuration (PAC) script that points to a .onion domain:

http://%onionDomain%/%random%.js?ip=%publicIP%, where

- %onionDomain% is an onion domain randomly selected from the configuration file
- %random% is a string of 8 characters from the A-Za-z0-9 alphabet
- %publicIP% is the user's public IP address

For example: http://e4law7gufljhzfo4.onion.link/xvsP2YiD.js?ip=100.10.10.100

3. Presence of Android/Spy.Banker.EZ on the Android device (can be checked with ESET Mobile Security)
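The first two indicators can be checked from a PowerShell prompt on Windows. The script below is an added example written for this article; it is not ESET's Retefe Checker and does not replace it. It assumes the serial numbers and issuer e-mail address are exactly as quoted above, that the system proxy configuration lives in the Internet Settings registry key (the standard location for the AutoConfigURL value), and it does not look inside Firefox's own certificate store.

```powershell
# Added example (not ESET's tool): look for the Retefe root certificates and PAC script
# described in the article. Assumptions: serials and issuer e-mail as quoted in the text;
# the PAC URL is read from the per-user Internet Settings registry key.

# Serial numbers from the article, written without the colon separators that the
# certificate viewer shows. Leading zero bytes are trimmed before comparison so that
# "00A6..." and "A6..." are treated as the same value.
$KnownSerials = @(
    '00A61D632C58CEADC2',   # 00:A6:1D:63:2C:58:CE:AD:C2
    '009765C4BFE0AB5568'    # 00:97:65:C4:BF:E0:AB:55:68
) | ForEach-Object { $_.TrimStart('0') }

$IssuerEmail = 'me@myhost.mydomain'

function Test-RetefeRootCertificate {
    # Scan the user and machine trusted root stores. A hit is either a known serial
    # number or an issuer field carrying the suspicious e-mail address.
    $stores = 'Cert:\CurrentUser\Root', 'Cert:\LocalMachine\Root'
    foreach ($store in $stores) {
        Get-ChildItem -Path $store -ErrorAction SilentlyContinue | Where-Object {
            ($KnownSerials -contains $_.SerialNumber.ToUpper().TrimStart('0')) -or
            ($_.Issuer -match [regex]::Escape($IssuerEmail))
        } | ForEach-Object {
            [pscustomobject]@{
                Store      = $store
                Subject    = $_.Subject
                Issuer     = $_.Issuer
                Serial     = $_.SerialNumber
                NotBefore  = $_.NotBefore
                NotAfter   = $_.NotAfter
                Thumbprint = $_.Thumbprint
            }
        }
    }
}

function Test-RetefePacScript {
    # The article gives the PAC URL shape as http://%onionDomain%/%random%.js?ip=%publicIP%
    # with %random% being 8 characters of [A-Za-z0-9]. The host part also accepts a
    # Tor2web-style suffix such as .onion.link, as in the article's example.
    $pattern = '^https?://[a-z2-7]+\.onion(\.[a-z]+)?/[A-Za-z0-9]{8}\.js(\?ip=.*)?$'
    $key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
    $url = (Get-ItemProperty -Path $key -Name AutoConfigURL -ErrorAction SilentlyContinue).AutoConfigURL
    if ($url) {
        [pscustomobject]@{
            AutoConfigURL   = $url
            LooksLikeRetefe = [bool]($url -match $pattern)
        }
    }
}

function Remove-RetefeIndicators {
    # Remediation for steps 1 and 2 below: drop the PAC setting and delete the
    # matching root certificates. Supports -WhatIf so the actions can be previewed.
    [CmdletBinding(SupportsShouldProcess)]
    param()
    $key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
    $pac = Test-RetefePacScript
    if ($pac -and $pac.LooksLikeRetefe -and
        $PSCmdlet.ShouldProcess($pac.AutoConfigURL, 'Remove AutoConfigURL')) {
        Remove-ItemProperty -Path $key -Name AutoConfigURL
    }
    foreach ($cert in Test-RetefeRootCertificate) {
        $path = Join-Path $cert.Store $cert.Thumbprint
        if ($PSCmdlet.ShouldProcess($path, 'Remove certificate')) {
            Remove-Item -Path $path   # LocalMachine store needs an elevated prompt
        }
    }
}

# Report only; run Remove-RetefeIndicators -WhatIf to preview the clean-up.
Test-RetefeRootCertificate | Format-List
Test-RetefePacScript | Format-List
```

Run it from an elevated PowerShell prompt so that the LocalMachine store is readable and removable. An empty result from both functions means neither indicator was found on this system; it says nothing about Firefox, whose certificate store must still be inspected through its Certificate Manager as described above.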

Users who find any of the above indicators of compromise should take the following measures, in line with the advice of ESET security experts:

If you use any of the services from the list below, change your login details and check for suspicious activity (e.g. unusual banking transactions).

1. Remove the malicious Proxy Auto-Configuration (PAC) script:

2. Remove the malicious certificate.

For preventive protection, use a reliable security solution with special protection for banking and payment services. Also, do not forget to protect your Android device.

Learn more about the Retefe Trojan and its connection to the cyber-attack on Tesco Bank in a dedicated technical article on ESET's official blog, WeLiveSecurity.com.


Written by Dimitris
