03 May 19, 18:50
Quote: Researchers have noticed a recent upswing in attacks against banks featuring the Retefe banking trojan, following what was apparently a fairly quiet 2018 for the malware.
The trojan is historically known for targeting the banking industry in countries like Austria, Sweden, Switzerland and the UK. Rather than using malicious web injects to execute man-in-the-browser attacks — like many banking trojans do — it victimizes users by using a proxy to route online traffic intended for legitimate banking websites to malicious sites instead.
In April 2019, the malware began focusing its efforts on Swiss and German online banking customers using either Windows- or macOS-based machines, according to a blog post published today by the Proofpoint Threat Insight Team and company researcher Bryan Campbell.
This latest campaign changes some of the malware’s functionality as well. For instance, instead of using Tor for its proxy redirection and command-and-control set-up, Retefe uses Stunnel, an open-source application that acts as a proxy and universal TLS/SSL tunneling service.
“It is not clear why Retefe’s authors have now deprecated Tor in favor of stunnel. However, we suspect that the use of a dedicated tunnel rather than Tor makes for a more secure connection because it eliminates the possibility of snooping on the hops between Tor nodes,” Proofpoint surmises in the blog post. “Tor is also a ‘noisier’ protocol and thus would be easier to detect in an enterprise environment than Stunnel, which would appear as any other outbound SSL connection.”
SOURCE: https://www.scmagazine.com/home/security...__trashed/