A trojan banking malware campaign has returned and now it’s leveraging EternalBlue — the leaked NSA surveillence exploit — to target Swiss financial institutions.
Developed by the NSA but revealed to the world by a hacking group, the EternalBlue Windows security flaw exploits a version of Windows’ Server Message Block (SMB) networking protocol to spread itself across an infected network using worm-like capabilities.
It was by using the EternalBlue exploit that May’s WannaCry ransomware attack was able to spread so quickly. The tool was soon adopted by cybercriminal groups looking to make their malware more powerful — and now it’s being used to steal credentials and cash from Swiss banks by the group behind the Retefe malware.
Active since 2013, the Retefe banking trojan isn’t as notorious as the likes of Dridex, but targets banks in the UK, Switzerland, Austria, Sweden, and Japan. It has also been known to target Mac users.
Unlike other banking trojans, which rely on webinjects to hijack online banking sessions, Retefe routes traffic to and from the target banks through proxy servers hosted on the TOR network. These proxy sites host phishing pages designed to look like the the targeted bank’s login page in order to steal credentials from victims, providing access to accounts for theft and fraud.
Retefe is typically delivered via phishing emails containing malicious Microsoft Office documents containing embedded Package Shell Objects — although some contain malicious macros instead. If the user runs the file, a PowerShell command will run the malicious payload and install the code.
Now researchers at Proofpoint have discovered that the payload contains the configuration for EternalBlue, with code taken from a publically available proof-of-concept for the exploit posted in a dump on GitHub. The tool is now used to download the PowerShell script which installs Retefe.
While the addition of EternalBlue, malware can spread across networks. This particular installation of the exploit lacks the module responsible for infinitely spreading the malware as WannaCry did.
However, researchers note that the attackers behind Retefe could be merely experimenting with EternalBlue for now — and that they could roll out the leaked exploit in full force in future.
“It is possible that the addition of limited network propagation capabilities may represent an emerging trend for the threat landscape as 2018 approaches,” wrote Proofpoint researchers.
Indeed, those behind Retefe aren’t the only threat actors looking to leverage EternalBlue to make malware more powerful. The attack group behind the Trickbot malware has also been experimenting with deploying the exploit.
Following the public release of the leaked NSA hacking tools, Microsoft released patches designed to protect users from falling victim to attacks using EternalBlue.
However, as demonstrated by the extent which WannaCry spread, many organisations simply aren’t applying the critical updates released to prevent them from becoming victims of attacks leveraging the tools.
READ MORE ON CYBERCRIME