
Retefe

Posted: October 14, 2014

Threat Metric

Ranking: 14,827
Threat Level: 9/10
Infected PCs: 653
First Seen: October 14, 2014
Last Seen: October 7, 2023
OS(es) Affected: Windows

Retefe is a banking Trojan that intercepts your online banking credentials while showing few or no symptoms of a serious breach of your PC's security. Retefe previously was seen in campaigns against European banks, but new variants of Retefe have been reconfigured to attack customers of Japanese banking sites. As with any high-level threat, specialized anti-malware solutions and PC security professionals should be used to undo the system changes that allow Retefe to collect your credentials. Afterward, contacting your bank directly is highly recommended.

Retefe: the Case of the Vanishing Spyware

Although banking Trojans like Zeus, Trojan.Shylock or Trojan.Komodola are far from uncommon, most of them stay resident on the PC they attack. Retefe merits additional warnings because it deletes its own executable once it has reconfigured your computer, so that information can be harvested afterward without your security software finding any installed threat to flag. As a result, Retefe may only be detectable before its payload has finished running; that payload changes your system's DNS settings and installs a fraudulent root certificate, which together enable 'Man-in-the-Middle' style attacks on your browsing sessions.

Retefe's modifications cause traffic for a list of targeted bank websites to be redirected, so that account details entered by the customer arrive at servers the attacker controls instead of at the bank. Because Retefe also installs a fraudulent certificate, the browser still shows the padlock icon next to the URL bar, and the user gets no visible warning that the 'secure' connection is actually terminated by the attacker. The padlock only means that the browser trusts the certificate chain it was shown, and it will trust that chain once a rogue root certificate has been added to the trust store. In the past, bank sites in nations like Switzerland and Austria were the targets. However, new versions of Retefe have attacked customers of Japanese banks such as Musashino Bank, Miyazaki Bank, Daishi Bank and Chiba Bank.

Malware researchers particularly emphasize that these MitM attacks produce no symptoms that would raise a victim's suspicion. Some aspects of Retefe's installation, however, may generate misleading pop-ups, such as installation prompts for fake mobile security applications.

Dealing with the Spyware that's Already Gone

If at all possible, Retefe should be intercepted before it is installed. Most Retefe campaigns distribute the threat through spam e-mail messages, which may carry Trojan installers as file attachments or links to malicious websites. These messages target specific businesses or individuals and are typically disguised as communications from legitimate companies (such as the Zalando e-retailer).

When you suspect that Retefe has compromised your PC, malware experts recommend dealing with the breach before making any further use of your Web browser on sensitive websites. Your DNS settings should be reset to known-good values, and Retefe's rogue certificate should be removed from the Windows certificate store (which is kept in the Windows Registry) using appropriate system maintenance tools. Changing your bank passwords from the compromised machine before that is done only hands the new credentials to the attacker. After Retefe's system changes have been removed, your bank can provide additional advice on how to deal with any breaches of your account.
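The two system changes this article attributes to Retefe, the altered DNS resolvers described under the MitM attack above and the dropped certificate that the clean-up step removes, are both things an administrator can check for and undo from PowerShell. The script below is an added example written for this page; it is not code from the article or from any vendor tool. The list of expected DNS servers, the `-Remove` switch and the heuristic that a user-only, self-signed root is suspicious are assumptions you must adapt to your own environment (an enterprise PKI may legitimately place roots in the user store).

```powershell
# Added example, not from the original article: triage and clean-up for a
# Retefe-style compromise on Windows. Run in an elevated PowerShell session.
# Assumptions (hypothetical, adjust for your environment):
#   - $ExpectedDns holds the resolvers your adapters should be using
#     (placeholders from the RFC 5737 documentation range).
#   - Without -Remove the script only reports; with -Remove it reverts DNS
#     to DHCP and deletes self-signed roots found only in the user store.
[CmdletBinding()]
param(
    [string[]]$ExpectedDns = @('192.0.2.53', '192.0.2.54'),
    [switch]$Remove
)

# 1. DNS: list every adapter whose resolver list deviates from the expected
#    set. Retefe-style malware points the client at attacker-controlled
#    resolvers so that bank hostnames resolve to the attacker's proxy.
$dnsFindings = Get-DnsClientServerAddress -AddressFamily IPv4 |
    Where-Object { $_.ServerAddresses.Count -gt 0 } |
    Where-Object {
        @($_.ServerAddresses | Where-Object { $ExpectedDns -notcontains $_ }).Count -gt 0
    }

foreach ($f in $dnsFindings) {
    Write-Warning ("Adapter '{0}' uses unexpected DNS servers: {1}" -f
        $f.InterfaceAlias, ($f.ServerAddresses -join ', '))
    if ($Remove) {
        # Revert to DHCP-assigned resolvers (the 'DNS settings reset' the article calls for).
        Set-DnsClientServerAddress -InterfaceIndex $f.InterfaceIndex -ResetServerAddresses
    }
}

# 2. Certificates: a trojan running as the logged-on user cannot write to the
#    machine-wide root store, so it drops its root CA into the *user's* Root
#    store (HKCU\Software\Microsoft\SystemCertificates\Root in the registry).
#    A root that exists only there, is self-signed and was not issued by a PKI
#    you recognise deserves a close look; it is what makes the padlock appear
#    on a connection the attacker is terminating.
$machineRoots = Get-ChildItem Cert:\LocalMachine\Root |
    Select-Object -ExpandProperty Thumbprint
$userOnlyRoots = Get-ChildItem Cert:\CurrentUser\Root |
    Where-Object { $machineRoots -notcontains $_.Thumbprint }

foreach ($c in $userOnlyRoots) {
    # Subject == Issuer marks a self-signed root; NotBefore shows when it appeared.
    $selfSigned = ($c.Subject -eq $c.Issuer)
    Write-Warning ("User-only root: {0} | self-signed={1} | valid from {2} | thumbprint {3}" -f
        $c.Subject, $selfSigned, $c.NotBefore, $c.Thumbprint)
    if ($Remove -and $selfSigned) {
        Remove-Item -Path ("Cert:\CurrentUser\Root\{0}" -f $c.Thumbprint)
    }
}

if (-not $dnsFindings -and -not $userOnlyRoots) {
    Write-Host 'No unexpected DNS servers or user-only root certificates found.'
}
```

Run it once without `-Remove` and review the warnings before running it again with the switch; Windows may show its own confirmation dialog when a certificate is deleted from the user's Root store. Record the thumbprint and subject of anything you remove, since they are useful indicators when checking other machines in the same environment. Also check the settings of any browser that keeps its own trust store (Firefox does) and any proxy configuration the user profile may carry, since this script only covers the Windows store and the adapter DNS settings.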

Mobile phone users also should take particular steps to guard against the interception of account authentication messages, such as one-time codes sent by SMS, by related threats like Retefe's fake mobile app component.
