Last-minute paper: Malicious Proxy auto-configs: An Easy Way to Harvest Banking Credentials

Thursday 6 October 09:00 - 09:30, Red room

Jaromir Horejsi (Avast Software)
Jan Sirmer (Avast Software)

Much media attention is given to imminent and visible threats, like ransomware. Other threats remain under the radar and often go unnoticed. Malicious proxies are one of these threats.

Redirections are made via proxies and are only activated in certain situations. Internet web browser settings are modified slightly, so that a very small (less than 1KB), and often obfuscated proxy auto-config file is queried from the configuration server. If a victim browses particular websites, such as banking sites, they are redirected to fake or malicious domains that look more or less identical to real sites. Other than that, infected computers behave normally and victims usually don’t notice anything out of the ordinary. All the credentials victims enter into fake sites are harvested by cybercriminals. This allows for a variety of attacks, including MitM and SSL impersonation, which may later lead to identity theft, unauthorized account access, and financial loss.

In our talk, we will discuss the Retefe banking trojan, which celebrated its comeback in the summer of 2016. There have been several changes made to Retefe, including, but not limited to, the structure of the delivered payload, geographical distribution, and targeted online banking systems. Spread via malicious email attachments, a few malicious scripts are dropped and executed, a rogue certificate is installed, and proxy configurations of victims’ browsers are changed. Unlike the previous waves, the latest waves target banking users in the UK. The particular waves differ from one another, for example, by installing third-party tools and libraries (Tor, Proxifier, etc.), using different methods of persistence, and the addition of more targeted financial institutions.

We will show a detailed infection vector, as well as ways of targeting and changing the settings of various web browsers. We will reverse engineer all the malware components coming from the various waves, and finally show original and fake websites as seen from both clean and infected computers. We will also show the statistics and severity of this threat, as seen by our userbase. Although it is quite simple from a technical point of view, Retefe is quite powerful and efficient in reaching its unpleasant goals.


Click here for more details about the conference.


Jaromír Horejší

Jaromír Horejší is a senior malware analyst at Avast Software. His main specialization is reverse engineering mainstream cyber threats targeting Windows and Linux systems. During the course of his career, he has researched many types of threats, e.g. DDoS botnets, banking trojans, click fraud and ransomware. In the past, he has presented his research at RSA Conference, Virus Bulletin, AVAR, Botconf and CARO.



Jan Širmer

Jan is a senior malware analyst at Avast Software. His main specialization is analysing malicious Java threats, Android applications and exploits, macro viruses, web-based malware and other non-executable malware. During the course of his career, Jan has authored blog posts about phishing threats, malicious web exploits and Android threats. In the past, he has presented his research at AVAR and WebExpo.

We have placed cookies on your device in order to improve the functionality of this site, as outlined in our cookies policy. However, you may delete and block all cookies from this site and your use of the site will be unaffected. By continuing to browse this site, you are agreeing to Virus Bulletin's use of data as outlined in our privacy policy.