{
	"id": "30a122fd-695f-4a1b-8693-106157b5f987",
	"created_at": "2026-04-06T00:10:17.654297Z",
	"updated_at": "2026-04-10T03:21:07.589644Z",
	"deleted_at": null,
	"sha1_hash": "78202fb059c1954350f69622f7cfe81db8966098",
	"title": "The evolution of the Retefe banking Trojan",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 271916,
	"plain_text": "The evolution of the Retefe banking Trojan\r\nBy Jaromír Hořejší 18 Jul 2016\r\nArchived: 2026-04-02 11:20:25 UTC\r\nThe Retefe Trojan is now also targeting Smile banking customers. The Trojan has evolved and includes new malicious components.\r\nThree weeks ago, we published a blog post about the Retefe banking Trojan, which targeted banking customers in the United Kingdom. The Trojan steals login credentials and other personal information. Retefe is usually spread via a phishing email. The email contains a document embedded with malicious JavaScript, and user interaction is needed to activate the Trojan.\r\nAnother UK bank, the Smile online bank, has recently been added to the list of affected banks.\r\nThe main behavior of the Trojan has largely remained unchanged, with the exception of its malicious components. The infection vector, as well as the installation of the malicious certificate, are the same as we reported in our last blog post.\r\nOnce the JavaScript runs, it attempts to kill open web browser processes. It then installs a fake certificate and changes the proxy auto-config URL. All scripts are obfuscated with the Dean Edwards packer. This behavior is similar to the previous version of Retefe.\r\nThe JavaScript, however, now contains three PowerShell scripts, two of which are the same as in the previous version. ConfirmCert clicks “OK” in the window displayed during the installation of the rogue certificate, and AddCertFF adds the rogue certificate to Firefox. InstallTP is the new PowerShell script. It downloads and installs three programs: the Task Scheduler wrapper, Tor and Proxifier.\r\nThe Task Scheduler Managed Wrapper is downloaded from Codeplex. This adds the option to use the object “New-Object Microsoft.Win32.TaskScheduler.TaskService”, which is later used for establishing persistence.\r\nThe Tor client gives the Trojan the possibility to access .onion domains directly.\r\nProxifier, as stated on their website, “allows network applications that do not support working through proxy servers to operate through a SOCKS or HTTPS proxy and chains.”\r\nThe AutoConfigURL contains a link to a .onion domain, which can now be reached because Tor was installed.\r\nhttps://blog.avast.com/the-evolution-of-the-retefe-banking-trojan\r\nPage 1 of 8\r\nThe Tor client is a console application and, if executed normally, its console window can be seen by the user. However, the victim can’t see the window on an infected machine, because Tor’s window is hidden. Retefe calls ShowWindow with the parameter nCmdShow set to the value SW_HIDE, thus hiding the window from the victim.\r\nSimilar to the previous version of Retefe, the proxy configuration is served only to systems with UK IP addresses. If any of the previous banks or the newly added bank are accessed, the traffic is routed via a malicious proxy. This proxy is hidden behind Tor, as can be seen below.\r\nWhen a user visits one of the websites from the list of targeted websites, the site’s certificate is replaced with a fake one. This allows attackers to camouflage the infection and to get the victim's login credentials. Below you can see a fake version of the Smile bank website, which has been added with this version of the Trojan.\r\nFake Smile banking website\r\nFake Smile banking website certificate\r\nThe newly added PowerShell script, InstallTP, adds persistence. We can see two malicious tasks in the Task Scheduler. They are the “AdobeFlashPlayerUpdate” and “GoogleUpdate Task” tasks, which are executed every 30 minutes and execute both Tor and Proxifier. Even if the user were to stop them, they would restart again in 30 minutes.\r\nProxifier allows all traffic to run through a Tor proxy running on localhost on port 9050. It can specify which targets should be accessed via the proxy and which ones should be accessed directly.\r\nFor example, when we visit api.ipify.org it shows us that our IP address was not changed (Action: Direct) and is still located in the UK, but when we go to whatismyip.com it shows us a slightly different result.\r\nWhen we looked into the settings file, we found that the attackers are using a cracked version of Proxifier.\r\nWe assume this is not the last time we will be seeing the Retefe banking Trojan evolve, not only in the UK, but also globally. The biggest danger of attacks using fake certificates is convincing users that they are completely safe, because valid HTTPS certificates are used.\r\nSHAs:\r\n03E6A87CC90BD5A8B2EB2E4B6C3D8201B8DC7E7A89FF8A6AA05E9539146FD1AF\r\n347701FAF633D1EDAAA630BA1D3652F13D6097C3855B91C14551390F4C56096F\r\n3944686BEDEA78C498BFCF0431DE509EE118C0CC95DA07402B12E4C954F1A125\r\n6308623E0CF994FC14F8F483A840E0E28428D510CDFC4F07992E40B3F2C77FF4\r\n6B1869D8C1BB898BAC91220823AE80D770D9591DA60EE919FCA0A588D994DFA6\r\n821EBC34F86BFF680E4AACEA40FDACECB3B45B3BE9D231EF9AC261FA2FDC7549\r\nC6E0FC6B084443A0B5D18778F93EE9EBFB7758435BAEEF284F2835552DD641EB\r\nCE549E89D46BD5657809A129C9C02BAEE934F91888A18928F387942F156429EC\r\nCE55C12B504DFF52867F59FAD40C3EED4A4D0CA10A33B3FF3E3BE1039F86B67E\r\nD1C0661E19AB3EDEA209EEFEAC38904FC0D5264F065EB9E769598A55DB938908\r\nAcknowledgement:\r\nSpecial thanks to my colleague, Jan Sirmer, for his cooperation on this analysis.\r\nSource: https://blog.avast.com/the-evolution-of-the-retefe-banking-trojan",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://blog.avast.com/the-evolution-of-the-retefe-banking-trojan"
	],
	"report_names": [
		"the-evolution-of-the-retefe-banking-trojan"
	],
	"threat_actors": [],
	"ts_created_at": 1775434217,
	"ts_updated_at": 1775791267,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/78202fb059c1954350f69622f7cfe81db8966098.pdf",
		"text": "https://archive.orkl.eu/78202fb059c1954350f69622f7cfe81db8966098.txt",
		"img": "https://archive.orkl.eu/78202fb059c1954350f69622f7cfe81db8966098.jpg"
	}
}