Retefe Banking Trojan Uses Root Certificate to Target Customers of UK Banks

Discussion in 'malware problems & news' started by itman, Jun 27, 2016.

  1. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    2,969
    Location:
    U.S.A.
    http://news.softpedia.com/news/rete...-to-target-customers-of-uk-banks-505679.shtml

    Retefe Banking Trojan Uses Root Certificate to Target Customers of UK Banks

    The most recent Retefe campaign leverages spam email that distributes documents laced with malicious JavaScript code.

    When users open the document and double-click an image embedded inside it, the JS code does two things. It first downloads and installs a rogue root certificate, and then changes the operating system's proxy auto-config settings.

    Retefe adds its own root certificate, changes proxy settings

    When installing the root certificate, users barely get a glimpse of a popup that asks them to confirm the action, because the trojan uses a PowerShell script to automatically click yes in this popup.

    Avast researchers have broken down Retefe's most recent trick, and they say the popup (seen below) asks the user to approve the installation of a root certificate that claims to be from Comodo. In fact, Avast explains the certificate is issued by "me@myhost.mydomain" and has nothing to do with Comodo.

    While all this is happening, Retefe is also setting up a proxy connection, which will redirect some traffic through a Tor website.

    Crooks target a few UK banks (NatWest, Barclays, HSBC, Santander, UlsterBank, Sainsbury's Bank, Tesco Bank, Cahoot, IF.com), but also generic traffic going to *.com, *.co.uk domains.


  2. Yash Khan

    Yash Khan Registered Member

    Joined:
    Apr 4, 2011
    Posts:
    1,837
    So does security software that installs its own certs for banking, etc. protect against the mentioned attack?
  3. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    2,969
    Location:
    U.S.A.
    The security vendors who perform SSL/TLS protocol scanning for the most part do not use a local host proxy server to decrypt and scan encrypted traffic. They install an NDIS mini-port network adapter driver to do the scanning at the network stack level.

    For a parallel to what this malware is performing, refer to prior postings on the Lenovo Superfish issue that occurred a while back.