Rietspoof is a new type of malware that is currently being distributed in the wild via Facebook Messenger and Skype. The malware was discovered by Avast, and is being described as a multi-stage threat that combines file formats to create a “more versatile malware”.
Rietspoof is a dropper, also known as a downloader, meaning that its final infection stage will definitely download something worse onto infected hosts.
Even though the malware was first spotted in August last year, it caught the attention of security researchers last month when the number of infections rose.
What Is the Purpose of Rietspoof Malware?
The malware aims to infect victims, gain persistence on affected systems, and download more malware as instructed by its command and control server.
Rietspoof’s infection path consists of several stages and combines various file formats, with the sole purpose of delivering more versatile malware.
The researchers’ data suggests that the first stage was delivered through instant messaging clients, such as Skype or Messenger. The malware delivers a highly obfuscated Visual Basic Script with a hard-coded and encrypted second stage — a CAB file. “The CAB file is expanded into an executable that is digitally signed with a valid signature, mostly using Comodo CA”, the report says.
How does the malware gain persistence? By placing a LNK file (shortcut) in the Windows/Startup folder. Anti-virus solutions usually monitor this folder, but because the malware is signed with a legitimate certificate it can slip past such security checks.
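The persistence mechanism above is something a defender can audit directly. The following PowerShell script is an added example, not code from the Avast report or from the malware: it enumerates every shortcut in the per-user and all-users Startup folders, resolves each target, checks its Authenticode signature, and, crucially, treats a valid signature from an unexpected publisher as a finding rather than a pass, since the Rietspoof executable was signed with a valid certificate. The allow-list of trusted publisher subjects is an assumption to be adjusted for your own environment.

```powershell
# Added example (not from the Avast report): audit Startup-folder shortcuts.
# Resolves each .lnk target, checks its Authenticode signature and signer,
# and flags anything not signed by an allow-listed publisher, even if the
# signature itself is valid. "Signed" alone is not a clean bill of health.

$startupFolders = @(
    [Environment]::GetFolderPath('Startup'),        # per-user Startup folder
    [Environment]::GetFolderPath('CommonStartup')   # all-users Startup folder
)

# Assumption: certificate subject prefixes you expect to see on Startup
# targets in your estate. Anything else is reported for review.
$trustedPublishers = @('CN=Microsoft Windows', 'CN=Microsoft Corporation')

$shell = New-Object -ComObject WScript.Shell

$findings = foreach ($folder in $startupFolders) {
    if (-not (Test-Path $folder)) { continue }
    Get-ChildItem -Path $folder -Filter '*.lnk' -File | ForEach-Object {
        $lnk    = $_.FullName
        $target = $shell.CreateShortcut($lnk).TargetPath
        $result = [ordered]@{
            Shortcut = $lnk
            Target   = $target
            Status   = 'TargetMissing'   # overwritten below if the target exists
            Signer   = $null
            Verdict  = 'Review'
        }
        if ($target -and (Test-Path $target)) {
            $sig = Get-AuthenticodeSignature -FilePath $target
            $result.Status = $sig.Status.ToString()
            if ($sig.SignerCertificate) {
                $result.Signer = $sig.SignerCertificate.Subject
            }
            $trusted = $false
            foreach ($p in $trustedPublishers) {
                if ($result.Signer -and $result.Signer.StartsWith($p)) { $trusted = $true }
            }
            if ($sig.Status -eq 'Valid' -and $trusted) {
                $result.Verdict = 'Expected'
            } elseif ($sig.Status -eq 'Valid') {
                # The Rietspoof case: validly signed, but by a publisher you did
                # not expect to find launching at logon.
                $result.Verdict = 'ValidButUnexpectedSigner'
            } else {
                $result.Verdict = 'UnsignedOrInvalid'
            }
        }
        [pscustomobject]$result
    }
}

$findings | Sort-Object Verdict | Format-Table -AutoSize
```

Run it in an elevated PowerShell session so the all-users Startup folder is readable. Shortcuts whose target no longer exists are reported as TargetMissing rather than skipped, because a dangling Startup entry is itself worth a look.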
As mentioned earlier, the infection of Rietspoof consists of several stages, and the malware itself is dropped in the third stage. The last stage involves the distribution of another potent malware strain.
Rietspoof Malware Attacks Likely Targeted
The report highlights that the C&C server communicates only with IP addresses located in the USA, which led researchers to believe that they had detected a specifically targeted attack. Another possibility is that the attackers are using the USA IP range only for testing purposes. Furthermore, it is possible that there are more stages that haven’t been revealed yet, the report concluded.