The malware has new tricks, like using the stunnel encrypted tunneling mechanism and abusing a legitimate shareware app.
The Retefe banking trojan resurfaced in April after going dormant for months, with a makeover that includes a move away from Tor to secure its communications as well as the abuse of a legitimate shareware application.
Retefe has always stood out from other banking trojans, with a consistent regional focus in Austria, Sweden, Switzerland, Japan and the United Kingdom, researchers said, as well as its penchant for eschewing web injection as its attack vector.
“Retefe is unusual in its use of proxies to redirect victims to fake bank pages for credential theft instead of employing web injects for man-in-the-browser attacks like most banking trojans,” Proofpoint researchers said in a technical post on Thursday analyzing the trojan’s reemergence.