Rietspoof multi-stage malware propagates via Facebook Messenger and Skype

• Rietspoof malware is a multi-stage malware with its first stage distributed via instant messaging clients such as Skype or Facebook Messenger.
• The actual Rietspoof malware is dropped in the third stage with capabilities such as downloading or uploading files, starting processes, or initiating a self-destruct function.

Researchers from Avast detected a new malware strain dubbed Rietspoof, which is distributed via instant messaging clients such as Facebook Messenger and Skype. Researchers noted this malware as a multi-stage malware which utilizes several stages to drop a more versatile malware. This is why researchers call this malware as a dropper even though it has bot capabilities.

Four Stages

The multi-stage malware uses four stages for the malware infection:

• The first stage of the malware infection is delivered via instant messaging clients such as Skype or Facebook Messenger.
• The malware then drops a highly obfuscated VBS with a hard-coded and encrypted second stage executable, a CAB file which is digitally signed with a valid signature.
• The actual Rietspoof malware is dropped in the third stage with bot capabilities such as downloading or uploading files, starting processes, or initiating a self-destruct function. The third stage uses a simple AES encrypted TCP protocol to communicate with its C&C whose IP address is hardcoded.
• The fourth stage communicates with the C&C server whose IP address is hardcoded and then the CAB file executable installs the final payload.

Rietspoof’s main functions

Rietspoof's main function is to infect victims, gain persistence on infected hosts, and then download other malware payloads based on the orders it receives from its C&C server.

The malware gains persistence on infected victim’s host by placing an LNK (shortcut) file in the Windows / Startup folder. Even though most antivirus products keep an eye on this folder, Rietspoof is digitally signed in order to bypass security checks by most Antivirus software.

“Rietspoof has had a significant increase in its activity during January 2019. During this time, the developer has used several valid certificates to sign related files. Also, the payloads went through development, namely changing the implementation of the Stage 3 communication protocol several times,” researchers said in a blog.