win.retefe

Retefe

aka: Tsukuba, Werdlod

Retefe is a Windows Banking Trojan that can also download and install additional malware onto the system using Windows PowerShell. Its primary functionality is to assist the attacker with stealing credentials for online banking websites. It is typically targeted against Swiss banks. The malware binary itself is primarily a dropper component for a JavaScript file which builds a VBA file, which in turn loads multiple tools onto the host, including 7zip and TOR. The VBA installs a new root certificate and then forwards all traffic via TOR to the attacker-controlled host in order to effectively MITM TLS traffic.

References
https://www.proofpoint.com/us/threat-insight/post/2019-return-retefe
https://threatpost.com/eternalblue-exploit-used-in-retefe-banking-trojan-campaign/128103/
https://github.com/cocaman/retefe
https://www.govcert.admin.ch/blog/33/the-retefe-saga
https://www.govcert.admin.ch/blog/35/reversing-retefe
https://researchcenter.paloaltonetworks.com/2015/08/retefe-banking-trojan-targets-sweden-switzerland-and-japan/
https://github.com/Tomasuh/retefe-unpacker
Yara Rules
[TLP:WHITE] win_retefe_auto (20180607 | autogenerated rule brought to you by yara-signator)
// Autogenerated Malpedia signature for the Retefe banking trojan (provenance in `meta`).
// Matching logic: ten short 32-bit x86 byte sequences, selected by yara-signator from
// unpacked files and memory dumps (see the DISCLAIMER block); the rule fires when any
// 7 of the 10 sequences are found in the scanned data.
// Reader notes:
//   - $sequence_1..3 and $sequence_4..6 nest inside each other byte-for-byte, so the
//     "7 of them" threshold can be reached from as few as three independent code sites
//     (see the per-string comments and the comment on `condition`).
//   - There is no MZ-header or filesize guard; that is consistent with the stated aim of
//     also matching memory dumps, but it means the rule may be applied to any byte stream.
rule win_retefe_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2018-11-23"
        version = "1"
        description = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator 0.1a"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.retefe"
        malpedia_version = "20180607"
        malpedia_license = "CC BY-NC-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using yara-signator.
     * The code and documentation / approach will be published in the near future here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */

    strings:
        // Call-through-register followed by a result check. Four generic bytes; on its
        // own this pattern is common compiler output, so it carries little specificity.
        $sequence_0 = { 51 8bf8 ffd6 85c0 }
            // n = 4, score = 6000
            //   51                   | push                ecx
            //   8bf8                 | mov                 edi, eax
            //   ffd6                 | call                esi
            //   85c0                 | test                eax, eax

        // $sequence_1, $sequence_2 and $sequence_3 are nested: $sequence_3 is
        // "8bf0" + $sequence_1 and $sequence_2 + "56", so one hit on $sequence_3
        // automatically yields hits on $sequence_1 and $sequence_2 as well
        // (three counted matches from a single code location).
        $sequence_1 = { 85f6 7410 6a09 56 }
            // n = 4, score = 6000
            //   85f6                 | test                esi, esi
            //   7410                 | je                  0x4028f9
            //   6a09                 | push                9
            //   56                   | push                esi

        $sequence_2 = { 8bf0 85f6 7410 6a09 }
            // n = 4, score = 6000
            //   8bf0                 | mov                 esi, eax
            //   85f6                 | test                esi, esi
            //   7410                 | je                  0x4028f9
            //   6a09                 | push                9

        $sequence_3 = { 8bf0 85f6 7410 6a09 56 }
            // n = 5, score = 6000
            //   8bf0                 | mov                 esi, eax
            //   85f6                 | test                esi, esi
            //   7410                 | je                  0x4028f9
            //   6a09                 | push                9
            //   56                   | push                esi

        // $sequence_4, $sequence_5 and $sequence_6 are likewise nested
        // ($sequence_6 = "55" + $sequence_5 = "55 8bec" + $sequence_4), so a hit on
        // $sequence_6 counts as three matches. The leading "55 8bec" bytes are the
        // standard `push ebp; mov ebp, esp` function prologue, which is ubiquitous in
        // 32-bit code; the distinguishing part is the short body that follows it
        // (`[ebp + 8]` is the first stack argument under the usual frame layout).
        $sequence_4 = { 51 57 8bf8 3b7d08 }
            // n = 4, score = 5000
            //   51                   | push                ecx
            //   57                   | push                edi
            //   8bf8                 | mov                 edi, eax
            //   3b7d08               | cmp                 edi, dword ptr [ebp + 8]

        $sequence_5 = { 8bec 51 57 8bf8 3b7d08 }
            // n = 5, score = 5000
            //   8bec                 | mov                 ebp, esp
            //   51                   | push                ecx
            //   57                   | push                edi
            //   8bf8                 | mov                 edi, eax
            //   3b7d08               | cmp                 edi, dword ptr [ebp + 8]

        $sequence_6 = { 55 8bec 51 57 8bf8 3b7d08 }
            // n = 6, score = 5000
            //   55                   | push                ebp
            //   8bec                 | mov                 ebp, esp
            //   51                   | push                ecx
            //   57                   | push                edi
            //   8bf8                 | mov                 edi, eax
            //   3b7d08               | cmp                 edi, dword ptr [ebp + 8]

        // $sequence_7 and $sequence_8: four consecutive `push imm8` instructions each.
        // NOTE(review): presumably a pushed argument list or an inline constant table
        // specific to this sample; not confirmable from the rule alone.
        $sequence_7 = { 6a0f 6a0d 6a9a 6a22 }
            // n = 4, score = 4000
            //   6a0f                 | push                0xf
            //   6a0d                 | push                0xd
            //   6a9a                 | push                -0x66
            //   6a22                 | push                0x22

        $sequence_8 = { 6ad3 6add 6adc 6a11 }
            // n = 4, score = 4000
            //   6ad3                 | push                -0x2d
            //   6add                 | push                -0x23
            //   6adc                 | push                -0x24
            //   6a11                 | push                0x11

        // `mov dword ptr fs:[0], eax` writes the head of the thread's SEH handler
        // chain, i.e. compiler-emitted exception-frame registration. The prologue part
        // is generic; the sample-specific part is the large frame offset (-0x1018),
        // which suggests a sizeable local buffer — inference, not verified here.
        $sequence_9 = { 50 8d45f4 64a300000000 c785e8efffff00000000 }
            // n = 4, score = 4000
            //   50                   | push                eax
            //   8d45f4               | lea                 eax, dword ptr [ebp - 0xc]
            //   64a300000000         | mov                 dword ptr fs:[0], eax
            //   c785e8efffff00000000     | mov    dword ptr [ebp - 0x1018], 0

    condition:
        // 7 of 10 strings. Because of the nesting noted above, a single hit on
        // $sequence_3 (3 counted matches) plus a single hit on $sequence_6 (3 counted
        // matches) already gives 6, so one further hit on any of $sequence_0/7/8/9
        // satisfies the rule: the effective requirement is as low as three independent
        // code sites. Treat hits as a triage signal to be corroborated rather than as
        // proof of family membership, in line with the DISCLAIMER.
        7 of them
}