The email with the subject "Von Ihrem Konto ist 78 Franken abgebucht" contains a 'docx' file named "Credit_Zahlung.docx". Looking deeper, I found quite a few more emails sent around the same time with different attachment names and subjects, all of them purporting to come from the same Swiss financial institution.
The 'docx' file contains an embedded image with a text message inviting the user to double-click it in order to see the invoice.
Looking at the file with oledump.py on REMnux, I see some obfuscated JavaScript (.JS) code embedded inside the DOCX file.
I did not deobfuscate the .JS code; however, when I executed it I saw that several applications were installed and executed. One of them is a proxy tool (Proxifier) and the other is a Tor client.
The proxy tool is set up to forward all traffic destined for a specific set of URLs through a localhost connection, which in reality is the Tor connection that was established. The set of URLs routed through the Tor connection covers many Swiss and Austrian banks. This is how the Retefe malware operates to steal customers' usernames and passwords. Luis Rocha explained it some months ago on his blog.
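As an added example (not code from the original post), the following Python script models the redirection just described: Proxifier-style host patterns with '*' wildcards, evaluated top to bottom, with one rule sending matching banking hosts to a SOCKS proxy on localhost (the Tor client). The rule format, rule names, the Tor SOCKS port 9050 and the sample hostnames are assumptions; the bank domain patterns are illustrative, written in the same wildcard style as the post's list. It also flags rules that divert specific hosts to a local proxy, which is what a defender would look for in a dumped Proxifier configuration.

```python
from fnmatch import fnmatch

# Constructed rule set (not the sample's actual configuration) mirroring the
# behaviour described in the post: traffic to bank domains is sent to a SOCKS
# proxy on localhost, assumed to be Tor on its default port 9050. The rule
# layout is a simplified stand-in for Proxifier's own file format.
RULES = [
    {"name": "Banking via Tor",
     "targets": ["*postfinance.ch", "*.ubs.com", "*.credit-suisse.com",
                 "*.bankaustria.at", "*.onion"],
     "proxy": "127.0.0.1:9050"},
    {"name": "Default", "targets": ["*"], "proxy": "Direct"},
]

def match_pattern(hostname: str, pattern: str) -> bool:
    """Case-insensitive wildcard match. A leading '*' without a dot
    (e.g. '*postfinance.ch') also matches the bare apex domain."""
    return fnmatch(hostname.lower(), pattern.lower())

def route_for(hostname: str, rules=RULES) -> str:
    """Return the proxy applied by the first matching rule
    (rules are evaluated top to bottom, like Proxifier does)."""
    for rule in rules:
        if any(match_pattern(hostname, p) for p in rule["targets"]):
            return rule["proxy"]
    return "Direct"

def is_localhost_proxy(proxy: str) -> bool:
    """True if the proxy target lives on the local machine."""
    host = proxy.rsplit(":", 1)[0]
    return host in ("127.0.0.1", "localhost", "::1")

def suspicious_rules(rules=RULES):
    """Flag rules that divert traffic for specific hosts to a local proxy:
    the footprint a Tor-based interception like Retefe leaves behind."""
    return [r["name"] for r in rules
            if is_localhost_proxy(r["proxy"]) and r["targets"] != ["*"]]

if __name__ == "__main__":
    for h in ("ebanking.ubs.com", "www.postfinance.ch", "example.org"):
        print(h, "->", route_for(h))
    print("suspicious rules:", suspicious_rules())
```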
The list of affected domains is:
Looking at the HTTPS certificate, we can see that the issuing CA appears to be Comodo; however, this is a fake certificate that was imported during the infection to fool the user and avoid browser warnings.
In fact, for that specific domain the legitimate certificate is signed by the Symantec CA.
Finally, the mimicking website asks the victim to enter their phone number in order to push a malicious APK to the phone and so be able to retrieve the 2FA token.
About this malicious APK I wrote several posts:
http://blog.angelalonso.es/2016/01/2nd-part-of-timba-malware-analysis-apk.html
http://blog.angelalonso.es/2015/10/android-memory-analysis-preparing.html
http://blog.angelalonso.es/2015/10/decrypting-emmental-blowfish-and-base64.html
http://blog.angelalonso.es/2015/10/android-memory-analysis-iii-analyzing.html
http://blog.angelalonso.es/2015/10/malware-analysis-with-androguad.html
http://blog.angelalonso.es/2015/10/reversing-c2c-http-emmental.html
http://blog.angelalonso.es/2015/11/reversing-sms-c-protocol-of-emmental.html
In essence, the TTPs of this threat actor have not changed much. However, the use of Proxifier to redirect the traffic is something recently introduced.