The cybercriminals operating the Retefe banking Trojan have added a new capability to the malware and launched a fresh wave of attacks with it. The addition is the leaked NSA EternalBlue exploit, the SMBv1 exploit that drove the worldwide WannaCry ransomware outbreak in May.
Although Retefe is not as notorious as banking Trojans such as Dridex and TrickBot, it has been active since 2013 and has previously targeted customers of banks in the UK, Sweden, Austria, Switzerland and Japan. Security researchers have now observed a new phishing campaign aimed at customers of Swiss banks that uses malicious Microsoft Office documents to deliver the Trojan and steal victims' credentials and money.
"We are observing increasingly targeted attacks from this group, that, with the addition of the EternalBlue exploit, create opportunities for effective propagation within networks once initial targets have been compromised," security researchers at Proofpoint said in a blog post.
Security experts say the EternalBlue exploit has been swiftly adopted by cybercriminals looking to give their malware the ability to spread laterally inside a network on its own. According to researchers at Flashpoint, another prolific banking Trojan, TrickBot, has also added the EternalBlue exploit. Proofpoint researchers said the increasing adoption of network-propagation features such as EternalBlue by cybercriminals "may represent an emerging trend for the threat landscape as 2018 approaches".
Ever since EternalBlue and other NSA tools such as the DoublePulsar backdoor were publicly leaked by the Shadow Brokers earlier in the year, the exploits have been used in a range of cybercriminal campaigns. EternalBlue has also been used by the Russian cyberespionage group Fancy Bear, widely believed to be responsible for the cyberattacks against the US Democratic Party during the 2016 presidential election.
"It's clear from this attack that popular exploits will be copied, shared and used by the attackers and why not? If it works why would you do extra work to create something new? The only reason to get more creative in attacks is if the old ones don't work anymore," Tony Rowan, chief security consultant at SentinelOne, told SC Magazine.
Retefe's adoption of EternalBlue also indicates that the cybercriminals operating the malware continue to update the banking Trojan, most likely to widen their net of targets. The vulnerability EternalBlue exploits was patched by Microsoft in March, in security bulletin MS17-010, two months before WannaCry; the exploit only works against hosts that have not installed that update and that still expose SMBv1. Security experts therefore recommend that organisations run fully patched systems to avoid falling victim to attacks leveraging the exploit, and practitioners commonly pair the patch with disabling SMBv1 where it is not needed and blocking TCP port 445 from untrusted networks, so that a single phished workstation cannot become a foothold for propagation.
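The following PowerShell script is an added example, not code from the article or from Proofpoint, that performs the checks described above on a single Windows host: whether SMBv1 is still enabled on the server side, whether one of the MS17-010 hotfixes is installed, and whether TCP/445 is listening. The function name Test-EternalBlueExposure and the KB list are assumptions made for illustration; the KB list is an illustrative subset for Windows 7, 8.1, Server 2008 R2, 2012 and 2012 R2 and must be verified against Microsoft's MS17-010 bulletin for the builds in your estate (Windows 10 received the fix through its monthly cumulative update, so the hotfix check alone is not conclusive there).

```powershell
# Added example (not from the article or Proofpoint): report a host's exposure to
# EternalBlue. Report-only by default; -DisableSmb1 opts in to remediation.
# Assumption: the KB list is an illustrative subset of MS17-010 hotfix IDs and must be
# checked against the MS17-010 bulletin for your OS builds.

$Ms17010Kbs = @('KB4012212','KB4012215','KB4012213','KB4012216',
                'KB4012214','KB4012217','KB4012598')

function Test-EternalBlueExposure {
    [CmdletBinding()]
    param(
        [string[]]$KnownKbs = $Ms17010Kbs,
        [switch]$DisableSmb1   # opt-in remediation; requires an elevated prompt
    )

    $result = [ordered]@{
        ComputerName     = $env:COMPUTERNAME
        Smb1Enabled      = $null
        Ms17010Hotfix    = $null
        Port445Listening = $false
    }

    # 1. Is SMBv1 enabled on the server side? Get-SmbServerConfiguration ships with
    #    Windows 8 / Server 2012 and later; on older hosts read the registry value
    #    Microsoft documents for disabling SMBv1 (absent value = default = enabled).
    if (Get-Command Get-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        $result.Smb1Enabled = (Get-SmbServerConfiguration).EnableSMB1Protocol
    } else {
        $reg = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters' `
                                -Name SMB1 -ErrorAction SilentlyContinue
        $result.Smb1Enabled = ($null -eq $reg) -or ($reg.SMB1 -ne 0)
    }

    # 2. Is one of the known MS17-010 hotfixes present?
    $installed = Get-HotFix | Where-Object { $KnownKbs -contains $_.HotFixID }
    $result.Ms17010Hotfix = if ($installed) { $installed.HotFixID -join ',' } else { 'not found' }

    # 3. Is TCP/445 actually listening? (Get-NetTCPConnection exists on Windows 8 / 2012 and later.)
    if (Get-Command Get-NetTCPConnection -ErrorAction SilentlyContinue) {
        $result.Port445Listening = [bool](Get-NetTCPConnection -LocalPort 445 -State Listen `
                                                               -ErrorAction SilentlyContinue)
    }

    # Optional remediation: EternalBlue needs SMBv1 reachable, so turning it off on the
    # server side blocks propagation even before the patch is installed.
    if ($DisableSmb1 -and $result.Smb1Enabled -and
        (Get-Command Set-SmbServerConfiguration -ErrorAction SilentlyContinue)) {
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
        $result.Smb1Enabled = (Get-SmbServerConfiguration).EnableSMB1Protocol
    }

    [pscustomobject]$result
}

# Usage: report only
Test-EternalBlueExposure | Format-List

# Usage: report and disable SMBv1 (elevated prompt)
# Test-EternalBlueExposure -DisableSmb1
```

A host is exposed when Smb1Enabled is true, Ms17010Hotfix reports "not found" and Port445Listening is true; any one of those being false removes the EternalBlue path, although only the patch removes the underlying vulnerability. Run the function across a fleet with Invoke-Command to find the unpatched machines before a phished workstation does.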