430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|Hackers Steal Data of 4.38 Million Aflac Japan Customers|Apple Fixes WebKit Flaws in iOS and macOS, With Help From AI Tools|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|Hackers Steal Data of 4.38 Million Aflac Japan Customers|Apple Fixes WebKit Flaws in iOS and macOS, With Help From AI Tools|
Advertisement

Ad Placeholder

Full Width × 90

Breaking News

Retefe banking Trojan leverages EternalBlue exploit to infect Swiss users

Cyber criminals behind the Retefe banking Trojan have improved it by adding a new component that uses the NSA exploit EternalBlue. ETERNALBLUE is the alleged NSA exploit that made the headlines with DOUBLEPULSAR in the WannaCry attack and NotPetya massive attacks. ETERNALBLUE targets the SMBv1 protocol and it has become widely adopted in the community of malware developers. Investigations on WannaCry, for […]

Retefe banking Trojan leverages EternalBlue exploit to infect Swiss users

retefe eternalblue

Cyber criminals behind the Retefe banking Trojan have improved it by adding a new component that uses the NSA exploit EternalBlue.

ETERNALBLUE is the alleged NSA exploit that made the headlines with DOUBLEPULSAR in the WannaCry attack and NotPetya massive attacks.

ETERNALBLUE targets the SMBv1 protocol and it has become widely adopted in the community of malware developers.

Investigations on WannaCry, for example, revealed that at least other 3 different groups have been leveraging the NSA EternalBlue exploit. In August, a new fileless miner dubbed CoinMiner appeared in the wild, it uses NSA EternalBlue exploit and WMI tool to spread, earlier this year, researchers at Flashpoint observed the TrickBot banking Trojan also included an EternalBlue module as well.

Cyber criminals behind the Retefe banking Trojan have improved it by adding a new component that uses the NSA exploit EternalBlue.

“The Retefe banking Trojan has historically targeted Austria, Sweden, Switzerland and Japan, and we have also observed it targeting banking sites in the United Kingdom. While it has never reached the scale or notoriety of better-known banking Trojans such as Dridex or Zeus, it is notable for its consistent regional focus, and interesting implementation.” states the analysis published by ProofPoint.

“Unlike Dridex or other banking Trojans that rely on webinjects to hijack online banking sessions, Retefe operates by routing traffic to and from the targeted banks through various proxy servers, often hosted on the TOR network,” 

Researchers have observed a wave of phishing messages using weaponized Microsoft Office documents. containing embedded Package Shell Objects, or Object Linking and Embedding Objects, that are typically Windows Shortcut “.lnk” files, researchers said.

Once the user opened the shortcut accepting the security warning, he triggers the execution of a PowerShell command that download of a self-extracting Zip archive hosted on a remote server.

retefe eternalblue

The Zip archive contains an obfuscated JavaScript installer that includes several configuration session parameters. According to the malware researchers, one of the parameters (“pseb:”) has been added to refer the execution of a script that implements the EternalBlue exploit. The configuration observed on September 5 included the feature to log the installation and the configuration of the victim.

“We first observed the “pseb:” parameter on September 5. The “pseb:” configuration implements the EternalBlue exploit, borrowing most of its code from a publicly available proof-of-concept posted on GitHub. It also contains functionality to log the installation and victim configuration details, uploading them to an FTP server. On September 20, the “pseb:” section had been replaced with a new “pslog:” section that contained only the logging functions.” continues the analysis.

The malicious code downloads a PowerShell script from a remote server that includes an embedded executable that installs Retefe.

According to the experts, the threat actor behind this new version of Retefe conducting increasingly targeted attacks and included the EternalBlue exploit to improve the malware propagation.

On Sept.20, the “pseb:” section had been replaced with a new “pslog:” section that includes only the EternalBlue logging functions.

“This installation, however, lacks the the “pseb:” module responsible for further lateral spread via EternalBlue, thus avoiding an infinite spreading loop.” states ProofPoint.

Organizations should patch against the EternalBlue exploit, they should also block associated traffic in IDS systems and firewalls.

“Companies should also block associated traffic in IDS systems and firewalls and block malicious messages (the primary vector for Retefe) at the email gateway,” concludes Proofpoint.

[adrotate banner=”9″]

Pierluigi Paganini

(Security Affairs – EternalBlue exploit, banking Trojan)

[adrotate banner=”13″]