Malicious email campaign mimicking Swiss Financial Institutions: Retefe again (III)

Following last two posts, this is a quick update as I have detected that some new Swiss banks have been added to the list of victims of Retefe (since last time I checked some weeks ago)

These are:

 *valiant.ch;*
 *wir.ch;
 *bankthalwil.ch;
 *piguetgalland.ch;
 *triba.ch;
 *inlinea.ch;
 *bernerlandbank.ch;
 *bancasempione.ch;
 *bsibank.com;
 *corneronline.ch;
 *vermoegenszentrum.ch;
 *gobanking.ch;
 *slbucheggberg.ch;
 *slfrutigen.ch;
 *hypobank.ch;
 *regiobank.ch;
 *rbm.ch;
 *hbl.ch;
 *ersparniskasse.ch;
 *ekr.ch;*
 sparkasse-dielsdorf.ch;
 *eki.ch;
 *bankgantrisch.ch;
 *bbobank.ch;
 *alpharheintalbank.ch;
 *aekbank.ch;*
 *acrevis.ch

Also, the Cyber Criminals have changed the way the malicious payload is weaponized through a malicious 'docx'.. Instead os using a JS script, now they are using an executable EXE: