Another day another malware, that seems to be the new order, literally every day we are coming across a new species of malware that is capable of creating havoc but the good thing is security research firms like ESET ensure that the anti-malware program matches up with the malware. The latest one seems to Retefe, a malware that usually targets banking organizations and also social media sites including Facebook.
What is Retefe Banking Trojan
The Retefe malware executes a Powershell script which will modify the browser proxy settings and installs a malicious root certificate that will be falsely claimed to have been installed by a well-known certification authority called Comodo. That said some variants might also install Tor and Proxifier and eventually schedule the same to be launched automatically with the help of Task Scheduler.
It’s clearly a case of Man-in-the-Middle attack wherein the victim tries to make a connection with an online banking web page that matches the configuration list in the Retefe file. This is when the malware springs into action and modifies the banking web page and will phish user credentials and will also trick the users into installing the mobile component of the malware. The worst part is that the mobile components bypass the two-factor authentication with the help of mTANs. Also, all the major browsers including Internet Explorer, Google Chrome, and Mozilla Firefox are affected by this bug.
Eset Retefe Checker
One can manually check for the presence of the malicious root certificates which is falsely claimed to have been issued by COMODO Certification Authority and the issuer’s email is set to me@myhost .mydomain.
If you are a Mozilla Firefox user, head over to Certificate Manager and check the field value. For browsers other than Mozilla have a look at the system-wide installed Root Certificates via the Microsoft Management Console. You need to check for the presence of malicious Proxy Automatic Configuration script (PAC) which points out to a .onion domain.
You can also download Eset Retefe Checker and run the tool. However, Retefe Checker might also sometimes trigger a false alarm and it’s for this reason that users should check manually too.
As precautions, you could change your login credentials on some of the major sites that you use. Remove the Proxy Automatic Configuration script by deleting the certificate as shown in the screenshot below and then once done you can start using an anti-malware of your choice to avoid such intrusions.
You can read more about the manual removal process and download the Eset Retefe Checker from Eset.com here.