New Rietspoof multi-stage malware spreads via instant messaging clients

A new family of versatile, multi-stage malware is spreading via instant messaging clients, such as Skype and Live Messenger. Avast’s Threat Intelligence Team has been monitoring the malware since August of 2018 and released new details on the threat in a report over the weekend.

According to Avast researchers, Rietspoof now uses multiple stages and combines multiple file formats to deliver a more versatile malware. The frequency of the malware capabilities and features have increased from monthly to now daily.

Security researchers also spotted a significant uptick in Rietspoof activity since January 2019.

Rietspoof is known to be a “dropper” or download type of malware since it’s used to download newer more powerful strains of the malware that can cause even more damage on the victim’s system.

4-stage infection process

Avast researchers described how the malware threat infects systems over four stages.

In Stage 1, Rietspoof is first delivered via instant messaging clients, such as Skype or Live Messenger, which then runs a highly concealed or obfuscated Visual Basic Script (VBS). The VBS script then delivers a hard-coded encrypted CAB file used in the next stage of the attack.

In Stage 2, the CAB file is expanded into an executable (or .exe file) that is also digitally signed with a valid signature, such as Comodo CA.

In Stage 3, the malware uses a simple TCP protocol (encrypted by AES in CBC mode) to communicate with its command-and-control (C2) server. The C2’s IP address is also hard-coded in the binary.

“This stage has the capabilities of a simple bot: it can download/upload files, start processes, or initiate a self-destruct function,” Avast added.

In the final Stage 4, the .exe then installs a downloader.

Avast also noticed the unusual nature of the malware using multiple protocols, such as its own as well as HTTP/HTTPS, while trying to communicate to C2 systems.

It was also noted the C2 servers appeared to only be communicating with IPs based in the US, which could mean the attackers are targeting specific victims in the US or they are using for testing.

Adding persistence

Avast also said the malware authors added a new function for persistence in the new version of VBS just last month:

“The script creates a new LNK file in startup with the name WindowsUpdate.lnk. This lnk file runs an expanded PE file after startup to ensure the executable will run if the machine is rebooted.”

See more details on the Rietspoof malware threat in the Avast blog post.