Trojan uses NSA EtneralBlue exploit to hijack computers for new ransomware campaign targeting unpatched
Hackers behind the Retefe malware have added the NSA EternalBlue exploit to the malware to help them spread the malware beyond the initial infection and into a victim network.
Researchers at Proofpoint said that the addition of limited network propagation capabilities may represent an “emerging trend for the threat landscape as 2018 approaches”.
In a blog post, researchers said that while Retefe has never reached the scale or notoriety of better-known banking Trojans such as Dridex or Zeus, it is notable for its consistent regional focus, and interesting implementation.
“Unlike Dridex or other banking trojans that rely on webinjects to hijack online banking sessions, Retefe operates by routing traffic to and from the targeted banks through various proxy servers, often hosted on the TOR network,” said researchers.
Researchers said that in recent months, Retefe has generally been delivered in malicious unsolicited email campaigns containing Microsoft Office document attachments. These attachments contain embedded Package Shell Objects, or OLE Objects, that are typically Windows Shortcut “.lnk” files.
To read the original article: