Instant messaging platforms like Skype and Facebook Messenger are the newest tool for a malware strain known as Rietspoof. The malware uses multiple stages to drop malware, which is why researchers are dubbing it a dropper even though it has bot capabilities. The malware begins in Skype or Facebook Messenger. From there, a VBS is dropped that contains a digitally signed CAB file. The third stage is where the Rietspoof malware comes into play. It is dropped with the ability to download or upload files, begin processes, or even self-destruct. An average AES encrypted TCP is used to transfer information to the C&C server. In the fourth stage the CAB delivers the final payload. The malware is able to make its way through an infected system by delivering an LNK file to the Windows/Startup folder and while most antivirus software are able to detect unauthorized additions to the folder, Rietspoof uses a valid digital signature to avoid being detected.
Analyst Notes
If users are able to identify that they’ve been affected by the malware, they should immediately boot their PC in safe mode in an effort to isolate and diminish the Rietspoof Malware files. Locate any files that have already been created by Rietspoof and scan for any other unwanted programs with a valid Anti-Malware Tool.
