

Security news, views and insight from the ESET experts

Tesco Bank not alone in being targeted by Retefe malware
By Peter Stancik, posted 10 Nov 2016 11:00 AM

Update (November 11th): For clarification, this article is focused on providing information on the increased activity of the Retefe banking trojan, which has been targeting various banks, mostly in Switzerland, Austria and the UK. While this is happening at the same time as news breaking that Tesco Bank suffered a major cyberattack, there is no concrete evidence that Retefe is behind this.

Tesco Bank, which recently saw thousands of its customers lose funds to cybercriminals, has been found on the target list of the so-called Retefe malware. This trojan horse goes after users' online banking credentials, which can then be misused to conduct fraudulent transactions. Many more thousands might be at risk, as the malware's target list contains several other banks.
In a statement, Tesco Bank's chief executive Benny Higgins said: "Tesco Bank can confirm that, over the weekend, some of its customers' current accounts have been subject to online criminal activity, in some cases resulting in money being withdrawn fraudulently."

According to the BBC, approximately 40,000 customers saw suspicious transactions over the weekend and about 20,000 of them had money stolen. Tesco Bank later confirmed that around 9,000 customers were affected. Higgins assured that Tesco would continue to cooperate with the authorities and keep its customers informed through its website and other channels.

Tesco Bank decided to temporarily stop online transactions from current accounts, but left its other services, such as cash withdrawals, chip-and-PIN payments, and all existing bill payments and direct debits, available to current account customers. Based on that decision, one can assume that its core infrastructure hasn't been affected, and there are no additional details that would suggest otherwise.

Our active malware monitoring and ESET Threat Intelligence services show that Tesco Bank has recently been on the target list of the Retefe trojan horse.

Disturbingly, our analysis shows that there is quite a lengthy list of other banks, located in many other countries, in this malware's crosshairs. It must also be said that this campaign began at least as far back as February 2016. (Note that the Retefe malware had already been active prior to this date, but had been using different techniques to infect victims' computers.)

If a user had been infected by this malicious code and tried to connect to any of the targeted online banking services, the malware modified the banking web page in an attempt to harvest logon credentials.

Detected by ESET as JS/Retefe, this malicious code is usually spread as an email attachment pretending to be an order, an invoice or a similar file. Once executed, it installs several components, including the anonymizing service Tor, and uses these to configure a proxy for the targeted banking sites.

The effect of this technique is that when an infected user tries to access their online banking website (full list of affected domains at the end of the blog post), they are covertly redirected to a fake copy instead.
Retefe also adds a fake root certificate, disguised as if issued and verified by a well-known certification authority, Comodo. Because the browser trusts this injected root, the certificates presented by the attackers' proxy validate without any warning, which makes the fraud very difficult to spot from a user's perspective.

This is not a security issue on the side of any of the affected banks.

All major browsers, including Internet Explorer, Mozilla Firefox and Google Chrome, were affected. In some cases, the malware also tried to trick the user into installing a mobile component (detected by ESET as Android/Spy.Banker.EZ). This mobile component was then used to bypass two-factor authentication.

ESET researchers have also analyzed another variant, detected as JS/Retefe.B, with a slightly slimmer structure. Instead of using Tor directly, the cybercriminals opted for the Tor2web service, which lets the malware reach the .onion hidden services through a web gateway without installing a local Tor client.

Retefe has been on the radar of security researchers in the past, most recently when it targeted UK banking customers earlier this year. Since then, it has added the mobile component and extended its list of targets.

Am I one of the victims?
Users of the services mentioned below are advised to manually check for the following indicators of compromise, or to use ESET's Retefe Checker website:

1. Presence of one of the malicious root certificates claiming to be issued by COMODO Certification Authority, with the issuer's email address set to me@myhost.mydomain:
For Mozilla Firefox, go to the Certificate Manager (Firefox keeps its own certificate store, separate from the Windows one, so check it even if the system store is clean).
For other browsers, look within the system-wide installed root certificates through MMC (Microsoft Management Console) with the Certificates snap-in; certmgr.msc opens the current user's stores directly.

So far, we have seen two such certificates, with the following details:
o Serial number: 00:A6:1D:63:2C:58:CE:AD:C2
o Valid from: Tuesday, July 05, 2016
o Expires: Friday, July 03, 2026
o Issuer: me@myhost.mydomain, COMODO Certification Authority,

and
o Serial number: 00:97:65:C4:BF:E0:AB:55:68
o Valid from: Monday, February 15, 2016
o Expires: Thursday, February 12, 2026
o Issuer: me@myhost.mydomain, COMODO Certification Authority,
2. Presence of a malicious Proxy Auto-Configuration (PAC) script pointing to a .onion domain:
http://%onionDomain%/%random%.js?ip=%publicIP%
where %onionDomain% is an onion domain randomly selected from the configuration file, %random% is a string of 8 characters from the alphabet A-Z a-z 0-9, and %publicIP% is the user's public IP address.
For example: http://e4loi7gufljhzfo4.onion.link/xvsP2YiD.js?ip=100.10.10.100
(The .onion.link suffix in this example is a Tor2web gateway, which is how the JS/Retefe.B variant reaches the hidden service.) On Windows, the PAC URL is the "Use automatic configuration script" setting in Internet Options, stored as the AutoConfigURL value under HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings; Firefox has its own proxy configuration (network.proxy.autoconfig_url), so check both.

3. Presence of Android/Spy.Banker.EZ on your Android device (can be checked using an app).

What should I do if I am infected by Retefe?
1. If you are using any of the services from the list of targets below, change your logon credentials and check for suspicious activity (e.g. fraudulent transactions in your online banking). Change the credentials from a clean device, or only after completing steps 2 and 3; otherwise the new credentials can be harvested in exactly the same way.
2. Remove the Proxy Auto-Configuration (PAC) script from the system proxy settings (and from Firefox's own proxy settings, if set there).
3. Delete the above-mentioned certificate from every certificate store in which you found it (Windows store and Firefox store).
4. For proactive protection, use a reliable security solution with dedicated banking and payment protection. And don't forget to protect your Android device as well.
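The following script automates indicator checks 1 and 2 above and remediation steps 2 and 3 for a Windows user profile. It is an added example and is not code from the original post or from ESET. It assumes Windows PowerShell 5.1 or later, that it is run as the user being checked (the PAC setting and the user's Root store live in that user's registry hive and profile), that the serial numbers and issuer e-mail address are exactly those listed above, and, as my own assumption rather than something the article states, that the onion host in the PAC URL is a 16-character v2 onion address. It does not inspect Firefox's separate certificate store or proxy settings.

```powershell
# Added example: report (and with -Remediate, remove) the Retefe PAC and root-certificate
# indicators described in the article. Not ESET's code; see the assumptions in the text.
[CmdletBinding()]
param(
    # Remove the indicators instead of only reporting them.
    [switch]$Remediate
)

# Serials from the article with the DER leading 00 byte and the colons dropped, so they
# compare with X509Certificate2.SerialNumber whichever way Windows renders them.
$RetefeSerials    = @('A61D632C58CEADC2', '9765C4BFE0AB5568')
$RetefeIssuerMail = 'me@myhost.mydomain'

# Indicator 2 shape: http://<onion>[.tor2web-suffix]/<8 chars>.js?ip=<IPv4>
# The [a-z2-7]{16} host is the v2 onion address format (assumption, see text).
$PacPattern = '^http://[a-z2-7]{16}\.onion(\.[a-z0-9-]+)*/[A-Za-z0-9]{8}\.js\?ip=(\d{1,3}\.){3}\d{1,3}$'
$InetKey    = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'

function ConvertTo-BareSerial([string]$Serial) {
    # Strip colons/spaces and leading zero bytes, upper-case the hex.
    return ($Serial -replace '[^0-9A-Fa-f]', '').TrimStart('0').ToUpperInvariant()
}

function Test-RetefePacUrl([string]$Url) {
    return [bool]($Url -and ($Url -match $PacPattern))
}

$findings = @()

# Indicator 2: the "automatic configuration script" URL used by Internet Explorer/WinINET.
$pac = (Get-ItemProperty -Path $InetKey -Name AutoConfigURL -ErrorAction SilentlyContinue).AutoConfigURL
if (Test-RetefePacUrl $pac) {
    $findings += "PAC script points to a Tor hidden service: $pac"
    if ($Remediate) {
        Remove-ItemProperty -Path $InetKey -Name AutoConfigURL
        Write-Host "Removed AutoConfigURL from Internet Settings"
    }
}

# Indicator 1: a trusted root carrying the article's issuer e-mail address or serial numbers.
foreach ($store in 'Cert:\CurrentUser\Root', 'Cert:\LocalMachine\Root') {
    foreach ($cert in (Get-ChildItem -Path $store -ErrorAction SilentlyContinue)) {
        $serialHit = $RetefeSerials -contains (ConvertTo-BareSerial $cert.SerialNumber)
        $issuerHit = $cert.Issuer -match [regex]::Escape($RetefeIssuerMail)
        if ($serialHit -or $issuerHit) {
            $findings += "Suspicious root in ${store}: thumbprint $($cert.Thumbprint), issuer '$($cert.Issuer)'"
            if ($Remediate) {
                # Windows asks for confirmation when a root is removed from CurrentUser\Root;
                # removing from LocalMachine\Root needs an elevated shell.
                Remove-Item -Path $cert.PSPath
                Write-Host "Removed certificate $($cert.Thumbprint) from $store"
            }
        }
    }
}

if ($findings.Count -eq 0) {
    Write-Host "No Retefe indicators found for $env:USERNAME"
} else {
    Write-Warning "Retefe indicators found:"
    $findings | ForEach-Object { Write-Warning "  $_" }
}
```

Save it as Check-Retefe.ps1 and run it once without arguments to see the report; run it with -Remediate to remove what it found. The serial comparison deliberately ignores the leading 00 byte because the same certificate is displayed with it in some tools and without it in others, and the issuer check catches new certificates from the same generator that the serial list would miss.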
Hats off to my colleagues Juraj Jánošík and Zolo Rusnák for the technical analysis.

List of targets
*.facebook.com
*.bankaustria.at
*.bawag.com
*.bawagpsk.com
*.bekb.ch
*.bkb.ch
*.clientis.ch
*.creditsuisse.com
*.easybank.at
*.eek.ch
*.gmx.at
*.gmx.ch
*.gmx.com
*.gmx.de
*.gmx.net
*.if.com
*.lukb.ch
*.onba.ch
*.paypal.com
*.raiffeisen.at
*.raiffeisen.ch
*.staticubs.com
*.ubs.com
*.ukb.ch
*.urkb.ch
*.zkb.ch
*abs.ch
*baloise.ch
*barclays.co.uk
*bcf.ch
*bcj.ch
*bcn.ch
*bcv.ch
*bcvs.ch
*blkb.ch
*business.hsbc.co.uk
*cahoot.com
*cash.ch
*cic.ch
*cooperativebank.co.uk
*glkb.ch
*halifaxonline.co.uk
*halifax.co.uk
*juliusbaer.com
*lloydsbank.co.uk
*lloydstsb.com
*natwest.com
*nkb.ch
*nwolb.com
*oberbank.at
*owkb.ch
*postfinance.ch
*rbsdigital.com
*sainsburysbank.co.uk
*santander.co.uk
*shkb.ch
*smile.co.uk
*szkb.ch
*tescobank.com
*ulsterbankanytimebanking.co.uk
*valiant.ch
*wir.ch
*zuercherlandbank.ch
accounts.google.com
clientis.ch
cs.directnet.com
ebanking.gkb.ch
eb.akb.ch
ebanking.raiffeisen.ch
hsbc.co.uk
login.live.com
login.yahoo.com
mail.google.com
netbanking.bcge.ch
onlinebusiness.lloydsbank.co.uk
tb.raiffeisendirect.ch
uko.ukking.co.uk
urkb.ch
www.banking.co.at
www.hsbc.co.uk
www.oberbankbanking.at
wwwsec.ebanking.zugerkb.ch
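The list above mixes three entry styles that are not interchangeable when you hunt for visits to targeted sites in proxy or DNS logs: "*.ubs.com" matches subdomains only, "*tescobank.com" also matches the bare name (and any longer name ending in it), and entries without "*" match exactly. The following matcher, an added example that is not part of the original post, applies those semantics to a few constructed log lines. The subset of entries, the log lines and the log format (timestamp, client IP, host) are constructed for the demonstration.

```powershell
# Added example: match hostnames from proxy logs against the Retefe target list using
# the three entry styles found in the list. Constructed data, not from the article.

# A subset of the list above, one entry per line, covering all three styles.
$Targets = @'
*.ubs.com
*.paypal.com
*tescobank.com
*barclays.co.uk
accounts.google.com
login.live.com
'@ -split "`r?`n" | Where-Object { $_ }

function Get-RetefeTargetMatch {
    param([string]$HostName, [string[]]$Patterns = $Targets)
    foreach ($pattern in $Patterns) {
        if ($pattern.Contains('*')) {
            # -like treats '*' as a wildcard and everything else (including '.') literally;
            # it is case-insensitive, which is what we want for hostnames.
            if ($HostName -like $pattern) { return $pattern }
        } elseif ($HostName -eq $pattern) {
            return $pattern
        }
    }
    return $null
}

# Constructed proxy log lines in a hypothetical "<time> <client IP> <host>" format.
$LogLines = @'
2016-11-08T09:12:01Z 10.0.0.21 ebanking.ubs.com
2016-11-08T09:12:07Z 10.0.0.21 ubs.com
2016-11-08T09:13:40Z 10.0.0.35 tescobank.com
2016-11-08T09:13:41Z 10.0.0.35 www.tescobank.com
2016-11-08T09:14:02Z 10.0.0.35 accounts.google.com
2016-11-08T09:14:05Z 10.0.0.35 calendar.google.com
2016-11-08T09:15:11Z 10.0.0.40 notbarclays.co.uk
'@ -split "`r?`n" | Where-Object { $_ }

foreach ($line in $LogLines) {
    $time, $client, $targetHost = $line -split '\s+', 3
    $hit = Get-RetefeTargetMatch -HostName $targetHost
    if ($hit) { "{0} {1} -> {2} (matched '{3}')" -f $time, $client, $targetHost, $hit }
    else      { "{0} {1} -> {2} (no match)"      -f $time, $client, $targetHost }
}
```

Running it shows the three behaviours side by side: ebanking.ubs.com matches "*.ubs.com" while the bare ubs.com does not; both tescobank.com and www.tescobank.com match "*tescobank.com"; accounts.google.com matches exactly while calendar.google.com does not; and notbarclays.co.uk matches "*barclays.co.uk", because an entry with a bare leading "*" is a suffix match rather than a domain match. Keep that last case in mind when turning this list into detection rules.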