Wednesday, October 12, 2016

Malicious email campaign mimicking Swiss Financial Institutions: Retefe again.

Yesterday, while I was investigating something else, I ended up with some malicious emails impersonating a Swiss bank.

The email with the subject "Von Ihrem Konto ist 78 Franken abgebucht" (roughly, "78 francs have been debited from your account") contains a 'docx' file named "Credit_Zahlung.docx". Looking deeper, I found quite a few more emails sent around the same time with different attachment names and subjects, all of them sent on behalf of the same Swiss financial institution.

The 'docx' file contains an embedded image with a text message inviting the user to double-click it in order to see the invoice.

Looking at the file with oledump.py in REMnux, I see some obfuscated JavaScript (.JS) code embedded inside the DOCX file.

I did not deobfuscate the .JS script code; however, when I executed the code I saw that several applications were installed and executed. One of them is a proxy tool (Proxifier) and the other is a Tor client.

The proxy tool is set up to forward all traffic destined for a specific set of URLs through a localhost connection, which in reality is the Tor connection that the Tor client has established. The URLs that go through the Tor connection belong to many Swiss and Austrian banks. This is how the Retefe malware operates to steal customers' usernames and passwords. Luis Rocha explained it some months ago in his blog.

The affected domains, configured as Proxifier rules, are those of many Swiss and Austrian banks, plus the *.onion TLD.

Proxifier is able to redirect the traffic of Internet Explorer, Firefox and Chrome. In the screenshot below, a connection made by Chrome is redirected through the proxy to the onion URL http://v7yxqrahkza3ewuv.onion.
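
To make the redirection pattern concrete from the defender's side, here is an added example (not code from the original post or from the Retefe sample) that applies Proxifier-style wildcard rules to observed browser connections and flags bank hosts whose traffic is being handed to the local Tor SOCKS port. Assumptions: Proxifier's '*' matches any run of characters including none, Tor listens on 127.0.0.1:9050, and the connection records are constructed.

```python
import re

# Constructed subset of rule patterns of the kind found in the sample's
# Proxifier configuration. Hosts matching a rule are sent to the local Tor
# SOCKS proxy instead of going out directly.
RETEFE_RULES = ["*postfinance.ch", "*.ubs.com", "cs.directnet.com",
                "*.raiffeisen.at", "*.onion"]

# Assumption: Tor's default SOCKS listener on the loopback interface.
TOR_SOCKS = ("127.0.0.1", 9050)


def rule_matches(pattern, host):
    """Proxifier-style wildcard match (assumption: '*' matches any run of
    characters, including none). So '*postfinance.ch' covers both the bare
    domain and any subdomain, while '*.ubs.com' needs at least one label
    before 'ubs.com'. Hostnames are compared case-insensitively."""
    regex = ".*".join(re.escape(part) for part in pattern.lower().split("*"))
    return re.fullmatch(regex, host.lower()) is not None


def flag_tor_redirected_hosts(connections, rules=RETEFE_RULES, tor=TOR_SOCKS):
    """connections: iterable of (browser_host, next_hop_ip, next_hop_port).
    Returns hosts that both match a rule AND were handed to the local Tor
    SOCKS port: bank traffic leaving via Tor instead of directly, which is
    the infection pattern described above. A bank host reached directly is
    normal and is not flagged."""
    flagged = []
    for host, ip, port in connections:
        if (ip, port) != tor:
            continue
        if any(rule_matches(rule, host) for rule in rules):
            flagged.append(host)
    return flagged


# Constructed sample of browser connections as a host-based sensor might log them.
SAMPLE_CONNECTIONS = [
    ("www.ubs.com", "127.0.0.1", 9050),             # bank via Tor -> flagged
    ("ubs.com", "127.0.0.1", 9050),                 # '*.ubs.com' needs a subdomain
    ("postfinance.ch", "127.0.0.1", 9050),          # '*postfinance.ch' matches bare domain
    ("www.postfinance.ch", "198.51.100.7", 443),    # direct, not via Tor -> normal
    ("v7yxqrahkza3ewuv.onion", "127.0.0.1", 9050),  # the onion URL from the post
    ("www.example.org", "203.0.113.10", 443),       # unrelated host
]

if __name__ == "__main__":
    for host in flag_tor_redirected_hosts(SAMPLE_CONNECTIONS):
        print("traffic routed through local Tor proxy:", host)
```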

Looking at the HTTPS certificate, we can see that the issuing CA appears to be Comodo; however, this is a fake certificate that was imported during the infection to fool the user and avoid browser warnings.

In fact, for that specific domain the legitimate certificate is signed by Symantec's CA.

In essence, the TTPs of this threat actor have not changed much. However, using the Proxifier tool to redirect the traffic is something recently introduced.