Fake Swiss Tax Administration Office Emails Deliver Retefe Banking Trojan

PhishMe®’s Phishing Defence Centre has observed multiple emails with a subject line that includes a reference to tax declarations in Switzerland (Original subject in German: “Fragen zu der Einkommensteuerklaerung”) as shown in Figure 1. The sender pretends to be a tax officer working for the tax administration (Eidgenoessische Steuerverwaltung ESTV) and is asking the victim to open the attached file to answer questions about the tax declaration.

Figure 1 – Fake Tax Declaration Email

Attached to this email is a Word document named ESTV Dokument_593657_17_10_2017.doc (MD5: 1238275981104959492a0788d1e1eaf6). Filenames in this campaign follow the naming convention Dokument_{Digits}_DD_MM_YYYY.doc.

Opening this document prompts the user (in German) to enable macros, as shown in Figure 2.

Figure 2 – Word Document Prompting to Enable Macros

The macro launches PowerShell, which downloads the payload from one of the following URLs into AppData\Temp and renames it to 65536.exe (MD5: 360f53fa00b23d034133eadf3a3474df), as demonstrated by the PowerShell command referenced below.

Payload URLs: see the Indicators of Compromise section below.
After the payload has been retrieved, it is executed via PowerShell. The script drops the file gdwjlbweyofvtaxn.gdw (MD5: 426ae2e0ca32b47868e7e3b666241771) to C:\ProgramData and creates a subfolder in C:\ProgramData with a random string as the folder name. Within that folder, you can find three folders:

  • {RandomStrings}: Socat is copied into here
  • Data: Two GeoIP files (IPv4 and IPv6)
  • Tor: Tor is copied into here

The file gdwjlbweyofvtaxn.gdw contains JavaScript that, amongst other things, includes URLs of banking websites that are actively targeted with this campaign.

Furthermore, the PowerShell script downloads 7zip from hxxps://chocolatey[.]org/7za.exe and drops it into C:\ProgramData. The script then continues to download several files, starting with a TaskScheduler package from hxxps://api.nuget[.]org/packages/taskscheduler.2.5.23.nupkg, followed by TOR from hxxps://torproject.urown[.]net/dist/torbrowser/7.0.6/tor-win32-, and, lastly, Socat from hxxps://github.com/StudioEtrange/socat-windows/archive/. Tor and Socat are copied into the newly-created folder at C:\ProgramData\{Random Strings}.

PowerShell creates three scheduled tasks with random names, all of which utilise mshta.exe from C:\Windows\System32 to execute commands. The first command that is executed as a scheduled task creates the object WScript.Shell and runs tor.exe with the following VB command:

The second scheduled task runs Socat and sets up a SOCKS proxy for Socat and Tor over port 5555 and a .onion address:

The third scheduled task executes the following PowerShell command:

This command forces an outbound connection to hxxp://api.ipify.org, a simple IP address API that returns the public IP address of the machine sending the query. It compares the IP address with the GeoIP files in C:\ProgramData\Data and tunnels the output to Socat on 127[.]0.0.1:5555. The victim’s IP address is used in combination with 127[.]0.0.1. A registry entry is created at HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\AutoConfigURL that includes the reference to the SOCKS proxy, combined with the IP address in the following form: hxxp://{0}.js?ip={1}, where {0} is the string of random characters the PowerShell script generated, and {1} is the IP address of the victim.
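The registry entry, the mshta.exe scheduled tasks, the local Socat listener and the dropped files described above are all host artefacts a responder can check for. The following read-only triage function is an added example written for this post and is not code from PhishMe or from the Retefe sample; it assumes PowerShell 5.1 on Windows, that "AppData\Temp" in the post corresponds to the user's %TEMP% directory, and that the AutoConfigURL value keeps the hxxp://{random}.js?ip={victim IP} shape the post reports. File hashes are compared against the MD5 values given in the post.

```powershell
# Added example (not from the PhishMe post): read-only host triage for the Retefe artefacts described above.
# Assumptions: PowerShell 5.1 on Windows; "AppData\Temp" in the post is taken to be $env:TEMP.

function Test-RetefeHostArtifacts {
    [CmdletBinding()]
    param(
        [string]$ProgramData = $env:ProgramData,
        [string]$TempDir     = $env:TEMP
    )
    $findings = @()

    # 1. Proxy auto-config URL of the form http://{random}.js?ip={victim IP}
    $regPath = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
    $pac = (Get-ItemProperty -Path $regPath -Name AutoConfigURL -ErrorAction SilentlyContinue).AutoConfigURL
    if ($pac -and $pac -match '^https?://[^/]+\.js\?ip=\d{1,3}(\.\d{1,3}){3}$') {
        $findings += [pscustomobject]@{ Check = 'AutoConfigURL'; Detail = $pac }
    }

    # 2. Scheduled tasks whose action is mshta.exe (the post describes three, with random names)
    foreach ($task in (Get-ScheduledTask -ErrorAction SilentlyContinue)) {
        foreach ($action in $task.Actions) {
            if ($action.Execute -match 'mshta(\.exe)?$') {
                $findings += [pscustomobject]@{
                    Check  = 'ScheduledTask'
                    Detail = "$($task.TaskName): $($action.Execute) $($action.Arguments)"
                }
            }
        }
    }

    # 3. Local SOCKS listener on 127.0.0.1:5555 (the Socat/Tor bridge)
    $listener = Get-NetTCPConnection -LocalPort 5555 -State Listen -ErrorAction SilentlyContinue
    if ($listener) {
        $findings += [pscustomobject]@{
            Check  = 'LocalListener'
            Detail = "port 5555 listening, owning PID(s): $($listener.OwningProcess -join ',')"
        }
    }

    # 4. Random-named folder under ProgramData containing both a 'Data' (GeoIP) and a 'Tor' subfolder
    foreach ($dir in (Get-ChildItem -Path $ProgramData -Directory -ErrorAction SilentlyContinue)) {
        $sub = Get-ChildItem -Path $dir.FullName -Directory -ErrorAction SilentlyContinue |
               Select-Object -ExpandProperty Name
        if (($sub -contains 'Data') -and ($sub -contains 'Tor')) {
            $findings += [pscustomobject]@{ Check = 'ProgramDataFolder'; Detail = $dir.FullName }
        }
    }

    # 5. Dropped files, with MD5 values taken from the post's IoC list
    $expected = @{
        (Join-Path $ProgramData 'gdwjlbweyofvtaxn.gdw')   = '426ae2e0ca32b47868e7e3b666241771'
        (Join-Path $TempDir     '65536.exe')              = '360f53fa00b23d034133eadf3a3474df'
        (Join-Path $TempDir     "$env:COMPUTERNAME.log")  = $null   # installation log, hash not published
    }
    foreach ($path in $expected.Keys) {
        if (Test-Path -Path $path -PathType Leaf) {
            $md5 = (Get-FileHash -Path $path -Algorithm MD5).Hash.ToLower()
            $match = if ($expected[$path]) { $md5 -eq $expected[$path] } else { 'n/a' }
            $findings += [pscustomobject]@{ Check = 'DroppedFile'; Detail = "$path (MD5 $md5, IoC match: $match)" }
        }
    }

    return $findings
}

# Usage: print a table of findings; an empty result means none of the artefacts were found.
Test-RetefeHostArtifacts | Format-Table -AutoSize
```

The checks are deliberately independent, so a partial installation (for example the registry entry without the listener) still surfaces. Because the folder and task names are random, the checks key on structure (a folder holding both Data and Tor, a task whose action is mshta.exe) rather than on names.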

During installation, a .log file with the computer name as the file name is created and dropped into AppData\Temp. This file includes a summary of the installation steps taken by the PowerShell script as demonstrated in Figure 3.

Figure 3 – Log File in Temp Directory

Towards the end of the log file, we can find an interesting entry that varies, depending on whether Firefox is installed on the system. Figure 4 shows the end of the log file without Firefox installed, and Figure 5 shows the log file with Firefox installed.

Figure 4 – Log File without Firefox

Figure 5 – Log File with Firefox

As the log files suggest, if Firefox is installed on the system, the PowerShell script continues to install a certificate in Firefox. This is also demonstrated in the corresponding code shown in Figure 6.

Figure 6 – PowerShell Code to Detect Firefox and Install a Certificate

After installation of the malware is completed, the .log file is uploaded from AppData\Temp to the following FTP server: fxp://ns150.dynamixhost[.]com with IP 91[.]223.253.150. No additional data is uploaded to the FTP server.

The malware described above has been identified as the Retefe Banking Trojan. Retefe has been around for many years but has never been able to reach the scale of other banking trojans such as Dridex or Zeus. The Trojan is geographically targeted and can mostly be found in Austria, Sweden, Switzerland and Japan, with some instances of Retefe observed in the United Kingdom. Retefe utilises credential phishing to steal victims’ banking information, rather than watching all traffic all the time. In the case of Retefe, a fraudulent certificate is installed. The proxy configured through PowerShell detects when the victim tries to access a targeted banking site through the browser and redirects the user to a cloned website to phish the banking credentials. The credentials are then forwarded via the TOR network to a .onion Command and Control server.

To protect yourself from Banking Trojans such as Retefe, ensure that you do not open attachments or links until you have confirmed that they are genuine. Furthermore, ensure that your systems are up to date and fully patched. If you have identified a Trojan in your environment, you can use the indicators of compromise to block the associated IP addresses at your perimeter firewall and update other security devices in your environment to identify or block this threat.
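The post recommends blocking the associated IP addresses and using the indicators to clean up affected hosts. The following containment functions are an added example written for this post, not PhishMe's own tooling; they assume an elevated PowerShell 5.1 session on Windows, take the IP addresses from the post's Indicators of Compromise section, and illustrate a host-firewall block (the post's recommendation is a perimeter block, which this mirrors on the endpoint), removal of the malicious AutoConfigURL value and disabling of the mshta.exe scheduled tasks.

```powershell
# Added example (not from the PhishMe post): containment steps for a host showing the Retefe artefacts.
# Assumptions: elevated PowerShell 5.1 session; IP addresses are those listed in the post's IoC section.

$RetefeIPs = @(
    '87.229.45.38', '77.247.178.179', '209.213.100.202',
    '212.63.108.71', '72.4.146.187',      # payload download hosts
    '91.223.253.150'                      # FTP server receiving the installation log
)

function Block-RetefeEgress {
    # Creates (once) an outbound block rule for the IoC addresses and returns the addresses it covers.
    param(
        [string[]]$Addresses = $RetefeIPs,
        [string]$RuleName    = 'Block Retefe IoC egress'
    )
    if (-not (Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $RuleName -Direction Outbound -Action Block `
            -RemoteAddress $Addresses -Profile Any -Enabled True | Out-Null
    }
    (Get-NetFirewallRule -DisplayName $RuleName | Get-NetFirewallAddressFilter).RemoteAddress
}

function Remove-RetefeProxyConfig {
    # Removes the AutoConfigURL value only if it has the {random}.js?ip= shape described in the post,
    # so a legitimate corporate PAC setting is left alone.
    $regPath = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
    $pac = (Get-ItemProperty -Path $regPath -Name AutoConfigURL -ErrorAction SilentlyContinue).AutoConfigURL
    if ($pac -and $pac -match '\.js\?ip=\d{1,3}(\.\d{1,3}){3}$') {
        Remove-ItemProperty -Path $regPath -Name AutoConfigURL
        return "Removed AutoConfigURL: $pac"
    }
    return 'No Retefe-style AutoConfigURL present'
}

function Disable-MshtaScheduledTasks {
    # The post describes three random-named tasks that run mshta.exe; they are disabled rather than
    # deleted so the task definitions remain available as evidence. Returns the task names affected.
    $hits = foreach ($task in Get-ScheduledTask) {
        if ($task.Actions | Where-Object { $_.Execute -match 'mshta(\.exe)?$' }) { $task }
    }
    foreach ($task in $hits) { $task | Disable-ScheduledTask | Out-Null }
    $hits | Select-Object -ExpandProperty TaskName
}

# Usage, in the order a responder would typically apply them:
Block-RetefeEgress
Remove-RetefeProxyConfig
Disable-MshtaScheduledTasks
```

Blocking egress first stops the installation log from reaching the FTP server and prevents re-download of the payload while the proxy configuration and tasks are being removed; the Tor and Socat processes themselves, the random-named folder under C:\ProgramData and the certificate installed into Firefox still need to be handled separately.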

Indicators of Compromise

Word Document:

ESTV Dokument_593657_17_10_2017.doc
MD5: 1238275981104959492a0788d1e1eaf6

Payload URLs:

hxxp://vizicsiga[.]hu/qelikau.exe (IP: 87[.]229.45.38)
hxxp://forex-sharks[.]com/vmcutjy.exe (IP: 77[.]247.178.179)
hxxp://hostprodirect[.]com/nimckdc.exe (IP: 209[.]213.100.202)
hxxp://lacadosmurcia[.]com/ygfxyca.exe (IP: 212[.]63.108.71)
hxxp://crittersbythebay[.]com/bslyqbx.exe (IP: 72[.]4.146.187)

Payload (65536.exe):
MD5: 360f53fa00b23d034133eadf3a3474df

MD5: f69599d02f110c357f4bea1e673271da

MD5: e86333c6ffa295c39ec6d11401e2a86c

Dropped file (gdwjlbweyofvtaxn.gdw):
MD5: 426ae2e0ca32b47868e7e3b666241771

Registry Change:

HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\AutoConfigURL: “hxxp://{0}.js?ip={1}”
{0} = 8 random characters
{1} = Victim IP address

Command and Control:
