Researcher Bryan Campbell wrote that the new Retefe had several changes:
- It uses stunnel instead of TOR to secure its proxy redirection and command and control communications;
- It uses Smoke Loader rather than sLoad as an intermediate loader; and
- It abuses a shareware application known as “Convert PDF to Word Plus 1.0”; this is a Python script that has been packaged as an executable using PyInstaller and packed into an archive using the UPX packing engine.
Campbell said the shareware application had been found in a public malware repository in March. "It originates from http://lettercreate.com/unipdf/convert-pdf-to-word-plus[.]exe and uses a certificate issued by DigiCert," he added.
Said Campbell: "Retefe is unusual in its use of proxies to redirect victims to fake bank pages for credential theft instead of employing Web injects for man-in-the-browser attacks like most banking trojans.
"Developers appear to have updated key features of the trojan and are employing new distribution mechanisms including fake apps and switching to Smoke Loader as its intermediate downloader after a fairly lengthy absence from the landscape."
He said Retefe, in particular, was noted for changing its proxy configuration, having previously used Profixifier and, in 2019, moving to stunnel.
"As with many types of malware, developers continue to innovate, identifying new, more effective ways to infect victims and steal personal information to better monetise their attacks."