Trojan:Win32/Retefe.A has been used in a number of targeted attacks. We have seen it used in various forms, including packed with UPX, and protected by custom packers to deter detection by security products.
It is usually distributed by targeted email phishing attacks. The phishing email tries to look like it comes from a legitimate company, such as that shown below.
When the attached file is run by the victim, Trojan:Win32/Retefe.A is downloaded and installed to %ALLUSERSPROFILE%. We have seen it use the file name netupdater.exe.
It modifies the following registry entry so that it runs each time you start your PC:
In subkey: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Sets value: "<Malware name>"
With data: "%ALLUSERSPROFILE%.\<Malware Name>.exe"
When it needs to run with administrator privileges, Trojan:Win32/Retefe.A can show a message window claiming that an update needs to be installed, so that the elevation request does not raise suspicion. The malware can display this message in different languages, including German and English.
Steals sensitive information
Trojan:Win32/Retefe.A can steal sensitive information from your PC, such as your online user names and passwords. It does this by installing a fake self-signed certificate and then intercepting the traffic of your Internet browser.
It installs a fake self-signed certificate with the thumbprint 3DDF56A7004D90034D77E2D97F68C56FAA3C93AD:
It then installs the self-signed certificate to be used by the Firefox browser.
It also changes your PC's DNS server setting to the IP address of a server controlled by the attacker. We have seen the following IP addresses being used:
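The following PowerShell triage script is an added example and is not part of the Microsoft write-up; it checks a host for the three indicators described above: the HKCU Run entry pointing into %ALLUSERSPROFILE% (and the netupdater.exe file name), the certificate with thumbprint 3DDF56A7004D90034D77E2D97F68C56FAA3C93AD in any Windows certificate store or a Firefox trust database, and a changed DNS server. The attacker DNS addresses are not listed on this page, so the script uses placeholder TEST-NET addresses that must be replaced; the Run-entry and file-name heuristics are this example's own choices.

```powershell
# Added example (not from the Microsoft write-up): host triage for the Retefe
# indicators described on this page. Run in an elevated PowerShell session.
# Values marked PLACEHOLDER are assumptions; the page does not list them.

$IndicatorFileName   = 'netupdater.exe'                            # file name seen on the page
$IndicatorThumbprint = '3DDF56A7004D90034D77E2D97F68C56FAA3C93AD'  # certificate thumbprint from the page
$KnownBadDns         = @('192.0.2.10', '192.0.2.11')                # PLACEHOLDER (TEST-NET); replace with the advisory's IPs

$findings = New-Object System.Collections.Generic.List[string]

# 1. Persistence: HKCU Run entries whose data points into %ALLUSERSPROFILE%
#    or references the known file name.
$runKey   = 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$allUsers = [Environment]::ExpandEnvironmentVariables('%ALLUSERSPROFILE%')
if (Test-Path $runKey) {
    $props = Get-ItemProperty -Path $runKey
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }    # skip PowerShell's own metadata properties
        $data = [string]$p.Value
        if ($data -like "*$IndicatorFileName*" -or $data -like "$allUsers*") {
            $findings.Add("Run entry '$($p.Name)' -> $data")
        }
    }
}

# 2. Dropped file on disk: record its hash for later correlation.
$dropPath = Join-Path $allUsers $IndicatorFileName
if (Test-Path $dropPath) {
    $hash = (Get-FileHash -Path $dropPath -Algorithm SHA256).Hash
    $findings.Add("File present: $dropPath (SHA256 $hash)")
}

# 3. Rogue certificate in any Windows certificate store (user or machine).
$certs = Get-ChildItem -Path Cert:\ -Recurse -ErrorAction SilentlyContinue |
         Where-Object { -not $_.PSIsContainer -and $_.Thumbprint -eq $IndicatorThumbprint }
foreach ($c in $certs) {
    $findings.Add("Certificate $($c.Thumbprint) in $($c.PSParentPath) (Subject: $($c.Subject))")
}

# 4. Firefox keeps its own trust store, so the Windows stores do not cover it.
#    Flag each profile's NSS database for review with the NSS certutil tool.
$ffProfiles = Join-Path $env:APPDATA 'Mozilla\Firefox\Profiles'
if (Test-Path $ffProfiles) {
    Get-ChildItem -Path $ffProfiles -Directory | ForEach-Object {
        foreach ($db in 'cert8.db', 'cert9.db') {
            $dbPath = Join-Path $_.FullName $db
            if (Test-Path $dbPath) { $findings.Add("Firefox trust store to review: $dbPath") }
        }
    }
}

# 5. DNS servers configured on any IPv4 interface, compared with the known-bad list.
$dnsServers = Get-DnsClientServerAddress -AddressFamily IPv4 -ErrorAction SilentlyContinue |
              ForEach-Object { $_.ServerAddresses } | Sort-Object -Unique
foreach ($srv in $dnsServers) {
    if ($KnownBadDns -contains $srv) { $findings.Add("DNS server $srv matches a known Retefe resolver") }
}

if ($findings.Count -eq 0) { 'No Retefe indicators found.' } else { $findings }
```

A hit on the Run entry or the file alone identifies the persistence mechanism; a hit on the thumbprint means browser traffic may already have been intercepted, so credentials used on that PC should be treated as exposed and the certificate removed from every store where it appears, including the Firefox profile databases, which the Windows certificate cmdlets do not touch.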
Trojan:Win32/Retefe.A terminates the following processes if they are running:
Analysis by Daniel Radu