Cybersecurity researchers have found that a new malware strain, named Rietspoof, is now spreading via popular instant messaging clients such as Facebook Messenger and Skype.
The researchers describe this new threat as multi-stage malware. It was first spotted in August 2018 and was mostly ignored until it infected a large number of devices in the past month.
Malware modus operandi:
During malware analysis, researchers found that Rietspoof's main role is to infect victims, gain persistence, and then download and deploy other malware from a central command and control (C&C) server.
Rietspoof gains persistence by installing an LNK (shortcut) file in the Windows Startup folder.
The only good news is that this persistence technique is recognized by most antivirus products, but Rietspoof gets around that detection because its files are signed with a legitimate certificate.
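As an added example (not code from the article or from the researchers' analysis), the following Python script parses the shortcuts in the per-user and all-users Startup folders and flags any whose target lies outside the Windows and Program Files trees, the kind of check the persistence technique above invites. The sample .lnk, its target path and the trusted-prefix allow-list are constructed assumptions for offline testing; the parser reads only the MS-SHLLINK fields needed for triage.

```python
"""Triage Windows Startup-folder shortcuts: parse each .lnk (MS-SHLLINK) and
report where it points. Added example, not code from the article."""
import glob, os, struct

HAS_IDLIST, HAS_LINKINFO, HAS_ARGS, IS_UNICODE = 0x01, 0x02, 0x20, 0x80
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-0000-0000-C000-000000000046}
STRING_FLAGS = (0x04, 0x08, 0x10, 0x20, 0x40)  # Name, RelativePath, WorkingDir, Arguments, IconLocation
STRING_NAMES = ("name", "relative_path", "working_dir", "arguments", "icon")
TRUSTED_PREFIXES = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")  # assumed allow-list

def parse_lnk(data: bytes) -> dict:
    """Extract the LocalBasePath target and the StringData fields from a .lnk blob."""
    if len(data) < 76 or data[:20] != struct.pack("<I", 0x4C) + LNK_CLSID:
        raise ValueError("not a ShellLink header")
    flags = struct.unpack_from("<I", data, 20)[0]  # LinkFlags follows the 16-byte CLSID
    pos, out, wide = 76, {"target": None}, bool(flags & IS_UNICODE)
    if flags & HAS_IDLIST:  # skip the opaque item-ID list: u16 size, then that many bytes
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINKINFO:
        li_size, _, li_flags, _, lbp_off = struct.unpack_from("<5I", data, pos)
        if li_flags & 0x01:  # VolumeIDAndLocalBasePath: NUL-terminated ANSI path
            end = data.index(b"\x00", pos + lbp_off)
            out["target"] = data[pos + lbp_off:end].decode("cp1252")
        pos += li_size
    for bit, name in zip(STRING_FLAGS, STRING_NAMES):
        if flags & bit:  # u16 CountCharacters, then the characters, no terminator
            n = struct.unpack_from("<H", data, pos)[0] * (2 if wide else 1)
            out[name] = data[pos + 2:pos + 2 + n].decode("utf-16le" if wide else "cp1252")
            pos += 2 + n
    return out

def is_suspicious(info: dict) -> bool:  # no resolvable target, or one outside the trusted trees
    target = info.get("target")
    return target is None or not target.lower().startswith(TRUSTED_PREFIXES)

def build_sample_lnk(target: str, args: str) -> bytes:
    """CONSTRUCTED minimal .lnk for offline testing; only the fields parsed above are filled."""
    hdr = struct.pack("<I16sI52x", 0x4C, LNK_CLSID, HAS_LINKINFO | HAS_ARGS | IS_UNICODE)  # rest zeroed
    vol = struct.pack("<4I", 0x11, 3, 0, 0x10) + b"\x00"  # VolumeID with an empty label
    body = vol + target.encode("cp1252") + b"\x00" + b"\x00"  # LocalBasePath + empty CommonPathSuffix
    li = struct.pack("<7I", 28 + len(body), 28, 1, 28, 28 + len(vol), 0, 27 + len(body)) + body
    return hdr + li + struct.pack("<H", len(args)) + args.encode("utf-16le")

def audit_startup_folders() -> list:  # (path, target, suspicious) for every Startup .lnk on this host
    sub = r"Microsoft\Windows\Start Menu\Programs\Startup"
    roots = [os.path.join(os.environ[v], sub) for v in ("APPDATA", "ProgramData") if v in os.environ]
    infos = [(p, parse_lnk(open(p, "rb").read())) for r in roots for p in glob.glob(os.path.join(r, "*.lnk"))]
    return [(p, i["target"], is_suspicious(i)) for p, i in infos]
```

Run it with administrative rights on a Windows host; a flagged entry is a starting point for review rather than a verdict, since legitimate installers also drop shortcuts into user-writable locations.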
Remember that everything can be hacked. To stay away from any cyber threats, we recommend installing an antivirus for Windows or an antivirus for Mac on every device you own, depending on which OS it is running. If you are a company, we also recommend hiring a specialized cybersecurity company every year to run annual tests on your company's network. These tests include penetration testing and ethical hacking tests.
The infection is carried out in four stages. Stages 1 and 2 prepare the ground for the actual Rietspoof malware, which is installed in stage 3. The fourth and last stage downloads a more intrusive and potent malware strain.
Rietspoof is known among cybersecurity researchers as a "dropper" or "downloader," a class of malware designed to infect victims with more dangerous malware.
Its functions are very limited: it can download, execute, upload, and delete files, and, in an emergency, delete itself. But these functions are more than enough for this type of malware to do its job.
While looking into this new threat, researchers also observed that the malware changed its C&C communication protocol, which led them to believe that it is still under active development.
Rietspoof is the second "malware dropper/downloader" whose activity has spiked in the past months. The other is Vidar, a malware strain used to distribute ransomware and password stealers.
We will continue to monitor this cybersecurity problem. Meanwhile, users should keep a keen eye out for cyber attacks. Remember to use an antivirus for Windows or an antivirus for Mac on every device you own, depending on which OS your machine is running. If you are a company, we recommend hiring a specialized cybersecurity company every year to run annual tests on your company's network; these tests include penetration testing and ethical hacking.