Trojan:Win32/Retefe.A


First posted on 28 February 2014.
Source: Microsoft

Aliases:

There are no other names known for Trojan:Win32/Retefe.A.

Explanation:

Threat behavior

Trojan:Win32/Retefe.A has been used in a number of targeted attacks. We have seen it used in various forms, including packed with UPX, and protected by custom packers to deter detection by security products.

Installation


It is usually distributed by targeted email phishing attacks. The phishing email tries to look like it comes from a legitimate company, such as that shown below.



When the attached file is run by the victim, Trojan:Win32/Retefe.A is downloaded and installed to %ALLUSERSPROFILE%. We have seen it use the file name netupdater.exe.

It modifies the following registry entry so that it runs each time you start your PC:

In subkey: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Sets value: ""
With data: "%ALLUSERSPROFILE%.\.exe"

To remain undetected when it needs to run as administrator, Trojan:Win32/Retefe.A can show a message window suggesting that an update needs to be installed. The message can be displayed in several languages, including German and English.





Payload

Steals sensitive information

Trojan:Win32/Retefe.A can steal sensitive information from your PC, such as your online user names and passwords. It does this by installing a fake self-signed certificate and intercepting traffic through your Internet browser.

It installs a fake self-signed certificate with the thumbprint 3DDF56A7004D90034D77E2D97F68C56FAA3C93AD:



It then installs the same self-signed certificate into the Firefox browser's certificate store (Firefox keeps its own store rather than using the Windows store).

It also changes the DNS server to an IP address of a server controlled by the attacker. We have seen the following IP addresses being used:

  • 193.169.244.191
  • 93.171.202.99


Stops processes

Trojan:Win32/Retefe.A terminates the following processes if they are running:

  • iexplore.exe
  • firefox.exe
  • chrome.exe




Analysis by Daniel Radu

Symptoms

The following could indicate that you have this threat on your PC:

  • You see these entries or keys in your registry:

    In subkey: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    Sets value: ""
    With data: "%ALLUSERSPROFILE%.\.exe"
  • You see one of these pop-ups:
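As an added example (not part of Microsoft's write-up), the following PowerShell script checks a host for the indicators this page lists: a Run key entry whose data points into %ALLUSERSPROFILE%, the netupdater.exe file name, the certificate thumbprint, and the two DNS server addresses. Variable names and the output format are assumptions; because the value name and file name in the Run key data are elided on the page, the script matches on the %ALLUSERSPROFILE% path prefix rather than on an exact value.

```powershell
# Added triage script for the Trojan:Win32/Retefe.A indicators listed on this page.
# Not Microsoft's code. Run from an elevated PowerShell prompt on the host being checked.
# Indicator values come from the page; helper names and output shape are assumptions.

$RetefeThumbprint = '3DDF56A7004D90034D77E2D97F68C56FAA3C93AD'
$RetefeDnsServers = @('193.169.244.191', '93.171.202.99')
$RetefeFileName   = 'netupdater.exe'

$findings = @()
$allUsers = [Environment]::ExpandEnvironmentVariables('%ALLUSERSPROFILE%')

# 1. Persistence: HKCU Run values whose data points into %ALLUSERSPROFILE%.
#    The exact value name and file name are elided on the page, so match the path prefix.
$runKey = 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
if (Test-Path $runKey) {
    $props = Get-ItemProperty -Path $runKey
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # skip registry-provider metadata properties
        $data = [string]$p.Value
        if ($data -like "$allUsers*" -or $data -like '*%ALLUSERSPROFILE%*') {
            $findings += [pscustomobject]@{ Indicator = 'Run key'; Detail = "$($p.Name) = $data" }
        }
    }
}

# 2. Dropped file: the file name the page reports, under %ALLUSERSPROFILE%.
$dropPath = Join-Path $allUsers $RetefeFileName
if (Test-Path $dropPath) {
    $findings += [pscustomobject]@{ Indicator = 'Dropped file'; Detail = $dropPath }
}

# 3. Rogue certificate in any Windows certificate store (Firefox's own store is not covered here).
$certs = Get-ChildItem -Path Cert:\ -Recurse -ErrorAction SilentlyContinue |
         Where-Object { $_.Thumbprint -eq $RetefeThumbprint }
foreach ($c in $certs) {
    $findings += [pscustomobject]@{ Indicator = 'Certificate'; Detail = "$($c.PSParentPath) $($c.Subject)" }
}

# 4. DNS client settings pointing at the attacker-controlled addresses.
$dns = Get-DnsClientServerAddress -AddressFamily IPv4 -ErrorAction SilentlyContinue
foreach ($d in $dns) {
    foreach ($addr in $d.ServerAddresses) {
        if ($RetefeDnsServers -contains $addr) {
            $findings += [pscustomobject]@{ Indicator = 'DNS server'; Detail = "$($d.InterfaceAlias) -> $addr" }
        }
    }
}

if ($findings.Count -eq 0) {
    'No Trojan:Win32/Retefe.A indicators found.'
} else {
    $findings | Format-Table -AutoSize
}
```

The script only reads registry, file system, certificate and DNS settings, so it can be run repeatedly during an investigation. Get-DnsClientServerAddress needs the DnsClient module (Windows 8 / Server 2012 and later); on older systems the DNS check can be replaced with a look at the interface settings in the Tcpip\Parameters\Interfaces registry keys. The certificate installed for Firefox lives in the profile's NSS database and needs a separate check with NSS tooling. A match on any one indicator warrants a full review of the host, since the page shows the malware combining the certificate and DNS changes to intercept browser traffic.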



Last update 28 February 2014
