[News] Trojan against Swiss, Japanese, Austrian, Swedish banks

In recent days, several clients of Swiss banks may have become potential victims of a Trojan horse. According to various sources, a group of hackers has launched a massive attack against the e-banking accounts of 12 Swiss banks. The trojan is called “Retefe” and the attack has been publicly documented by TrendMicro.

Attack – Step 1 – Phishing + information gathering

The client opens a spam message, which “releases” the virus (only if the client runs the attachment, often an RTF file). The malicious program disappears once the infection has succeeded. As soon as the client opens an e-banking session, he is redirected to a fake server (the hackers' own), on which a copy of his bank's Internet page appears (phishing attack). The customer then enters his security credentials, which are now in the hands of the hackers.

Attack – Step 2 – Software installation

After step 1, the hackers have the client's credentials, but often this is not enough. In many banks, the client must enter his client number and a password; then, if this pair is correct, he receives an SMS with a code to copy into a field of the web page. To obtain this code, the hackers invite the client to install an application on his mobile phone. This application is able to forward the code contained in the SMS to the hackers. After that, the hackers have full control of the client's e-banking.

Attack – 2 small modifications

When the user runs the attached file, the trojan is downloaded and installed to %ALLUSERSPROFILE%. Apparently it uses the name netupdater.exe. It modifies the following registry entry so that it runs each time the computer starts:

  • in subkey: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
  • sets value: “<Malware name>”
  • with data: “%ALLUSERSPROFILE%\<Malware Name>.exe”

To remain undetected, when it needs to run as administrator it can show a message window suggesting that an update needs to be installed. The malware can display this message in different languages, including German and English.


After that, this trojan can steal sensitive information such as your online user names and passwords. It does this by installing a fake self-signed certificate in the browser. It then changes the DNS server to an IP address of the hackers' server.

Recommendations

In terms of e-banking, the following recommendations are valid at all times, independently of this attack.

  • Banks never ask their clients to provide credentials or to install an application on a smartphone
  • Updated antivirus software should always be installed on the machine
  • The firewall should be enabled and updated regularly
  • The operating system and the browser installed on the computer must be kept up to date. The same applies to all installed programs, such as Microsoft Office, Adobe Reader, etc.
  • Exercise the greatest caution with e-mails from unknown sources: do not open the e-mail or its attachments, and do not click on links in the message
  • Do not follow requests from unknown sources asking you to install an application on the smartphone or a so-called “security certificate”. Important for Android users:
    • Only install applications from the official “Google Play Store”
    • Check that the “Unknown sources” option is disabled in the security settings
    • Check that the “Verify apps” option is enabled in the security settings

Hackers' DNS server list

  • 5.39.219.212
  • 193.169.244.73
  • 193.169.244.191
  • 93.171.202.99
  • 78.108.179.81
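The three host-side traces described above (the HKCU Run entry launching from %ALLUSERSPROFILE%, the self-signed certificate, and the replaced DNS server) can be checked with a read-only triage script. This is an added example, not code from the article or from TrendMicro's report; it assumes a Windows 8 or later host with PowerShell 3+, reuses the IP list published on this page, and only inspects the Windows certificate store (a browser with its own store, such as Firefox, would need a separate check).

```powershell
# Added triage script (assumption: Windows 8+/PowerShell 3+). It only reads; it removes nothing.
$KnownBadDns = @('5.39.219.212', '193.169.244.73', '193.169.244.191', '93.171.202.99', '78.108.179.81')
$Findings = @()

# 1. Persistence: HKCU Run values whose target executable lives under %ALLUSERSPROFILE%
$RunKey   = 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$AllUsers = [Environment]::ExpandEnvironmentVariables('%ALLUSERSPROFILE%')
$RunValues = Get-ItemProperty -Path $RunKey -ErrorAction SilentlyContinue
if ($RunValues) {
    foreach ($p in $RunValues.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # skip PSPath, PSParentPath, PSChildName, ...
        # Expand variables and drop surrounding quotes so a quoted path still matches the prefix
        $target = [Environment]::ExpandEnvironmentVariables([string]$p.Value).Trim('"')
        if ($target.StartsWith($AllUsers, [StringComparison]::OrdinalIgnoreCase)) {
            $Findings += "Run value '$($p.Name)' launches '$target' from %ALLUSERSPROFILE%"
        }
    }
}

# 2. DNS hijack: any IPv4 interface configured with one of the listed attacker resolvers
foreach ($cfg in Get-DnsClientServerAddress -AddressFamily IPv4 -ErrorAction SilentlyContinue) {
    foreach ($srv in $cfg.ServerAddresses) {
        if ($KnownBadDns -contains $srv) {
            $Findings += "Interface '$($cfg.InterfaceAlias)' uses attacker DNS server $srv"
        }
    }
}

# 3. Fake certificate: self-signed roots added to the user's trusted root store in the last 30 days.
#    A certificate with a backdated NotBefore would slip past this filter; review the store manually too.
$Cutoff = (Get-Date).AddDays(-30)
foreach ($cert in Get-ChildItem -Path Cert:\CurrentUser\Root -ErrorAction SilentlyContinue) {
    if ($cert.Subject -eq $cert.Issuer -and $cert.NotBefore -gt $Cutoff) {
        $Findings += "Recent self-signed root in CurrentUser\Root: $($cert.Subject) (thumbprint $($cert.Thumbprint))"
    }
}

if ($Findings.Count -eq 0) { 'No Retefe-style traces found.' } else { $Findings }
```

Any hit is a reason to stop using the machine for e-banking and to contact the bank, as the Conclusion below recommends.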

Conclusion

Customers can easily tell whether they are affected by this attack. If during an e-banking session the customer has been prompted to install an application on his phone, he is one of the victims of this attack. In this case it is necessary to inform his bank as soon as possible to stop any abusive transactions.

According to Microsoft, this trojan is also distributed in fake e-mails sent on behalf of Zalando. For more information about this trojan, please consult these links:

Download TrendMicro Report
