Kevin Stear

Malspam targets Swiss with Retefe Banking Trojan

Blog Post created by Kevin Stear Employee on Oct 12, 2017

During the first week of October 2017, RSA FirstWatch identified a Malspam campaign targeting Swiss industry with malicious MS Word documents carrying the RETEFE Banking Trojan.


Much of Europe has been routinely targeted by these actors for the last several months, and there is little sign of the RETEFE campaign letting up, as evident in numerous VirusTotal submissions of recent dropper documents:



These dropper hashes all belong to German-language MS Word documents that, despite varying properties, are essentially the same W97M/Downloader, with the malicious code located in identical VBA macros.  Upon submitting one of the MS Word delivery documents to RSA's pre-release WhatsThisFile service, we are immediately greeted with a threat score of 100.  (Note:  The underlying VBA code streams in each of these Office documents are identical.  The malware author attempted to avoid detection by changing file properties (e.g., Author) on each of the documents.  This resulted in unique file hashes for each document, but the resulting codeset remained the same.)




Below are snapshots from our Cuckoo detonation (of one of the dropper documents) and the corresponding network traffic as seen by RSA NetWitness, both of which we'll walk through to show how the malicious code delivers a successful RETEFE infection.  (Note: the entire PCAP from our sandbox is available at GitHub - netwitness/retefe: retefe banking trojan.) 



As the document is first opened, embedded VBA code is automatically run via a Document_Open() subroutine contained in the ThisDocument VBA stream, as shown below.



The Document_Open() subroutine begins a long series of de-obfuscation steps which ultimately yields a base-64 encoded payload as shown below.  



This payload is base-64 decoded in order to obtain the second stage of the dropper attack as shown pasted below.



This stage of the attack utilizes PowerShell to launch a hidden window, which attempts to download malware from each of 5 sites specified in the payload.  This payload is launched via the VBA.Shell() command in the f9TZtz1 VBA code stream, as shown in the following two WhatsThisFile (WTF) screenshots.



NetWitness Endpoint (as shown in the steps and annotated in the graphic below) easily follows this behavior. 

1. The sequence begins with the doc file being launched from Internet Explorer, which calls Microsoft Word.

2. Once ‘Enable Content’ is clicked, WINWORD.exe calls PowerShell to retrieve content from a few different websites and save it as 65536.exe.

3. PowerShell creates a process with the downloaded content as 65536.exe.

4. The exe then calls wscript to launch a JavaScript file from an extracted RAR archive file.

5. Next, wscript writes a ps1 (PowerShell) script.

6. Wscript then calls PowerShell to launch the newly created VHSjWECxz.ps1 file. We also see PowerShell writing the 7za.exe file.



NetWitness Packets observes the first four download attempts fail (via 404) and catches the successful download of 'wluheol.exe', the actual RETEFE payload, from thomasamericalatina[.]net hosted at 190.0.230[.]91, under a Costa Rican based domain name and web-hosting service, Cyberfuel[.]com.


Below is a Maltego snapshot of the numerous attempted (failed and successful) RETEFE delivery domains with some basic passive DNS enrichment.


With regard to the 'wluheol.exe' payload (locally stored as 65536.exe), WTF shows us that some interesting things are going on here (e.g., 'missing file properties' and a 'major linker version does not match fingerprint'), but a more thorough analysis of the payload is warranted.

Now this gets interesting: at the end of the 'wluheol.exe' payload (correct offset and length determined by WTF) is a PKZIP file, which once unzipped reveals a JavaScript payload that is run by the EXE as the last stage of the infection.
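
The trailing PKZIP described above can be located without running the sample. The following is an added example (not code from the original post or from WhatsThisFile) that walks back from the ZIP end-of-central-directory record to recover the archive's offset and length and lists its members; the stub bytes and member name in the sample are constructed, and ZIP64 archives are not handled.

```python
import io
import struct
import zipfile

EOCD_SIG = b"PK\x05\x06"   # end-of-central-directory record signature
LFH_SIG = b"PK\x03\x04"    # local file header signature
EOCD_FMT = "<4sHHHHIIH"    # 22-byte fixed part of the EOCD record


def find_appended_zip(blob):
    """Return (offset, length) of a ZIP archive appended to blob, or None."""
    pos = blob.rfind(EOCD_SIG)
    while pos != -1:
        if pos + 22 <= len(blob):
            *_, cd_size, cd_offset, comment_len = struct.unpack_from(EOCD_FMT, blob, pos)
            end = pos + 22 + comment_len
            # cd_offset is relative to the archive's own first byte, so the
            # archive starts cd_offset + cd_size bytes before the EOCD record.
            start = pos - cd_size - cd_offset
            if start >= 0 and end <= len(blob) and blob[start:start + 4] == LFH_SIG:
                return start, end - start
        pos = blob.rfind(EOCD_SIG, 0, pos)  # false positive: try an earlier hit
    return None


def list_members(blob):
    """List (name, uncompressed size) of carved members without extracting them."""
    hit = find_appended_zip(blob)
    if hit is None:
        return []
    start, length = hit
    with zipfile.ZipFile(io.BytesIO(blob[start:start + length])) as zf:
        return [(i.filename, i.file_size) for i in zf.infolist()]


def build_sample():
    """Constructed stand-in: a fake 'MZ' stub followed by a harmless ZIP."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("js-1.js", "/* constructed placeholder */")
    stub = b"MZ" + b"\x00" * 510
    return stub + buf.getvalue(), len(stub)


if __name__ == "__main__":
    sample, stub_len = build_sample()
    print(find_appended_zip(sample), list_members(sample))
```
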
This JavaScript is HEAVILY OBFUSCATED and requires many rounds of decoding (e.g., js-1.js -> js-decoded.js  -> js-decoded-2.js -> js-decoded-3.js -> js-decoded-4.js, each of which is a payload that gets run), but reveals numerous artifacts that confirm (as detailed in the previous Proofpoint analysis) that this is in fact the RETEFE banking trojan.  For example, lines like this:



Decodes to this fun registry key:


HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\AutoDetect

Here are some other strings that are base64 encoded in the payload:



HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\AutoConfigURL






taskkill /F



taskkill /F /im firefox.exe



taskkill /F /im chrome.exe
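
A quick way to surface strings like these from one decoded layer, as an added example rather than code from the original analysis: it decodes quoted base64 literals and flags the proxy auto-config and browser-kill artifacts listed above. The sample JavaScript is constructed, and ASCII encoding of the decoded strings is an assumption.

```python
import base64
import re

# Quoted runs of base64 alphabet long enough to be worth decoding.
B64_LITERAL = re.compile(r"""["']([A-Za-z0-9+/]{16,}={0,2})["']""")

# Artifact families named in this post.
ARTIFACTS = {
    "proxy-autoconfig": re.compile(r"Internet Settings\\Auto(ConfigURL|Detect)", re.I),
    "browser-kill": re.compile(r"taskkill\s+/F", re.I),
}


def decode_literals(js_source):
    """Decode every quoted base64 literal that yields printable ASCII text."""
    decoded = []
    for match in B64_LITERAL.finditer(js_source):
        token = match.group(1)
        if len(token) % 4:
            continue  # not a whole number of base64 quanta
        try:
            text = base64.b64decode(token, validate=True).decode("ascii")
        except ValueError:  # covers binascii.Error and UnicodeDecodeError
            continue
        if text.isprintable():
            decoded.append(text)
    return decoded


def triage(js_source):
    """Return (artifact label, decoded string) pairs for one script layer."""
    return [(label, text)
            for text in decode_literals(js_source)
            for label, rx in ARTIFACTS.items() if rx.search(text)]


def _b64(s):
    return base64.b64encode(s.encode("ascii")).decode("ascii")


# Constructed one-layer sample; the real payload nests several such layers.
PAC_KEY = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\AutoConfigURL"
SAMPLE_JS = 'var a="%s"; var b="%s"; var pad="AAAAAAAAAAAAAAAAAAAA";' % (
    _b64(PAC_KEY), _b64("taskkill /F /im firefox.exe"))

if __name__ == "__main__":
    for hit in triage(SAMPLE_JS):
        print(hit)
```
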


The largest of all base64 payloads is in the last sequenced file in the zip (js-decoded-4.js), which contains the base64 decoded blob found in stage 3 (js-decoded-3.js).  It is also rife with artifacts, but is too big to paste here.  A zip (password 'infected') of all the decoded payloads has been posted to FirstWatch's public GitHub repo at GitHub - netwitness/retefe: retefe banking trojan.


During the execution of the malware (as described above), we begin to see some known characteristics and behaviors associated with RETEFE.  The download of Tor and socat are our first keys.



Tor with socat (acting as a proxy) is quickly put to use as the malware establishes command and control (c2) via a number of tor relays, as observed in the highlighted traffic below over ports 9001 and 443.




Again NetWitness Endpoint demonstrates its utility here (as annotated in the steps and graphic below).

8. PowerShell is called upon again, which launches cmd.exe. This time, it runs bitsadmin to download the TOR client.

9. EXE is called upon to extract the downloaded TOR content into the "C:\Users\analyst\AppData\Roaming\Identities" directory.

10. Next, mshta.exe is called to launch the TOR process.

11. We next see 7za.exe extracting more content into the “Identities” directory after another PowerShell script was run.

12. Here, we can see the malicious code launch ‘socat.exe’ and start a SOCKS tunnel to a TOR node on ports 5555 and 5588.  It also stops any running Chrome, Firefox or Internet Explorer browsers.
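
The parent/child relationships in both sets of numbered Endpoint steps (1-6 earlier and 8-12 here) can be expressed as a small correlation rule set that alerts only when one host shows several distinct stages. This is an added example, not NetWitness content: the event field names, the benign host HR-PC01, the command lines, and all paths other than the Identities directory are constructed assumptions.

```python
import re
from collections import defaultdict

# (rule id, parent-image regex, child-image regex, command-line regex).
# Each rule mirrors one numbered step; an empty pattern matches anything.
RULES = [
    ("office-spawns-powershell", r"winword\.exe$", r"powershell\.exe$", ""),    # step 2
    ("powershell-runs-dropped-exe", r"powershell\.exe$", r"\\(appdata|temp)\\.*\.exe$", ""),  # step 3
    ("wscript-runs-js", "", r"wscript\.exe$", r"\.js\b"),                       # step 4
    ("wscript-spawns-ps1", r"wscript\.exe$", r"powershell\.exe$", r"\.ps1\b"),  # step 6
    ("bitsadmin-under-cmd", r"cmd\.exe$", r"bitsadmin\.exe$", ""),              # step 8
    ("mshta-launch", "", r"mshta\.exe$", ""),                                   # step 10
    ("socat-relay", "", r"socat\.exe$", ""),                                    # step 12
]
COMPILED = [(n, *(re.compile(x, re.I) for x in rx)) for n, *rx in RULES]

def match_rules(ev):
    """Return ids of rules whose parent, image and command line all match."""
    return [n for n, p, c, a in COMPILED
            if p.search(ev["parent"]) and c.search(ev["image"]) and a.search(ev["cmdline"])]

def score_hosts(events, threshold=3):
    """Alert only on hosts that show several distinct stages of the chain."""
    stages = defaultdict(set)
    for ev in events:
        stages[ev["host"]].update(match_rules(ev))
    return {h: sorted(s) for h, s in stages.items() if len(s) >= threshold}

def _ev(host, parent, image, cmdline=""):
    return {"host": host, "parent": parent, "image": image, "cmdline": cmdline}

# Constructed process-creation events (assumed paths except the Identities dir).
WORD = r"C:\Program Files\Microsoft Office\WINWORD.EXE"
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
WS = r"C:\Windows\System32\wscript.exe"
TMP = r"C:\Users\analyst\AppData\Local\Temp"
EVENTS = [
    _ev("SALES05", WORD, PS),
    _ev("SALES05", PS, TMP + r"\65536.exe"),
    _ev("SALES05", TMP + r"\65536.exe", WS, 'wscript.exe "%s\\a.js"' % TMP),
    _ev("SALES05", WS, PS, "powershell.exe -File VHSjWECxz.ps1"),
    _ev("SALES05", PS, r"C:\Users\analyst\AppData\Roaming\Identities\socat.exe"),
    _ev("HR-PC01", r"C:\Windows\explorer.exe", WORD),
    _ev("HR-PC01", r"C:\Windows\System32\cmd.exe", r"C:\Windows\System32\bitsadmin.exe"),
]

if __name__ == "__main__":
    print(score_hosts(EVENTS))
```
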



In addition to the Tor connections, the malware also employs an alternative exfiltration method via FTP to a server hosted on world4you[.]com.  SALES05.log is the exfiltrated file, whose name is based on the infected machine, in this case ‘SALES05’.



This exfiltration is done via the J/S payload in the Zip file at the end of 'wluheol.exe', where several lines of code in the last J/S file provide some insight into exactly what's being exfiltrated in this log file.


   LogWrite("OS info: {0}" -f $wininfo -join ");
   LogWrite("Powershell version: {0}" -f $version);
   $pac=Get-ItemProperty 'hkcu:\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\'|Select -expand AutoConfigURL -ErrorAction Stop;
   LogWrite("Pac setted: '$pac'");
   LogWrite("Certs installed: '{0}'" -f ($Certs -join "; "));
   LogWrite("Proccess list:`n{0}" -f ($proc -join "`n"));
   LogWrite("List dir [{0}]: {1}" -f ($DestTP, (($dirs|Select -expand Name) -join "; ")));
   LogWrite("Av installed: '{0}'" -f ($avlist -join "; "));


It is believed that the actors are/were leveraging the below compromised site to access this FTP exfiltration.



As the infection persists over the course of many hours, we also observed heavy periodic beaconing in NetWitness Packets.



Thanks to Christopher Ahearn, Kent, and Ahmed Sonbol for their contributions to this research.  All related Indicators of Compromise (IOCs) have been added to the FirstWatch C2 Domain and C2 IPs feeds and are available in RSA Live.


Dropper hashes:





RETEFE Delivery domains:







RETEFE Payload hash:



RETEFE C2 domains (Tor relays):









Alternative exfil domain: