Instant Messages through Live Messenger and Skype are Spreading Rietspoof Malware

A new malware called Rietspoof has been discovered by researchers at Avast. It spreads through instant messages sent over Windows Live Messenger, Skype and similar clients.

This multi-stage malware was first discovered in August 2018 but drew little attention until recently, when it became widespread. Rietspoof first infects the host, gains persistence on it, and then downloads further malware in stages, following orders from its central command and control (C&C) server.
"We've been monitoring new multi-stage malware we call #Rietspoof that exhibits some very striking capabilities. In Jan '19, we saw it being updated daily instead of monthly, a serious concern," announced Avast Software in a tweet.
An LNK shortcut file is placed in the Windows Startup folder, which is how the malware gains persistence. Most antivirus products monitor this folder, which normally makes it hard for malware to persist there. According to the researchers, Rietspoof is signed with legitimate certificates, which lets it pass antivirus security checks.
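A defender's check for the persistence technique described above, written here as an added example (not code from the article or from Avast): it lists the .lnk shortcuts in both Startup folders, resolves their targets and reports each target's Authenticode status and signer, since a valid signature alone is not enough to clear a file here.

```powershell
# Added example, not code from the article or from Avast: list .lnk shortcuts in the
# per-user and all-users Startup folders, resolve each shortcut's target and report its
# Authenticode status. A Valid status is not a clean bill of health here, since the
# article notes Rietspoof is signed with legitimate certificates; the Signer column is
# there so an unfamiliar publisher can be reviewed against a known-good list.
function Get-StartupShortcutReport {
    $startupDirs = @(
        [Environment]::GetFolderPath('Startup'),        # current user
        [Environment]::GetFolderPath('CommonStartup')   # all users
    )
    $shell = New-Object -ComObject WScript.Shell
    foreach ($dir in $startupDirs) {
        if (-not (Test-Path -LiteralPath $dir)) { continue }
        foreach ($file in Get-ChildItem -LiteralPath $dir -Filter '*.lnk' -File) {
            $lnk    = $shell.CreateShortcut($file.FullName)
            $target = $lnk.TargetPath
            $sig    = $null
            if ($target -and (Test-Path -LiteralPath $target)) {
                $sig = Get-AuthenticodeSignature -FilePath $target
            }
            [PSCustomObject]@{
                Shortcut  = $file.FullName
                Created   = $file.CreationTime
                Target    = $target
                Arguments = $lnk.Arguments
                SigStatus = if ($sig) { $sig.Status.ToString() } else { 'TargetMissing' }
                Signer    = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
            }
        }
    }
}

# Newest shortcuts first: a freshly created .lnk in Startup is exactly what the article describes.
Get-StartupShortcutReport | Sort-Object Created -Descending | Format-List
```

Run it from an elevated session if the all-users Startup folder is not readable; review any entry whose target is missing, lives outside Program Files or the Windows directory, or is signed by a publisher you do not recognise.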
"It seems that Rietspoof was spread using a Microsoft Word document with macros," noted the Avast Threat Intelligence Team.
The infection proceeds in three stages, the last of which downloads a more capable strain of malware. Security researchers therefore call Rietspoof a downloader: its effect on the victim is to fetch that stronger payload.

The malware's own functionality is very limited: it can download files, execute them, upload files, and delete them when needed. At times it deletes itself as well, but that is all Rietspoof is expected to do.

Avast's researchers believe it is still under development, since its C&C communication protocol and other details have been modified since it was discovered. They are also unsure whether they have uncovered its whole infection chain.

Rietspoof is the second malware downloader noticed in the last few months, after Vidar, which cybercriminals use to distribute ransomware and password stealers.


Photo: ipopba via Getty Images
