Retefe Banking Trojan Updates Spreading Mechanism

explo1t

Thread author
Oct 1, 2017
There is a change in the spreading strategy of Retefe Banking Trojan in October 2017 while targeting Swiss users.

Earlier in September 2017, we observed it being spread through LNK files embedded in the Documents.

Attack Flow in September 2017 -> Doc -> LNK -> powershell -> Retefe

However, in the second week of October 2017, it is being spread through Macro-based Documents:

Attack flow in October 2017 -> Doc -> Macro -> powershell -> Retefe

Filename Pattern for the Documents sent in the campaign: Dokument_<digits>_mm_dd_yyyy.doc

More details here: Neutralize Cyber Threats: Retefe Updates Spreading Mechanism in Oct 2017
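The filename pattern given in the post can be turned into a mail-gateway or triage check. The following is an added example, not part of the original post. It assumes `<digits>` is one or more digits, `mm` and `dd` are two digits, `yyyy` is four digits, and that matching should ignore case; the function names and sample filenames are constructed for illustration.

```python
import re
from datetime import date
from pathlib import PureWindowsPath

# Pattern from the post: Dokument_<digits>_mm_dd_yyyy.doc
# Assumption: field widths as described in the lead-in; case-insensitive match.
LURE_RE = re.compile(
    r"Dokument_(?P<num>\d+)_(?P<mm>\d{2})_(?P<dd>\d{2})_(?P<yyyy>\d{4})\.doc",
    re.IGNORECASE,
)

def parse_lure_name(name):
    """Return (number, date) if the attachment name fits the pattern, else None."""
    # Strip any directory part; PureWindowsPath accepts both '\\' and '/'.
    base = PureWindowsPath(name.strip()).name
    m = LURE_RE.fullmatch(base)
    if not m:
        return None
    try:
        embedded = date(int(m["yyyy"]), int(m["mm"]), int(m["dd"]))
    except ValueError:
        # Right shape but not a calendar date (e.g. month 13): treat as no match.
        return None
    return m["num"], embedded

def scan_attachments(names):
    """Return (original name, number, ISO date) for every name that matches."""
    hits = []
    for name in names:
        parsed = parse_lure_name(name)
        if parsed:
            hits.append((name, parsed[0], parsed[1].isoformat()))
    return hits

# Constructed sample attachment names, not taken from the campaign.
SAMPLE = [
    "Dokument_48213_10_11_2017.doc",
    r"C:\Users\demo\Downloads\dokument_7_10_12_2017.DOC",
    "Dokument_48213_13_11_2017.doc",    # invalid month
    "Dokument_48213_10_11_2017.docx",   # different extension
    "Rechnung_10_11_2017.doc",          # different prefix
]

if __name__ == "__main__":
    for hit in scan_attachments(SAMPLE):
        print(hit)
```

A filename match is only a triage signal; documents that match still need their macro content inspected before any verdict.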