Why the most successful Retefe spam campaign never paid off

Switzerland is one of the main targets of the Retefe banking trojan since its first appearance in November 2013. At that time, it changed the local DNS resolver on the computer (See also blog post “Retefe Bankentrojaner” in German only). Almost a year went by until they changed to the still current approach of setting a proxy auto-config (PAC) URL (See also blog post “The Retefe banking Trojan has targeted Switzerland“). To understand the story of this blog post, it helps to understand the modus operandi of the Retefe malware. We recommend you read up on it on our blog links posted above if you are not familiar with it.

While the Retefe actors are constantly changing tactics, for example their newest campaigns also target Mac OS X users, their malware still works the same. One of notable changes was the introduction of Tor in 2016. At first, they started using Tor gateway domain names such as onion.to, onion.link within the proxy auto-config URLs, later on they switched to Tor completely. The advantage of using Tor is of course, anonymity and the difficulty to block or take down the infrastructure.

Onion domain names don’t use DNS or do they?
The Tor network can use .onion domain names but these names are not resolved over DNS but instead work only in the Tor network. RFC 7686 (The “.onion” Special-Use Domain Name) goes into more details on the special case of .onion domain names. However, the fact is that .onion domain names do leak into the DNS system. For potential reasons and more information on this subject we recommend the paper by Versign Labs “Measuring the Leakage of Onion at the Root” (PDF).

We are operating DNS resolvers for the Swiss universities and also provide a DNS Firewall service . For universities which run their own DNS resolver but use our DNS Firewall service we get telemetry data of hits to malicious domain names listed in our DNS Firewall service. We have started monitoring .onion domain names which leak into DNS and were surprised by the amount of leaked queries:

Timechart showing the number of leaked .onion domain names for our DNS Firewall customers.

Of course, all these .onion domain name lookups are answered with NXDOMAIN as .onion is not delegated in the DNS root zone.

Origin of .onion domain name leakage
At least for our customers the vast amount of leaked .onion domain names can be attributed to the Retefe malware. We have been monitoring Retefe for years and kept track of the .onion domain names used in proxy auto-config (PAC) URLs, ever since.

Timechart showing the attribution of the .onion domain names. Yellow: can be attributed to Retefe, Blue: is unknown.

It would have been a severe Tor application failure, if active or working .onion domain names leak regularly into DNS. As it turns out, all the leaked .onion domain names which we see for Retefe are for .onion domain names which are not active anymore. If you try to access such a Tor .onion domain name, you receive the error: “Transport endpoint is not connected“. So, the reason we are seeing these queries is because the Retefe operator have given up these .onion domain names. Retefe tends to introduce new .onion domain names in new spam campaigns. The Retefe malware also generally comes with no update mechanism. After a period of time where no more infected clients fall victim to the Retefe fraud schema it’s a logical business decision to stop operating the infrastructure (in this case old .onion domain names) if you cannot monetize it anymore.

If we look at the distribution of the looked up .onion domain names. One .onion domain name stands out which accounts for 60% of all domain lookups!

Distribution of the looked up .onion domain names.

This is interesting because as we have mentioned above, we can look back at the Retefe spam campaigns which used this .onion domain name. There is another hint which points to the same spam campaign. If we look at which users are infected with this .onion domain name in our data, we see that more then 98% of the users are from the French speaking part of Switzerland.

Most successful Retefe spam campaign
I don’t reveal any secrets, which the Retefe actors don’t know already as they can keep track of infected clients (in fact they know the client IP address and browser user-agent, browser language). It turns out, that the most successful spam campaign was the first written in French starting on the 28th November 2016.

First Retefe spam campaign in French with a spoofed email to look like it came from the national railway company of Switzerland.

The modus operandi for fraud incidents depends on misleading the user and social engineering. First, the user is redirected to a fake banking website because of the proxy auto-config (PAC). Once on the login page and after entering it’s login credentials, the user is prompted with a security notice where he has to enter his phone number. The threat actors cannot login on the victim’s bank account as it is protected by strong authentication (two-factor authentication). The fraud schema, which the attackers apply, is to call up on the victim to do a “test” payment. (See also notice from MELANI in DE , FR, IT).

Screenshot showing the fake Retefe login page for a bank in the French speaking part of Switzerland.

So, why is this the biggest failed Retefe spam campaign ever? If you look at the screenshot closely, you will notice that the security notice is shown in German language only (even for a web browser with French language preferences and for visiting a banking website in the French speaking part of Switzerland). The reason for this is not that they cannot translate this security notice into French, they have done that for their French spam campaign too. The reason it is in German is because their social engineering staff likely only speaks German (or English).

There has been no other French speaking Retefe malware campaign in Switzerland ever since. So, the next time you get a suspicious call from your bank, just pretend you only speak French.

%d bloggers like this: