Researchers with PhishMe have released the details of a phishing campaign, currently being run in Switzerland, that uses a tax dodge to entice its victims to open an attached file, which will then download the Retefe banking trojan.
The email, written in German, has a subject line that references a supposed tax declaration and is “sent” by someone pretending to be a Swiss tax administration worker. The email asks the recipient to enable macros on the attached document, named "ESTV Dokument_593657_17_10_2017[.]doc," after which PowerShell is launched to download and install the malware. At the end of this installation, the malware looks to see if Firefox is installed on the computer; if so, it generates and installs a certificate to Firefox.
The final result of all these manoeuvers is the injection of the Retefe banking trojan. Retefe, which is mainly used in Austria, Sweden, Switzerland and Japan, then waits for victims to connect to their online bank accounts and instead redirects them to a cloned website where their credentials are harvested.