{
	"id": "3ab33da0-18b3-4ab5-81a6-e4fe7762a4e4",
	"created_at": "2026-04-06T00:17:45.600003Z",
	"updated_at": "2026-04-10T13:12:11.802836Z",
	"deleted_at": null,
	"sha1_hash": "6426a0cedf167146e1b0fa100f6f1a8151822548",
	"title": "Retefe banking Trojan leverages EternalBlue exploit in Swiss campaigns | Proofpoint US",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 921194,
	"plain_text": "Retefe banking Trojan leverages EternalBlue exploit in Swiss campaigns | Proofpoint US\r\nBy Proofpoint Staff, September 21, 2017\r\nPublished: 2017-09-21 · Archived: 2026-04-05 13:13:39 UTC\r\nOverview\r\nThe Retefe banking Trojan has historically targeted Austria, Sweden, Switzerland and Japan, and we have also observed it targeting banking sites in the United Kingdom. While it has never reached the scale or notoriety of better-known banking Trojans such as Dridex or Zeus, it is notable for its consistent regional focus and interesting implementation. To these it recently added the use of the EternalBlue exploit -- made famous in the May WannaCry ransomware outbreak -- for internal network traversal after initial infection.\r\nUnlike Dridex or other banking Trojans that rely on webinjects to hijack online banking sessions, Retefe operates by routing traffic to and from the targeted banks through various proxy servers, often hosted on the TOR network. We previously discussed Retefe in relation to German-language lures targeting Austrian and Swiss online banking users and outlined the role of proxies in compromising victims:\r\nFigure 1: Overview of proxy injection used by Retefe\r\nDespite being relatively unknown outside its normally targeted regions, Retefe is in fact a malware family with an extensive history, as outlined in an overview of Retefe activity published by the Swiss Government Computer Emergency Response Team (GovCERT.ch).\r\nhttps://www.proofpoint.com/us/threat-insight/post/retefe-banking-trojan-leverages-eternalblue-exploit-swiss-campaigns\r\nPage 1 of 7\n\nIn recent months, Retefe has generally been delivered in malicious unsolicited email campaigns containing Microsoft Office document attachments. The attachments contain embedded Package Shell Objects, or OLE Objects, that are typically Windows Shortcut “.lnk” files. 
The attachments also contain an image and text encouraging the user to click on the shortcuts to run them (Figure 2). Some recent campaigns have also featured malicious macros instead of Package Shell Objects.\r\nFigure 2: Retefe Microsoft Word attachment\r\nIf the user opens the shortcut and accepts the security warning that appears (Figure 3), the PowerShell command contained in the LNK downloads an executable payload hosted on a remote server. This server may be under threat actor control or, in some cases, a public cloud filesharing or collaboration platform such as Dropbox. The payloads in recent campaigns are self-extracting Zip archives.\r\nFigure 3: Windows shortcut warning when users attempt to open the shortcut\r\nAs noted, the downloaded executable is a self-extracting Zip that contains a multiply-obfuscated JavaScript installer. A deobfuscated example of the installer code is shown in Figure 4:\r\nFigure 4: Deobfuscated JavaScript installer\r\nSeveral parameters are set within the “Cfg” section:\r\n“dl:” - a list of proxy servers hosted in TOR\r\n“cert:” - a (Base64-encoded) fake root certificate\r\n“ps:” - certificate installation script for Internet Explorer\r\n“psf:” - certificate installation script for Firefox\r\n“pstp:” - a script that downloads and installs TOR and other utilities\r\n“pseb:” - a script that implements the EternalBlue exploit in order to spread laterally\r\nAs noted above, Retefe relies on proxy servers to intercept and modify banking traffic for infected users. These proxies generally reside on TOR servers set in the “dl:” parameter, while the “pstp:” parameter above installs TOR on infected computers. 
However, the “pstp:” parameter is missing in some samples, and the Retefe group has used TOR-to-web proxies, Proxifier, and Obfs4proxy in the past in addition to installing TOR.\r\nWe first observed the “pseb:” parameter on September 5. The “pseb:” configuration implements the EternalBlue exploit, borrowing most of its code from a publicly available proof-of-concept posted on GitHub. It also contains functionality to log the installation and victim configuration details, uploading them to an FTP server. On September 20, the “pseb:” section had been replaced with a new “pslog:” section that contained only the logging functions.\r\nDecoding the “pseb:” section produces the code shown in Figure 5. The payload configuration for EternalBlue in this implementation is shown in Figure 6.\r\nFigure 5: EternalBlue (and logging) script start\r\nFigure 6: EternalBlue payload configuration\r\nFigure 7 shows the decoded payload string invoked by the shellcode:\r\nFigure 7: Decoded EternalBlue payload string\r\nIn turn, decoding this payload string reveals a PowerShell command (Figure 8):\r\nFigure 8: Decoded EternalBlue payload PowerShell command\r\nThe EternalBlue exploit thus downloads a PowerShell script from a remote server, which itself includes an embedded executable that installs Retefe. This installation, however, lacks the “pseb:” module responsible for further lateral spread via EternalBlue, thus avoiding an infinite spreading loop.\r\nRetefe also distributed versions of this malware that were compatible with Mac OS between June and August of this year.\r\nConclusion\r\nThe group distributing Retefe has been active since 2013 and continues to refine their attack vectors and techniques. 
While far less widespread than other banking Trojans like Dridex or The Trick, the focus on Swiss banks provides the Retefe group with potential high-profile targets. In addition, we are observing increasingly targeted attacks from this group which, with the addition of the EternalBlue exploit, create opportunities for effective propagation within networks once initial targets have been compromised. It should also be noted that, in the context of WannaCry and the incorporation of the EternalBlue exploit in The Trick banking Trojan as well, it is possible that the addition of limited network propagation capabilities may represent an emerging trend for the threat landscape as 2018 approaches.\r\nAs always, organizations should ensure that they are fully patched against the EternalBlue exploit of the vulnerability CVE-2017-0144. They should also block associated traffic in IDS systems and firewalls and block malicious messages (the primary vector for Retefe) at the email gateway.\r\nIndicators of Compromise (IOCs)\r\nRegistry key (Proxy Auto-Config / Proxy-PAC): HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\AutoConfigURL: \"hxxp[:]//127.0.0[.]1:5555/{0}.js?ip={1}\" where {0} is 8 random characters and {1} is the victim IP\r\nET and ETPRO Suricata/Snort Signatures\r\n2018789 ET POLICY TLS possible TOR SSL traffic\r\n2021997 ET POLICY External IP Lookup\r\n2522230 ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group\r\nSource: https://www.proofpoint.com/us/threat-insight/post/retefe-banking-trojan-leverages-eternalblue-exploit-swiss-campaigns",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.proofpoint.com/us/threat-insight/post/retefe-banking-trojan-leverages-eternalblue-exploit-swiss-campaigns"
	],
	"report_names": [
		"retefe-banking-trojan-leverages-eternalblue-exploit-swiss-campaigns"
	],
	"threat_actors": [
		{
			"id": "a8fba3fa-62bf-4fdb-92bb-29aa6375b92d",
			"created_at": "2024-02-08T02:00:04.329621Z",
			"updated_at": "2026-04-10T02:00:03.585503Z",
			"deleted_at": null,
			"main_name": "Operation Emmental",
			"aliases": [
				"Retefe Gang",
				"Retefe Group"
			],
			"source_name": "MISPGALAXY:Operation Emmental",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434665,
	"ts_updated_at": 1775826731,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/6426a0cedf167146e1b0fa100f6f1a8151822548.pdf",
		"text": "https://archive.orkl.eu/6426a0cedf167146e1b0fa100f6f1a8151822548.txt",
		"img": "https://archive.orkl.eu/6426a0cedf167146e1b0fa100f6f1a8151822548.jpg"
	}
}