A forum for reverse engineering, OS internals and malware analysis 

Forum for analysis and discussion about malware.
#30856 by explo1t
Sat Sep 23, 2017 1:09 pm
I noticed that there was no thread in this Forum for the Retefe Banking Trojan, so I created one.

There's an ongoing spam campaign targeting Swiss users which sends Word documents with embedded LNK files to spread Retefe.

References:

http://www.pwncode.club/2017/09/deep-di ... rojan.html
https://www.proofpoint.com/us/threat-in ... -campaigns

It looks like the new variants of the Retefe banking trojan are not using the EternalBlue exploit once again. Maybe there are plans to update the exploit or add a new variant? :)
#30897 by c0d3inj3cT
Wed Oct 11, 2017 9:21 am
The Retefe campaign is active again in the second week of October 2017 and is now spreading through macro-based documents.

Samples + IOCs mentioned here: http://www.pwncode.club/2017/10/retefe- ... sm-in.html

Attack flow: Doc -> Macro -> PowerShell -> Retefe

TOR servers: ["igs67efmlcucq57u.onion","jotetnnmfzb42sdw.onion","ou47twzxgnicn7ga.onion","aulqkm5upaqmto3i.onion"]
Logs uploaded to FTP Server: ftp.liwest.at/logs