Researchers from Avast have detected a new malware strain, dubbed Rietspoof, that is distributed through instant messaging clients such as Facebook Messenger and Skype. The researchers describe it as multi-stage malware that works through several stages to drop a more versatile payload, which is why they classify it as a dropper even though it also has bot capabilities.
The infection proceeds in four stages:
Rietspoof’s main functions
Rietspoof's main function is to infect victims, gain persistence on infected hosts, and then download other malware payloads based on the orders it receives from its C&C server.
The malware gains persistence on the infected host by placing an LNK (shortcut) file in the Windows Startup folder. Even though most antivirus products keep an eye on this folder, Rietspoof's files are digitally signed in order to pass the security checks of most antivirus software.
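The two details above, a shortcut dropped into a Startup folder and a signed payload, are what a defender can audit directly. The following PowerShell script is an added example (not code from Avast or from the malware): it lists every LNK shortcut in the per-user and all-users Startup folders, resolves each shortcut's target, and reports the target's Authenticode signature status and signer. It assumes a Windows host with PowerShell 5.1 or later.

```powershell
# Added example: audit Startup-folder shortcuts and the signature of what they launch.
# Assumes Windows PowerShell 5.1+ (Get-AuthenticodeSignature, WScript.Shell COM object).

$startupFolders = @(
    [Environment]::GetFolderPath('Startup'),        # per-user Startup folder
    [Environment]::GetFolderPath('CommonStartup')   # all-users Startup folder
)

# WScript.Shell can load an existing .lnk and expose its target and arguments.
$shell = New-Object -ComObject WScript.Shell

$results = foreach ($folder in $startupFolders) {
    if (-not (Test-Path -Path $folder)) { continue }

    foreach ($file in Get-ChildItem -Path $folder -Filter '*.lnk' -File) {
        $lnk    = $shell.CreateShortcut($file.FullName)
        $target = $lnk.TargetPath
        $status = 'TargetMissing'
        $signer = ''

        if ($target -and (Test-Path -Path $target)) {
            # Status is Valid, NotSigned, HashMismatch, UnknownError, ...
            $sig    = Get-AuthenticodeSignature -FilePath $target
            $status = $sig.Status
            if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }
        }

        [PSCustomObject]@{
            Shortcut  = $file.FullName
            Created   = $file.CreationTime
            Target    = $target
            Arguments = $lnk.Arguments
            Status    = $status
            Signer    = $signer
        }
    }
}

# Newest shortcuts first: a recently created entry is the one worth looking at.
$results | Sort-Object -Property Created -Descending | Format-Table -AutoSize
```

Because the report notes that Rietspoof's files carry valid certificates, a `Valid` status does not clear an entry; the creation time, the signer subject and whether the target belongs to software the user actually installed are what to review.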
“Rietspoof has had a significant increase in its activity during January 2019. During this time, the developer has used several valid certificates to sign related files. Also, the payloads went through development, namely changing the implementation of the Stage 3 communication protocol several times,” researchers said in a blog post.