Rietspoof Malware Uses Facebook Messenger and Skype to Infect

Rietspoof is a new type of malware that is currently being distributed in the wild via Facebook Messenger and Skype. The malware was discovered by Avast, and is being described as a multi-stage threat that combines file formats to create a “more versatile malware”.

The malware is a dropper, also known as a downloader, meaning that its final infection stage is designed to download a further, more damaging payload onto infected hosts.

Even though the malware was spotted for the first time in August last year, it caught the attention of security researchers last month when the number of infections grew bigger.

What Is the Purpose of Rietspoof Malware?

The malware aims to infect victims, gain persistence on affected systems, and download more malware according to the instructions it receives from the command and control server.

Rietspoof’s infection path consists of several stages and combines various file formats, with the sole purpose of delivering more versatile malware.

The researchers’ data suggests that the first stage was delivered through instant messaging clients, such as Skype or Messenger. The malware delivers a highly obfuscated Visual Basic Script with a hard-coded and encrypted second stage — a CAB file. “The CAB file is expanded into an executable that is digitally signed with a valid signature, mostly using Comodo CA”, the report says.


How does the malware gain persistence? By placing a LNK file (shortcut) in the Windows Startup folder. Anti-virus solutions usually monitor this folder, but the malware’s executable is signed with a legitimate certificate, so it passes these security checks.
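As a defender’s check on the Startup-folder persistence described above, the following added PowerShell example (not from the article or from Avast’s report) lists every shortcut in the per-user and all-users Startup folders, resolves its target and reports the Authenticode status and signer. Because the page notes that a valid signature alone lets the dropper pass checks, the signer subject is shown so an unfamiliar certificate holder can be reviewed rather than trusted on signature status alone.

```powershell
# Added example: inventory Startup-folder shortcuts and the signature state of their targets.
# Run in a normal PowerShell session on the host being checked; no third-party modules needed.
$startupFolders = @(
    [Environment]::GetFolderPath('Startup'),        # per-user Startup folder
    [Environment]::GetFolderPath('CommonStartup')   # all-users Startup folder
)

$shell = New-Object -ComObject WScript.Shell       # resolves .lnk targets and arguments

$results = foreach ($folder in $startupFolders) {
    if (-not (Test-Path $folder)) { continue }
    Get-ChildItem -Path $folder -Filter '*.lnk' -File | ForEach-Object {
        $link   = $shell.CreateShortcut($_.FullName)
        $target = $link.TargetPath
        $sig    = $null
        if ($target -and (Test-Path $target)) {
            $sig = Get-AuthenticodeSignature -FilePath $target
        }
        [PSCustomObject]@{
            Shortcut  = $_.FullName
            Created   = $_.CreationTime       # a recently created shortcut is worth a closer look
            Target    = $target
            Arguments = $link.Arguments
            SigStatus = if ($sig) { $sig.Status } else { 'TargetMissing' }
            # Valid signature is not proof of legitimacy: review who the signer is.
            Signer    = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
        }
    }
}

$results | Format-Table -AutoSize
```

Compare the output against a known-good baseline for the host; any shortcut whose target, signer or creation time is unexpected should be investigated regardless of whether SigStatus reads Valid.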

As mentioned earlier, the infection of Rietspoof consists of several stages, and the malware itself is dropped in the third stage. The last stage involves the distribution of another potent malware strain.

Rietspoof Malware Attacks Likely Targeted

The report highlights that the C&C server communicates only with US-based IP addresses, which led researchers to believe they had detected a specifically targeted attack. Another possibility is that the attackers are using the US IP range only for testing purposes. Furthermore, it is possible that there are more stages that haven’t been revealed yet, the report concluded.

Milena Dimitrova

An inspired writer and content manager who has been with SensorsTechForum for 4 years. Enjoys ‘Mr. Robot’ and fears ‘1984’. Focused on user privacy and malware development, she strongly believes in a world where cybersecurity plays a central role. If common sense makes no sense, she will be there to take notes. Those notes may later turn into articles!