Banking Trojan uses false certificate
The so-called Retefe malware has Tesco Bank and numerous other banks and services on its target list. This was discovered by the European security software manufacturer ESET. The Trojan was detected by ESET Threat Intelligence Services.
"The possible link between the massive attack on Tesco Bank, where thousands of customers lost their savings, and the Retefe banking Trojan is scary," commented Peter Stančík, ESET Security Evangelist.
In its current form, the so-called JS/Retefe malware has been active since at least February 2016. It searches for users' online banking credentials and then misuses them to conduct fraudulent transactions.
Malicious attachment
Detected by ESET as JS/Retefe, the malicious code is usually distributed as an email attachment. In most cases, the mail pretends to contain an invoice from a mail-order company. Once the attachment is opened, several components are installed, including the Tor anonymization service. This is used to configure a proxy for selected banking sites.
In some cases, the malware tried to trick the user into installing a mobile app. ESET detects this threat as Android/Spy.Banker.EZ. The app was used to bypass two-factor authentication.
Forged certificate
Retefe brings its own fake "root certificate", which gives the impression of having been issued and verified by the well-known certification authority Comodo. From the user's perspective, the fraud is therefore very difficult to detect.
Security researchers had already become aware of Retefe in the past. Most recently, bank customers in the UK fell victim to the Trojan. Since then, it has added further mobile components and expanded the target list. Affected institutions include major banks in Switzerland, the UK and Austria, as well as popular services such as Facebook and PayPal.
Users of the affected services are advised to manually check certain indicators of compromise or to use ESET's automated Retefe Checker website.
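For users who want to perform the manual check themselves, the following PowerShell snippet is an added example and is not part of the ESET article or its Retefe Checker; it assumes a Windows host and only reads the user's certificate store and the per-user WinINet proxy settings, looking for the two indicators described above: a Comodo-named root certificate that is not one of the machine-wide trusted roots, and a proxy configuration the user did not set.

```powershell
# Added example (not ESET's code): read-only check for the two Retefe
# indicators described in the article. Assumes Windows PowerShell with the
# Cert: drive available.

# 1. Root certificates in the current user's store that mention Comodo.
#    Roots distributed with Windows live in LocalMachine\Root; a root that
#    exists only in CurrentUser\Root was added by something running as this
#    user and deserves a closer look.
$machineRoots = Get-ChildItem -Path Cert:\LocalMachine\Root |
    Select-Object -ExpandProperty Thumbprint

$suspectRoots = Get-ChildItem -Path Cert:\CurrentUser\Root |
    Where-Object {
        $_.Subject -match 'COMODO' -and ($machineRoots -notcontains $_.Thumbprint)
    } |
    ForEach-Object {
        [PSCustomObject]@{
            Indicator  = 'Comodo-named root present only in the user store'
            Subject    = $_.Subject
            Issuer     = $_.Issuer
            NotBefore  = $_.NotBefore
            Thumbprint = $_.Thumbprint
        }
    }

if ($suspectRoots) {
    $suspectRoots | Format-List
} else {
    Write-Output 'No Comodo-named root found in CurrentUser\Root that is missing from LocalMachine\Root.'
}

# 2. Per-user WinINet proxy settings (used by Internet Explorer and many
#    other applications). A ProxyServer or AutoConfigURL that you did not
#    configure yourself is the kind of change a "proxy for selected banking
#    sites" requires and should be investigated.
$inet = Get-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
[PSCustomObject]@{
    ProxyEnable   = $inet.ProxyEnable
    ProxyServer   = $inet.ProxyServer
    AutoConfigURL = $inet.AutoConfigURL
} | Format-List
```

Empty ProxyServer and AutoConfigURL values on a home machine are the expected result; a populated AutoConfigURL pointing at a local or unfamiliar address is worth comparing against the indicators ESET publishes.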
A step-by-step guide can be found on the ESET blog WeLiveSecurity under this link.