
This malware just got more powerful by adding the WannaCry trick to its arsenal


Phantomboxe


The Retefe banking trojan is now using the EternalBlue exploit that helped spread WannaCry to make attacks more effective.

 


Swiss banks represent a lucrative target for cybercriminals.

 

A trojan banking malware campaign has returned and now it's leveraging EternalBlue -- the leaked NSA surveillance exploit -- to target Swiss financial institutions.

Developed by the NSA but revealed to the world by a hacking group, the EternalBlue Windows security flaw exploits a version of Windows' Server Message Block (SMB) networking protocol to spread itself across an infected network using worm-like capabilities.

 

It was by using the EternalBlue exploit that May's WannaCry ransomware attack was able to spread so quickly. The tool was soon adopted by cybercriminal groups looking to make their malware more powerful -- and now it's being used to steal credentials and cash from Swiss banks by the group behind the Retefe malware.

 

Active since 2013, the Retefe banking trojan isn't as notorious as the likes of Dridex, but targets banks in the UK, Switzerland, Austria, Sweden, and Japan. It has also been known to target Mac users.

 

Unlike other banking trojans, which rely on webinjects to hijack online banking sessions, Retefe routes traffic to and from the target banks through proxy servers hosted on the TOR network. These proxy sites host phishing pages designed to look like the targeted bank's login page in order to steal credentials from victims, providing access to accounts for theft and fraud.

Retefe is typically delivered via phishing emails containing malicious Microsoft Office documents containing embedded Package Shell Objects -- although some contain malicious macros instead. If the user runs the file, a PowerShell command will run the malicious payload and install the code.

 

Now researchers at Proofpoint have discovered that the payload contains the configuration for EternalBlue, with code taken from a publicly available proof-of-concept for the exploit posted in a dump on GitHub. The tool is now used to download the PowerShell script which installs Retefe.

With the addition of EternalBlue, the malware can spread across networks. This particular installation of the exploit lacks the module responsible for infinitely spreading the malware as WannaCry did.

However, researchers note that the attackers behind Retefe could be merely experimenting with EternalBlue for now -- and that they could roll out the leaked exploit in full force in future.

 

"It is possible that the addition of limited network propagation capabilities may represent an emerging trend for the threat landscape as 2018 approaches," wrote Proofpoint researchers.

 

Indeed, those behind Retefe aren't the only threat actors looking to leverage EternalBlue to make malware more powerful. The attack group behind the Trickbot malware has also been experimenting with deploying the exploit.

 

Following the public release of the leaked NSA hacking tools, Microsoft released patches designed to protect users from falling victim to attacks using EternalBlue.

 

However, as demonstrated by the extent to which WannaCry spread, many organisations simply aren't applying the critical updates released to prevent them from becoming victims of attacks leveraging the tools.

source:

http://www.zdnet.com/article/this-malware-just-got-more-powerful-by-adding-the-wannacry-trick-to-its-arsenal/

https://www.scmagazineuk.com/eternalblue-exploit-used-in-swiss-campaigns-by-retefe-malware/article/695309/

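Added example, not part of the original post or the article it quotes: the delivery chain described above (an Office document that ends up launching PowerShell) is visible in process-creation logs as an Office application spawning a script host. The sketch below triages such events; the field names follow Sysmon's process-creation event, while the host names, sample events, process lists and argument heuristics are assumptions constructed for illustration.

```python
import ntpath

# Office parents and script-host children to watch for (illustrative lists, tune per estate).
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "mshta.exe"}
# Command-line traits typical of hidden download-and-run one-liners (heuristic only).
RISKY_ARGS = ("-enc", "-w hidden", "-windowstyle hidden", "downloadstring",
              "downloadfile", "invoke-expression")

def exe_name(path):
    """Lower-cased file name of a Windows path, whatever OS this runs on."""
    return ntpath.basename(path or "").lower()

def triage(event):
    """Return an alert dict if an Office app spawned a script host, else None."""
    parent, child = exe_name(event.get("ParentImage")), exe_name(event.get("Image"))
    if parent not in OFFICE_PARENTS or child not in SCRIPT_HOSTS:
        return None
    cmdline = (event.get("CommandLine") or "").lower()
    flags = [arg for arg in RISKY_ARGS if arg in cmdline]
    return {
        "host": event.get("Computer", "unknown"),
        "chain": f"{parent} -> {child}",
        "flags": flags,
        "severity": "high" if flags else "medium",
    }

def detect(events):
    """Run triage over a batch of events and keep only the alerts."""
    return [alert for alert in map(triage, events) if alert]

# Constructed sample events (not taken from any real incident).
SAMPLE_EVENTS = [
    {"Computer": "WS-014", "ParentImage": r"C:\Program Files\Microsoft Office\Office16\WINWORD.EXE",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -w hidden -enc <BASE64-PLACEHOLDER>"},
    {"Computer": "WS-022", "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe Get-ChildItem"},
    {"Computer": "WS-031", "ParentImage": r"C:\Program Files\Microsoft Office\Office16\EXCEL.EXE",
     "Image": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd.exe /c dir"},
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

An interactive PowerShell session started from Explorer is ignored, while any Office-to-script-host chain is surfaced and raised to high severity when the command line is hidden or encoded.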

Retefe = how to rob a bank by using just your computer & help from NSA's stupidity.

Seems like 2018's gonna be the year of iWannaDie....



1 hour ago, JimmySvert said:

Retefe = how to rob a bank by using just your computer & help from NSA's stupidity.

Seems like 2018's gonna be the year of iWannaDie....

Retefe is using a virus that was patched in Windows 59 days before WannaCry was ever released

https://technet.microsoft.com/en-us/library/security/ms17-010.aspx

People who got hit by it were people who didn't do Windows updates .. and Retefe is using the same virus, it was patched long ago. They seem sort of hard up to use an exploit that's been patched, but there are still some who think it's best not to / or are just too lazy to do Windows updates that are vulnerable. :lol:



1 hour ago, steven36 said:

People who got hit by it were people who didn't do Windows updates .. and Retefe is using the same virus, it was patched long ago. They seem sort of hard up to use an exploit that's been patched, but there are still some who think it's best not to / or are just too lazy to do Windows updates that are vulnerable. :lol:

I suppose these people are banks, investment companies etc.



44 minutes ago, JimmySvert said:

I suppose these people are banks, investment companies etc.

Well, if they don't do this update they must have some sorry ITs... When WannaCry hit, the ITs at my mom's work told them that they had already patched it in March and not to open emails from anyone they were not expecting any from. Looks like most all businesses would have done got this update by now; they even made it available for XP. The OP says you're safe from the virus as long as you've done these updates. That's why this outbreak was not very effective in my country. Petya ransomware did more damage in my country than WannaCry did because the virus infected some software.



Archived

This topic is now archived and is closed to further replies.
