EternalBlue Exploit Used in Retefe Banking Trojan Campaign

Criminals behind the Retefe banking Trojan have added a new component to their malware that uses the NSA exploit EternalBlue.

The update makes Retefe the latest malware family to adopt the SMBv1 attack against a patched Windows vulnerability, and could signal an emerging trend, said researchers at Proofpoint. Earlier this year, researchers at Flashpoint observed the TrickBot banking Trojan had added an EternalBlue module as well.

While Retefe has never reached the scale or reputation of similar Trojans such as Dridex or Zeus, it is notable for its interesting implementations and consistent regional focus in Austria, Sweden, Switzerland, Japan and more recently the United Kingdom, researchers said.

“Unlike Dridex or other banking Trojans that rely on webinjects to hijack online banking sessions, Retefe operates by routing traffic to and from the targeted banks through various proxy servers, often hosted on the TOR network,” said Proofpoint in a technical post Thursday explaining its research.

Over the past several months, researchers have observed a wave of new Retefe campaigns consisting of unsolicited emails containing malicious Microsoft Office documents. Attachments contain embedded Package Shell Objects, or Object Linking and Embedding Objects, that are typically Windows Shortcut “.lnk” files, researchers said.

If the user opens the shortcut and accepts the security warning that appears, a PowerShell command initiates the download of a self-extracting Zip archive hosted on a remote server. The Zip archive contains an obfuscated JavaScript installer.

When researchers de-obfuscated the JavaScript installer they found several configuration session parameters. In recent weeks, researchers said, a “pseb:” parameter has been added which references a script that implements the EternalBlue exploit that can be used to spread laterally within targeted networks.

“We first observed the ‘pseb:’ parameter on Sept. 5. The ‘pseb:’ configuration implements the EternalBlue exploit, borrowing most of its code from a publicly available proof-of-concept,” researchers wrote.

Read more…

Source: ThreatPost