Check your computer for Retefe malware

What is Retefe malware?

Retefe (detected by ESET as JS/Retefe) is usually spread as an email attachment pretending to be an order, invoice or similar file. It executes a PowerShell script which modifies the browser proxy settings and installs a malicious root certificate which claims to be issued by a well-known certification authority, Comodo. (Some variants may also install Tor and Proxifier, and schedule them to be launched automatically through the Task Scheduler.)

The result of these techniques is a Man-in-the-Middle attack, where the infected user makes a connection to an online banking webpage that matches the list in the configuration file of Retefe. The malware modifies the banking webpage displayed to the user. Subsequently, it attempts to harvest logon credentials and – in some cases – tries to trick the user into installing the mobile component of the malware (detected by ESET as Android/Spy.Banker.EZ). This mobile component is used to bypass two-factor authentication via mTANs.

All major browsers, including Internet Explorer, Mozilla Firefox and Google Chrome, are affected. You can find more details on our blog WeLiveSecurity.com.

Is my computer infected?

You can check your computer for Retefe indicators of compromise:

or by using
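The following PowerShell triage script is an added example, not ESET's checker or code from the original article. It looks for the artefacts the article describes (a PAC proxy setting, a root certificate claiming to be Comodo, and scheduled tasks launching Tor or Proxifier); the 90-day certificate age window and the task keyword match are assumed heuristics, so each finding needs manual review.

```powershell
# Added example (not ESET's tool): heuristic triage for the Retefe artefacts
# described above. Run in an elevated PowerShell; review every finding by hand.
# Note: Firefox keeps its own certificate store, which this script does not cover.

function Get-RetefeIndicators {
    $findings = @()

    # 1. Proxy Automatic Configuration (PAC) script set for the current user.
    $inet = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
    $pac = (Get-ItemProperty -Path $inet -Name AutoConfigURL -ErrorAction SilentlyContinue).AutoConfigURL
    if ($pac) { $findings += [pscustomobject]@{ Type = 'PAC'; Detail = $pac } }

    # 2. Root certificates whose subject claims Comodo. Genuine Comodo roots ship
    #    with Windows, so only recently issued ones (assumed 90-day window) are flagged.
    $cutoff = (Get-Date).AddDays(-90)
    foreach ($store in 'Cert:\CurrentUser\Root', 'Cert:\LocalMachine\Root') {
        Get-ChildItem -Path $store -ErrorAction SilentlyContinue |
            Where-Object { $_.Subject -match 'COMODO' -and $_.NotBefore -gt $cutoff } |
            ForEach-Object {
                $findings += [pscustomobject]@{
                    Type   = 'RootCert'
                    Detail = "$store $($_.Thumbprint) $($_.Subject)"
                }
            }
    }

    # 3. Scheduled tasks whose action launches Tor or Proxifier (assumed keywords).
    Get-ScheduledTask -ErrorAction SilentlyContinue | ForEach-Object {
        $task = $_
        foreach ($action in $task.Actions) {
            if ("$($action.Execute) $($action.Arguments)" -match '\btor\b|proxifier') {
                $findings += [pscustomobject]@{
                    Type   = 'Task'
                    Detail = "$($task.TaskName): $($action.Execute) $($action.Arguments)"
                }
            }
        }
    }
    return $findings
}

$result = Get-RetefeIndicators
if ($result) { $result | Format-Table -AutoSize }
else { 'No Retefe indicators found by these heuristics.' }
```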

What should I do if my computer is infected by Retefe?

1. If you are using any of the services from the list of targets below, change your logon credentials and check for suspicious activity (e.g. fraudulent transactions in your online banking).
2. Remove the Proxy Automatic Configuration script (PAC):