For antimalware products, targeted attacks represent a very interesting class of malware. They are stealthy and only target specific organizations and industries - flying under the radar when it comes to identifying new malware files based on telemetry. The purpose of these attacks is most commonly to steal confidential and sensitive information by means of social engineering and unpatched, vulnerable software.

We recently investigated a sample used in this kind of attack, Trojan:Win32/Retefe.A, and wanted to share with you what we encountered and possible ways to avoid being infected from similar approaches.

Our analysis began when we investigated an RTF document flagged as suspicious due to its inclusion in what looked like a phishing email:

Suspicious RTF doc 

Figure 1: RTF document attached to phishing email

The email sender was spoofed by the attackers to appear as a large e-commerce company. The message is in German and is translated as “The receipt, from your Zalando Switzerland team”. Another reason for flagging the email as phishing was due to the sentence structure – it seems to be the result of an automated translation tool.

When a user attempts to open the RTF document they get the following warning from Outlook:

Outlook warning 

Figure 2: An attempt to open the RTF prompts an Outlook warning

At this point we were thinking that the RTF might contain a vulnerability that would be triggered when opening the file. However, when it was opened the document showed no indication that it contained an exploit – it just displays a small document:

small document 

Figure 3: The attachment opens a small document

Again the text is in German and translates as “To see the receipt, double click on the image”. At this point it was obvious we were dealing with a social engineering attack. The attacker is asking the victim to execute the malware willingly on their machine. Even at this point the user would see a warning message about the risks taken when executing an unknown attachment:

Warning message 

Figure 4: Security warning when attempting to open suspicious attachment

The file, which is executed if the user proceeds and clicks Open, is a Control Panel Applet (CPL). Its purpose is to establish a network connection to a malicious server and download the payload file. This particular CPL file tried to download its payload from www.ent<removed>.ch/n.exe.

At the time of our investigation the file was no longer available, but since this was not the only attempt the bad guys have made, we were able to retrieve the payload from a URL used in similar attacks: www.<removed>-club.ch/n.exe

We detect payload as Trojan:Win32/Retefe.A.

The file name of the RTF document is not consistent throughout all attacks. We have seen other names used that follow a similar pattern as those below:

  • 2379F939.rtf
  • O442Z4nV.rtf    
  • Quittung 05-02.14.rtf
  • Quittung 2014.05.02.rtf
  • uozohS+K.rtf
  • uvsWuIaY.rtf
  • vMtz+mFA.rtf
  • YdBoUSiG.rtf
  • YgRUlKut.rtf

We’ve also observed variations where the RTF document was replaced by a .DOC file following the same infection strategy. The file names used are similar, for example:

  • Quittung 2014.05.02.doc
  • Quittung 05-02.14.doc
  • unnamed.doc

The document can also be embeded in an archive from which the user needs to extract the .RTF or .DOC file. Example file names include:

  • A1 Rechnung #13784126 von 05-02-2014.zip
  • A1 Rechnung #746537 von 050214.zip
  • Ihre Bestellung #83919469  vom 03022014.zip
  • Ihre Bestellung  N9397351  vom 0402-14.zip

Trojan:Win32/Retefe.A also displays a window where it informs the user that they need to install an “update” and advises them to click “Yes” when the UAC window is displayed. This is another layer of social engineering to trick the user and avoid making them suspicious. The message even shows which button to press in the UAC, and can appear in English or German depending on the computer locale.

English 

Figure 5: Further social engineering from Trojan:Win32/Retefe.A advises the user to run the malware

Engineering script 

Figure 6: The strings encountered in the binary of the social engineering message

As shown above, threats such as Trojan:Win32/Retefe.A use multiple techniques to encourage users to run the malicious file. The user also receives numerous warning about the danger of proceeding. Despite these warning we still have reports of this threat running on machines - primarily in German speaking countries. Running an up-to-date, real-time security product, such as Microsoft Security Essentials, can help protect your PC from this type of malicious threat. However, the best form of defence is to avoid these malicious files from running in the first place. The easiest way to do this is to educate users on the risk of opening unsolicited email attaments and recognising a phising email.

Reference files:

Downloaded file:

  • SHA1: 0e832c750e445484494923ce5e2e385cc73a4df1
  • MD5: aa19c341970a39bac50eabf634b6262d
  • Detected : Trojan:Win32/Retefe.A

CPL file:

  • SHA1: 3b86362334fce7e339f2fd36901eb30043b9481d
  • MD5: 26e2ef85182c0e14a90e1108ab6f644f
  • Detected : TrojanDownloader:Win32/Retefe.A


MMPC Munich