This presentation by Jaromir Horejsi and Jan Sirmer (Avast Software) was delivered at VB2016 in Denver, CO, USA.
Much media attention is given to imminent and visible threats, like ransomware. Other threats remain under the radar and often go unnoticed. Malicious proxies are one of these threats.
Redirections are made via proxies and are only activated in certain situations. Internet web browser settings are modified slightly, so that a very small (less than 1KB), and often obfuscated proxy auto-config file is queried from the configuration server. If a victim browses particular websites, such as banking sites, they are redirected to fake or malicious domains that look more or less identical to real sites. Other than that, infected computers behave normally and victims usually don’t notice anything out of the ordinary. All the credentials victims enter into fake sites are harvested by cybercriminals. This allows for a variety of attacks, including MitM and SSL impersonation, which may later lead to identity theft, unauthorized account access, and financial loss.
In our talk, we will discuss the Retefe banking trojan, which celebrated its comeback in the summer of 2016. There have been several changes made to Retefe, including, but not limited to, the structure of the delivered payload, geographical distribution, and targeted online banking systems. Spread via malicious email attachments, a few malicious scripts are dropped and executed, a rogue certificate is installed, and proxy configurations of victims’ browsers are changed. Unlike the previous waves, the latest waves target banking users in the UK. The particular waves differ from one another, for example, by installing third-party tools and libraries (Tor, Proxifier, etc.), using different methods of persistence, and the addition of more targeted financial institutions.
We will show a detailed infection vector, as well as ways of targeting and changing the settings of various web browsers. We will reverse engineer all the malware components coming from the various waves, and finally show original and fake websites as seen from both clean and infected computers. We will also show the statistics and severity of this threat, as seen by our userbase. Although it is quite simple from a technical point of view, Retefe is quite powerful and efficient in reaching its unpleasant goals.