Delaware, USA – September 26, 2017 – Researchers from Proofpoint discovered that the banking Trojan Retefe has leveraged the EternalBlue exploit. The latest Retefe campaign targeted banks in Switzerland. Adversaries have used this malware since 2013 in attacks against financial institutions in Central Europe, Britain and Japan. The Trojan redirects users to proxy servers hidden in the Tor network that are disguised as the targeted banks' pages. The primary distribution vector is spear phishing: emails contain MS Office documents that download the malicious payload. The modification that used the EternalBlue exploit to download a PowerShell script and install the Retefe Trojan was detected on September 5. It seems that the adversaries were only experimenting with the new functionality and did not use the exploit for lateral movement. On September 20, the EternalBlue capability was replaced by logging functions.
The hackers are probably planning a full-fledged attack exploiting the CVE-2017-0144 vulnerability. To protect against malware spreading through SMB, ensure that security update MS17-010 is installed on all assets on your network. Since Retefe redirects traffic to servers on the Tor network, you can use DetectTor from Use Case Cloud to detect this threat. With this use case, you can detect any Tor connections and quickly discover infected assets.
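The idea of finding infected assets through their Tor connections can be sketched as follows. This is an added example, not the DetectTor use case's own logic: the log format, the relay addresses (taken from documentation ranges) and all function names are assumptions, and in practice the relay set would be loaded from a current Tor relay list.

```python
import ipaddress
from collections import defaultdict

# Constructed stand-in for a Tor relay list (documentation address ranges).
TOR_RELAYS = {"198.51.100.23", "203.0.113.77"}
# Internal ranges whose hosts we want to attribute connections to.
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed firewall log: timestamp src_ip dst_ip dst_port action
SAMPLE_LOG = """\
2017-09-21T08:14:02Z 10.1.4.17 198.51.100.23 9001 ALLOW
2017-09-21T08:14:05Z 10.1.4.17 192.0.2.10 443 ALLOW
2017-09-21T08:15:40Z 10.1.9.52 203.0.113.77 443 ALLOW
2017-09-21T08:16:11Z 10.1.4.17 203.0.113.77 443 DENY
malformed line
2017-09-21T08:17:00Z 10.1.7.8 192.0.2.44 80 ALLOW
"""

def parse_line(line):
    """Return (ts, src, dst, port, action), or None for an unparsable line."""
    parts = line.split()
    if len(parts) != 5:
        return None
    ts, src, dst, port, action = parts
    try:
        return (ts, ipaddress.ip_address(src), ipaddress.ip_address(dst),
                int(port), action)
    except ValueError:
        return None

def find_tor_clients(log_text, relays):
    """Map each internal host to its connection attempts to known Tor relays.

    Denied attempts are kept: a blocked connection still identifies the
    asset that tried to reach Tor and needs investigation.
    """
    relay_addrs = {ipaddress.ip_address(r) for r in relays}
    hits = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ts, src, dst, port, action = rec
        if dst in relay_addrs and any(src in net for net in INTERNAL_NETS):
            hits[str(src)].append((ts, str(dst), port, action))
    return dict(hits)

if __name__ == "__main__":
    for host, events in sorted(find_tor_clients(SAMPLE_LOG, TOR_RELAYS).items()):
        print(host, len(events), "Tor connection attempt(s)")
```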