Avast security researchers have discovered a new malware strain called Rietspoof which is being distributed via Facebook Messenger and Skype.
In a report published on Saturday (Feb. 16th), researchers described the new threat as a “multi-stage malware” that was first detected in August 2018, but at that time, it was largely ignored due to its infrequent activity.
When their team of researchers began tracking the malware, it was only updated once a month. However, since January 2019, the firm saw a noticeable uptick in the number of times the malware was being updated.
According to Avast, the malware was now being distributed on a daily basis.
Rietspoof has the ability to infect victims, gain persistence on infected hosts, and then download other malware strains, depending on the orders it receives from a central command & control (C&C) server.
Persistence is gained by placing a LNK (shortcut) file in the Windows/Startup folder. “This file runs an expanded PE file after startup to ensure the executable file will run if the machine rebooted,” Avast said.
This is a noisy operation because most antivirus products keep an eye on this type of folder, but Avast says that Rietspoof is signed with legitimate certificates, enabling it to bypass security checks.
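As an added example that is not part of the article or of Avast's report, the following PowerShell check enumerates the per-user and all-users Startup folders described above, resolves each .lnk target, and reports the target's Authenticode status and signer so an administrator can review recently created entries. It assumes a standard Windows host with PowerShell 5 or later; because the article notes that Rietspoof carries legitimate certificates, a "Valid" status is shown alongside the signer and thumbprint for comparison against a known-good list rather than treated as proof of trust.

```powershell
# Added example (not from Avast's report): list Startup-folder shortcuts,
# resolve their targets and show the target's Authenticode signature details.
function Get-StartupShortcutReport {
    # Both locations an .lnk-based Startup persistence entry can live in.
    $startupDirs = @(
        [Environment]::GetFolderPath('Startup'),        # current user
        [Environment]::GetFolderPath('CommonStartup')   # all users
    ) | Where-Object { $_ -and (Test-Path $_) }

    $shell = New-Object -ComObject WScript.Shell
    foreach ($dir in $startupDirs) {
        Get-ChildItem -Path $dir -Filter '*.lnk' -File -ErrorAction SilentlyContinue |
        ForEach-Object {
            # Reading an existing .lnk with CreateShortcut exposes its target and arguments.
            $lnk    = $shell.CreateShortcut($_.FullName)
            $target = $lnk.TargetPath
            $exists = [bool]($target -and (Test-Path $target))
            $sig    = $null
            if ($exists) {
                $sig = Get-AuthenticodeSignature -FilePath $target
            }
            [PSCustomObject]@{
                Shortcut     = $_.FullName
                Created      = $_.CreationTime
                Target       = $target
                Arguments    = $lnk.Arguments
                TargetExists = $exists
                # A Valid status only means the binary is signed by a trusted chain;
                # the signer subject and thumbprint are what should be reviewed.
                SigStatus    = if ($sig) { $sig.Status.ToString() } else { 'n/a' }
                Signer       = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
                Thumbprint   = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Thumbprint } else { '' }
            }
        }
    }
}

# Newest shortcuts first, since a freshly planted entry is the one worth looking at.
Get-StartupShortcutReport | Sort-Object Created -Descending | Format-List
```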
The malware has four different stages
The infection routine is made up of four different stages. The actual malware is dropped in the third stage, with the last and final stage being reserved for downloading a more unpleasant and effective malware strain.
“We noticed that development of this third stage is rapidly evolving, sometimes running two different branches at once. During our analysis, the communication protocol was modified several times and new features were added. For example, string obfuscation was supported in earlier versions, implemented several days later, and then on the 23rd of January, we saw samples that rolled back some of these changes,” said Avast.
Avast described the Rietspoof malware as a “dropper” or “downloader”, which acts similarly to a Trojan and installs other malware strains.
On its own, this functionality is limited, according to the security researchers: it can download, execute, upload, and delete files, and in an emergency it can also delete itself.
“Our research still cannot confirm if we’ve uncovered the entire infection chain,” said Avast. “And, it is possible that there are more stages that haven’t been revealed yet.”