Retefe Gang, Operation Emmental

Description

(GovCERT.ch) Surprisingly, there is a lot of media attention going on at the moment on a macOS malware called OSX/Dok. In the recent weeks, various anti-virus vendors and security researchers published blog posts on this threat, presenting their analysis and findings. While some findings were very interesting, others were misleading or simply wrong.

We don’t know where the sudden media interest and the attention from anti-virus vendors on this threat actor are coming from. As a matter of fact, the threat actor behind OSX/Dok, which we call the Retefe gang or Operation Emmental, has already been around for many years, and GovCERT.ch has been tracking their activities since the very beginning (2013). The purpose of this blog post is to put the puzzle pieces together and to try to bust some of the myths that have made the rounds in the media recently.

Names

Name                Name-Giver
Retefe Gang         GovCERT.ch
Operation Emmental  Trend Micro

Country

Motivation

  • Financial crime

First Seen

2013

Observed Sectors

Observed Countries

Tools

Information

Other Information

Uuid

58b1974b-2091-492a-901f-a25d9372d9a6

Last Card Change

2020-05-22