{
	"id": "c61809a2-b832-413c-bb42-e8fb2d58f542",
	"created_at": "2026-04-06T01:29:47.616739Z",
	"updated_at": "2026-04-10T03:21:53.114088Z",
	"deleted_at": null,
	"sha1_hash": "d0a83a33931bfd34f3520dc268a961be2848825a",
	"title": "EternalBlue Exploit Used in Retefe Banking Trojan Campaign",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 36491,
	"plain_text": "EternalBlue Exploit Used in Retefe Banking Trojan Campaign\r\nBy Tom Spring\r\nPublished: 2017-09-22 · Archived: 2026-04-06 00:18:22 UTC\r\nBanking Trojan Retefe is adopting new WannaCry tricks, adding an EternalBlue module to propagate the\r\nmalware.\r\nCriminals behind the Retefe banking Trojan have added a new component to their malware that uses the NSA\r\nexploit EternalBlue.\r\nThe update makes Retefe the latest malware family to adopt the SMBv1 attack against a patched Windows\r\nvulnerability, and could signal an emerging trend, said researchers at Proofpoint. Earlier this year, researchers at\r\nFlashpoint observed the TrickBot banking Trojan had added an EternalBlue module as well.\r\nWhile Retefe has never reached the scale or reputation of similar Trojans such as Dridex or Zeus, it is notable for\r\nits interesting implementations and consistent regional focus in Austria, Sweden, Switzerland, Japan and more\r\nrecently the United Kingdom, researchers said.\r\n“Unlike Dridex or other banking Trojans that rely on webinjects to hijack online banking sessions, Retefe operates\r\nby routing traffic to and from the targeted banks through various proxy servers, often hosted on the TOR\r\nnetwork,” said Proofpoint in a technical post Thursday explaining its research.\r\nOver the past several months, researchers have observed a wave of new Retefe campaigns consisting of\r\nunsolicited emails containing malicious Microsoft Office documents. Attachments contain embedded Package\r\nShell Objects, or Object Linking and Embedding Objects, that are typically Windows Shortcut “.lnk” files,\r\nresearchers said.\r\nIf the user opens the shortcut and accepts the security warning that appears, a PowerShell command initiates the\r\ndownload of a self-extracting Zip archive hosted on a remote server. 
The Zip archive contains an obfuscated\r\nJavaScript installer.\r\nWhen researchers de-obfuscated the JavaScript installer, they found several configuration session parameters. In\r\nrecent weeks, researchers said, a “pseb:” parameter has been added that references a script that implements the\r\nEternalBlue exploit that can be used to spread laterally within targeted networks.\r\n“We first observed the ‘pseb:’ parameter on Sept. 5. The ‘pseb:’ configuration implements the EternalBlue exploit,\r\nborrowing most of its code from a publicly available proof-of-concept,” researchers wrote.\r\nProofpoint said the EternalBlue parameter used by the adversary also contains functionality to log the installation\r\nand victim configuration details and uploads data to an FTP server.\r\nThe payload configuration for this implementation of EternalBlue downloads a PowerShell script from a remote\r\nserver, which includes an embedded executable that installs Retefe, researchers said.\r\nhttps://threatpost.com/eternalblue-exploit-used-in-retefe-banking-trojan-campaign/128103/\r\nPage 1 of 2\n\n“We are observing increasingly targeted attacks from this group, that, with the addition of the EternalBlue exploit,\r\ncreates opportunities for effective propagation within networks once initial targets have been compromised,”\r\nProofpoint wrote.\r\nResearchers note that on Sept. 20, the “pseb:” section had been replaced with a new “pslog:” section that contained\r\nonly the EternalBlue logging functions. “This installation, however, lacks the ‘pseb:’ module responsible for\r\nfurther lateral spread via EternalBlue, thus avoiding an infinite spreading loop,” they said.\r\nResearchers urge companies to ensure that they are fully patched against the EternalBlue vulnerability (CVE-2017-0144). 
“Companies should also block associated traffic in IDS systems and firewalls and block malicious\r\nmessages (the primary vector for Retefe) at the email gateway,” Proofpoint added.\r\nSource: https://threatpost.com/eternalblue-exploit-used-in-retefe-banking-trojan-campaign/128103/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"ETDA"
	],
	"references": [
		"https://threatpost.com/eternalblue-exploit-used-in-retefe-banking-trojan-campaign/128103/"
	],
	"report_names": [
		"128103"
	],
	"threat_actors": [],
	"ts_created_at": 1775438987,
	"ts_updated_at": 1775791313,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/d0a83a33931bfd34f3520dc268a961be2848825a.pdf",
		"text": "https://archive.orkl.eu/d0a83a33931bfd34f3520dc268a961be2848825a.txt",
		"img": "https://archive.orkl.eu/d0a83a33931bfd34f3520dc268a961be2848825a.jpg"
	}
}