The latest variant of “Retefe” has expanded its target list to include several financial institutions in Japan.
Retefe is a smart piece of malware. It installs a root certificate on the victim's machine, changes the DNS settings and then deletes itself. This lets the attacker sit between the host and the target and conduct a real-time man-in-the-middle attack. Our friends at SWITCH have made a fine Retefe diagram that shows exactly how the attack is conducted:

This new variant of Retefe, which was spammed to random recipients, was seeded from a compromised web site that the victim was lured to visit, as it was linked in the spam e-mail:
http://www.visachina.ch/contenido_new/templates/standard/widgets/gtrcturutxuimrticr.exe (malware has been removed)
This variant expands its target list to also include several banks in Japan, as listed below:
aa.mizuhobank.co.jp
chibabank.co.jp
www.chibabank.co.jp
ib.chibabank.co.jp
82bank.co.jp
www.82bank.co.jp
direct1.82bank.co.jp
chugin.co.jp
www.chugin.co.jp
direct.chugin.co.jp
direct.jp-bank.japanpost.jp
awabank.co.jp
www.awabank.co.jp
ib.awabank.co.jp
daishi-bank.co.jp
www.daishi-bank.co.jp
ib.daishi-bank.co.jp
hokkokubank.co.jp
www.hokkokubank.co.jp
ib.hokkokubank.co.jp
musashinobank.co.jp
www.musashinobank.co.jp
www2.musashinobank.co.jp
ib1.musashinobank.co.jp
yamagatabank.co.jp
www.yamagatabank.co.jp
ib1.yamagatabank.co.jp
miyagin.co.jp
www.miyagin.co.jp
mib.miyagin.co.jp
www.parasol.anser.ne.jp
The attack relies on a rogue DNS server located in Russia: 91.237.198.136. Traffic observed going to this DNS server should be investigated as a potential compromise.
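Because Retefe leaves nothing behind except the rogue resolver setting and the root certificate, the resolver IP above and the target list are the most useful hunting indicators. The following is an added example (not code from the original post or from SWITCH) that checks resolver configuration lines and DNS flow-log lines for the rogue resolver and for bank lookups answered by a resolver that is not on an allow-list. The key=value log format, the sample lines and the trusted-resolver address 10.0.0.2 are constructed for the example; the rogue IP and the bank domains are the ones from the write-up.

```python
"""Hunting helper for the Retefe DNS hijack described above (added example)."""
import re
from typing import Dict, Iterable, List

# Rogue resolver named in the write-up.
ROGUE_DNS = "91.237.198.136"

# Registrable domains of the Japanese targets listed in the write-up;
# sub-hosts such as ib.chibabank.co.jp are matched by suffix.
RETEFE_TARGET_DOMAINS = (
    "mizuhobank.co.jp", "chibabank.co.jp", "82bank.co.jp", "chugin.co.jp",
    "japanpost.jp", "awabank.co.jp", "daishi-bank.co.jp", "hokkokubank.co.jp",
    "musashinobank.co.jp", "yamagatabank.co.jp", "miyagin.co.jp", "anser.ne.jp",
)

# Assumed corporate resolver(s); anything else answering bank lookups is suspect.
TRUSTED_RESOLVERS = {"10.0.0.2"}

_KV_RE = re.compile(r"(\w+)=(\S+)")            # constructed key=value log format
_IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def is_target_host(hostname: str) -> bool:
    """True if hostname is one of the listed banks or a sub-host of one."""
    h = hostname.lower().rstrip(".")
    return any(h == d or h.endswith("." + d) for d in RETEFE_TARGET_DOMAINS)


def rogue_resolvers(config_lines: Iterable[str]) -> List[str]:
    """Return resolver-config lines (resolv.conf 'nameserver X' or the
    'DNS Servers' line of ipconfig /all) that point at the rogue IP."""
    return [line.strip() for line in config_lines
            if ROGUE_DNS in _IP_RE.findall(line)]


def scan_dns_log(lines: Iterable[str]) -> List[Dict[str, str]]:
    """Flag (a) any DNS traffic to the rogue resolver and (b) lookups of the
    targeted banks that go to a resolver outside TRUSTED_RESOLVERS."""
    findings = []
    for line in lines:
        fields = dict(_KV_RE.findall(line))
        if fields.get("dport") != "53":
            continue                                  # not DNS, skip
        dst = fields.get("dst", "")
        qname = fields.get("qname", "")
        if dst == ROGUE_DNS:
            reason = "query to rogue resolver"
        elif is_target_host(qname) and dst not in TRUSTED_RESOLVERS:
            reason = "target bank lookup via untrusted resolver"
        else:
            continue
        findings.append({"src": fields.get("src", ""), "dst": dst,
                         "qname": qname, "reason": reason})
    return findings


# Constructed sample data for a stand-alone run.
SAMPLE_RESOLV = [
    "# constructed /etc/resolv.conf",
    "nameserver 91.237.198.136",
    "nameserver 10.0.0.2",
]
SAMPLE_LOG = [
    "ts=2014-08-01T10:00:00Z src=10.0.0.5 dst=10.0.0.2 dport=53 qname=www.example.com",
    "ts=2014-08-01T10:00:01Z src=10.0.0.5 dst=91.237.198.136 dport=53 qname=ib.chibabank.co.jp",
    "ts=2014-08-01T10:00:02Z src=10.0.0.7 dst=203.0.113.9 dport=53 qname=direct1.82bank.co.jp",
    "ts=2014-08-01T10:00:03Z src=10.0.0.7 dst=10.0.0.2 dport=443 qname=-",
]

if __name__ == "__main__":
    for hit in rogue_resolvers(SAMPLE_RESOLV):
        print("resolver config:", hit)
    for f in scan_dns_log(SAMPLE_LOG):
        print(f"{f['src']} -> {f['dst']} {f['qname']}: {f['reason']}")
```

The second rule matters because the rogue resolver IP is the easiest thing for the operators to rotate: a lookup of one of the listed banks that bypasses the corporate resolvers is a signal on its own, whatever IP it goes to. Neither check covers the installed root certificate, which has to be hunted in the host's trust store separately.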
Retefe was previously used in what Trend Micro dubbed "Operation Emmental":
http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-finding-holes-operation-emmental.pdf
A fine analysis, written in German, was also published by SWITCH:
http://securityblog.switch.ch/2014/07/22/retefe-bankentrojaner/