February 19, 2019
Researchers at Avast have recently discovered that malware named ‘Rietspoof’ is using Facebook Messenger and Skype spam to infect host computers. The popular instant messaging applications are being used to spread the ‘multi-stage malware’. This new information was brought to light by a recent report published by Avast.
This new threat was detected in August 2018 but was largely ignored by Facebook and Skype until users started reporting a sudden increase in malware attacks. Rietspoof works by first entering the host computer through Facebook Messenger or Skype spam, then gaining persistence on the infected computer, after which it starts downloading other malware onto the host. Which malware it downloads depends on instructions from a central command and control (C&C) server.
How Rietspoof Gains Persistence
Rietspoof attains persistence on a host computer by placing an LNK (shortcut) file in the Windows Startup folder. This is a risky operation for any malware, as most anti-virus programs know about this technique and keep a close eye on this folder. But Rietspoof bypasses the anti-virus programs by appearing authentic to them: it is signed with legitimate certificates, and so escapes the security checks. Avast goes into greater detail on the mechanism of Rietspoof in its report.
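One defender-side check for the persistence technique described above is to list every shortcut in the Startup folders, resolve where it points, and record the Authenticode status of the target. The script below is an added example, not code from Avast's report; it assumes Windows PowerShell 5.1 or later and the WScript.Shell COM object.

```powershell
# Added example (not from the Avast report): enumerate .lnk files in the per-user and
# all-users Startup folders, resolve their targets and record each target's signature.
# Assumes Windows PowerShell 5.1+ and the WScript.Shell COM object.
$startupDirs = @(
    [Environment]::GetFolderPath('Startup'),        # per-user Startup folder
    [Environment]::GetFolderPath('CommonStartup')   # all-users Startup folder
)

$shell = New-Object -ComObject WScript.Shell

foreach ($dir in $startupDirs) {
    if (-not (Test-Path $dir)) { continue }
    Get-ChildItem -Path $dir -Filter '*.lnk' -File -ErrorAction SilentlyContinue | ForEach-Object {
        $lnk    = $shell.CreateShortcut($_.FullName)
        $target = $lnk.TargetPath
        $info   = [ordered]@{
            Shortcut  = $_.FullName
            Target    = $target
            Arguments = $lnk.Arguments   # a script host with arguments is worth a closer look
            Status    = 'TargetMissing'
            Signer    = ''
        }
        if ($target -and (Test-Path $target)) {
            $sig = Get-AuthenticodeSignature -FilePath $target
            $info.Status = $sig.Status.ToString()
            if ($sig.SignerCertificate) { $info.Signer = $sig.SignerCertificate.Subject }
        }
        [pscustomobject]$info
    }
}
```

Because Rietspoof is signed with legitimate certificates, a `Valid` status does not clear a shortcut; review every Startup entry and compare the signer against the vendors you actually expect on that machine.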
The routine by which Rietspoof strikes is a 4-stage procedure, and the third stage is where Rietspoof itself is dropped onto the host computer. The last stage is the most dangerous, as this is where another, more potent malware is downloaded onto the host computer.
Researchers have termed Rietspoof a ‘dropper’ or a ‘downloader’, a kind of malware strain whose sole purpose is to attack the host computer by downloading a more damaging malware strain.
Because of this narrow purpose, Rietspoof’s functionality is very limited. It can only download, upload, execute and delete files on the host computer. In rare cases, this malware is also known to delete itself. Even though its abilities are limited, they are more than enough to wreak havoc on the host computer.
Since Avast started tracking this malware, the command and control protocol has changed and the malware has gone through some tweaks in its operation, which hints that Rietspoof is still under active development.
Researchers commented on Saturday that they still do not have a complete picture of Rietspoof’s infection chain, and they will need more time to uncover the true extent of the damage this malware has caused so far.
This isn’t the first time in 2019 that malware has hit the news cycle. Another ‘dropper/downloader’ type of malware has infected computers all around the world within the last few months. This malware is called Vidar, a new malware strain that is helping various criminal syndicates distribute password stealers and ransomware. Researchers believe that Rietspoof could have hidden stages in its mechanism that have not yet revealed themselves.