Criminals behind the Retefe banking Trojan have added a new component to their malware that uses the NSA exploit EternalBlue.
The update makes Retefe the latest malware family to adopt the SMBv1 attack against a patched Windows vulnerability, and could signal an emerging trend, said researchers at Proofpoint. Earlier this year, researchers at Flashpoint observed the TrickBot banking Trojan had added an EternalBlue module as well.
While Retefe has never reached the scale or reputation of similar Trojans such as Dridex or Zeus, it is notable for its interesting implementations and consistent regional focus in Austria, Sweden, Switzerland, Japan and more recently the United Kingdom, researchers said.
“Unlike Dridex or other banking Trojans that rely on webinjects to hijack online banking sessions, Retefe operates by routing traffic to and from the targeted banks through various proxy servers, often hosted on the TOR network,” said Proofpoint in a technical post Thursday explaining its research.
Over the past several months, researchers have observed a wave of new Retefe campaigns consisting of unsolicited emails containing malicious Microsoft Office documents. Attachments contain embedded Package Shell Objects, or Object Linking and Embedding Objects, that are typically Windows Shortcut “.lnk” files, researchers said.
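A defender-side triage check for the attachment style described above, added here as an example (it is not Proofpoint's analysis code or anything from the malware): it opens an Office Open XML document as a zip and flags any embedded OLE part whose raw bytes contain the fixed Windows Shell Link header (HeaderSize 0x4C followed by the LinkCLSID from [MS-SHLLINK]). The document it scans is constructed in memory; the part names and heuristic are the example's own assumptions.

```python
import io
import zipfile

# [MS-SHLLINK] ShellLinkHeader prefix: HeaderSize 0x0000004C, then the
# LinkCLSID 00021401-0000-0000-C000-000000000046 in its on-disk byte order.
LNK_SIGNATURE = bytes.fromhex("4C000000" "01140200" "0000" "0000" "C000000000000046")


def find_embedded_lnk(docx_bytes):
    """Return names of embedded OLE parts that carry a Shell Link header.

    Heuristic (assumption, not the malware's or Proofpoint's code): an OLE
    Package object lands under */embeddings/ and keeps the payload bytes of
    the packaged file intact inside its Ole10Native stream, so the 20-byte
    .lnk header prefix is searchable in the raw part without parsing CFB.
    """
    hits = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        for name in zf.namelist():
            if "/embeddings/" not in name:
                continue
            if LNK_SIGNATURE in zf.read(name):
                hits.append(name)
    return hits


def build_sample_docx(with_lnk):
    """Construct a minimal fake .docx in memory for offline testing.

    This is constructed test data, not a real malicious sample.
    """
    payload = b"\x00" * 16  # stand-in for Ole10Native stream header bytes
    if with_lnk:
        payload += LNK_SIGNATURE + b"\x00" * 64  # fake .lnk body
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        zf.writestr("word/embeddings/oleObject1.bin", payload)
    return buf.getvalue()


if __name__ == "__main__":
    for flag in (False, True):
        print("embedded .lnk:", flag, "->", find_embedded_lnk(build_sample_docx(flag)))
```

A hit only says the part is worth a closer look; a full CFB parse of the Ole10Native stream is needed to recover the filename and the shortcut's target before deciding anything about intent.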
“We first observed the ‘pseb:’ parameter on Sept. 5. The ‘pseb:’ configuration implements the EternalBlue exploit, borrowing most of its code from a publicly available proof-of-concept,” researchers wrote.