Rietspoof Malware Alert: Quickly spreading through Skype and Facebook Messenger

Malware Rietspoof

Avast researchers see the spread of new malware to instant messaging customers.

Avast security researchers have discovered a new strain of malware called Rietspoof, which is currently spreading to victims via Facebook Messenger and Skype instant messaging customers.

In a long weekend report, researchers described this new threat as a “multi – stage malware,” which was first discovered in August 2018, but was largely ignored until last month’s distribution efforts were noticeably boosted.

Rietspoof’s main role is to infect victims, persist in infected hosts and then download other malware strains – depending on the orders it receives from the control server and a central command.

The malware gains persistence by placing a LNK file (shortcut) in the Windows / Startup folder. This is a noisy operation because most antivirus products know how to keep an eye on this folder, but Avast says Rietspoof is also signed with legitimate certificates so that security checks can be circumvented by the malware.

The infection routine consists of four different stages, described in more detail in the Avast description. The actual Rietspoof malware is dropped in stage three, with a more intrusive and powerful malware strain reserved for the last stage download.

Rietspoof is what security scientists call a “dropper” or “downloader,” a malware strain designed solely to infect victims with “something stronger.”

This is why it is also very limited in functionality. It can download, run, upload and delete files and can also delete itself in the event of an emergency. However, these are more than enough for Rietspoof to do his job.

Avast says the malware has changed its C&C communication protocol since it began to look at this new threat and has undergone other smaller modifications, which have led researchers to believe that it is still under active development.

“Our research did not confirm whether we have uncovered the entire infection chain,” researchers said on Saturday.
Rietspoof is the second “malware dropper / downloader” in operation in recent months. The other is called Vidar, a malware strain that has helped different criminal gangs distribute ransomware and password stealers. Malware analysis Vidar is available here.

Mark Funk
Mark Funk is an experienced information security specialist who works with enterprises to mature and improve their enterprise security programs. Previously, he worked as a security news reporter.