UK banking customers targeted with Retefe Trojan with MitM capabilities

UK users are the latest targets of cyber crooks leveraging the Retefe banking Trojan and a rogue root certificate.

The malware is out to steal online banking credentials of customers of several UK banks – Barclays, HSBC, NatWest, Santander, Ulster Bank, Tesco Bank, etc. – but also other account login credentials for sites with “.com” and “” domains:

Retefe changes proxy auto-config settings

The attack starts with unsolicited emails carrying what looks like a regular document but contains an embedded malicious JavaScript. Users are urged to click on the document to peruse it, but this action triggers the script, and it shuts down open web browsers, installs a malicious certificate, and changes the proxy auto-config settings to link to a website on the Tor anonymity network.

Usually, users would have to confirm the installation of such a certificate, but the crooks decided to automate the process with a PowerShell script.

The victims only see the prompt for a few seconds, and then it’s gone.

Fake root certificate

The pop-up says that the root certificate is from Comodo CA, but that’s a lie. The truth is that the certificate was issued by a suspicious issuer. Unfortunately, once the certificate has been installed on the system, the system (and the browser) will trust any certificate signed with it, for any website.

When the victims visit their bank’s online banking website, they will be seamlessly redirected through the malicious proxy to a fake one. Every piece of information – whether login credentials or personal info – submitted to the site will pass through the proxy, and the criminals are able to see it and collect it.

In the meantime, the padlock in the address bar will be green, as the attackers issued a valid certificate signed with the above-mentioned rogue root certificate, and the system will flag it as trusted.

“This type of malware is a serious threat for unaware users, because most people trust the certificate signs on HTTPS sites and, therefore, do not verify the certificate’s issuer. This makes it easy for the Retefe banker Trojan to steal important data and money,” Avast researchers pointed out.

The banks whose customers are targeted have been warning them of this active campaign, but chances are many users got infected, their info stolen and misused, and possibly their accounts pilfered.

So beware of unsolicited email, iffy attachments, and unexpected root certificates being installed on your computer without your permission.
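For defenders, the two changes described above (a proxy auto-config URL pointing into Tor and a root certificate added to the user's store) can be checked for on a host. The following is an added example, not code from the article or from Avast; the snapshot format, the field names, the Tor gateway suffixes and the "issuer differs from subject" heuristic are assumptions, and the sample data is constructed.

```python
from urllib.parse import urlsplit

# Assumed suffixes for Tor hosts and Tor web gateways; extend for your environment.
TOR_SUFFIXES = (".onion", ".onion.to", ".tor2web.org")

# Constructed snapshot of one host (not data from the article): the per-user
# PAC URL and root-store entries as a collection script might export them.
SAMPLE_HOST = {
    "auto_config_url": "http://constructedexample.onion.to/proxy.pac",
    "roots": [
        {"store": "LocalMachine", "thumbprint": "AA01",
         "subject": "CN=Example Root CA", "issuer": "CN=Example Root CA"},
        {"store": "CurrentUser", "thumbprint": "BB02",
         "subject": "CN=COMODO Certification Authority",
         "issuer": "CN=constructed-unknown-issuer"},
    ],
}

def pac_findings(url):
    """Flag a proxy auto-config URL whose host is on Tor or a Tor gateway."""
    if not url:
        return []
    host = (urlsplit(url if "//" in url else "//" + url).hostname or "").lower()
    if host.endswith(TOR_SUFFIXES):
        return [f"PAC URL resolves through Tor: {host}"]
    return []

def root_findings(roots):
    """Flag per-user roots absent from the machine store or not self-signed."""
    machine = {r["thumbprint"] for r in roots if r["store"] == "LocalMachine"}
    findings = []
    for r in roots:
        if r["store"] != "CurrentUser":
            continue
        if r["thumbprint"] not in machine:
            findings.append(f"user-only root {r['thumbprint']}: {r['subject']}")
        if r["subject"] != r["issuer"]:
            findings.append(f"root {r['thumbprint']} issuer differs from subject: {r['issuer']}")
    return findings

def audit(host):
    """Return all findings for one host snapshot."""
    return pac_findings(host.get("auto_config_url")) + root_findings(host["roots"])

if __name__ == "__main__":
    for line in audit(SAMPLE_HOST):
        print("ALERT:", line)
```

A finding here is a prompt to inspect the certificate and the proxy setting by hand, since legitimate enterprise roots can also appear only in the user store.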
