Rietspoof malware strain spreads via Facebook Messenger and Skype

The Rietspoof malware family has been discovered by Avast researchers and is used to infect systems with stronger strains

Rietspoof Malware graphic

Security researchers at Avast have discovered a malware strain they are calling Rietspoof that is spreading via Facebook Messenger and Skype.

The team has been tracking the malware since August 2018 and up until January 2019, the strain had been updated once a month and was largely ignored.

Last month, though, the team saw a noticeable uptick in the number of times it was updated, suggesting that the malware's operator could be planning a more widespread attack.

Avast says it seems to have been designed as a 'dropper' which means the malware will infect systems and once embedded, and then download other potentially more harmful malware strains from its central command and control (C&C) server.

The strain infects computers using various file formats. Firstly it was delivered through instant messaging clients such as Facebook Messenger and Skype. It then delivered a highly obfuscated Visual Basic Script with a hard-coded and encrypted second stage - a CAB file which expanded into an executable which then installed a downloader.

Rietspoof is itself installed in the third stage, the executable, and has limited capability akin to a bot. It can read and write files, start processes and also self-destruct in cases of emergency.

The C&C server had also implemented a geofence based on the infected system's IP address. Researchers didn't receive any 'interesting' commands when testing it from their own lab but when they moved their approach to a US IP, the next stage was initialised and stronger malware was called to be installed.

Avast's researchers said that they have a wealth of data on Rietspoof but know little of the operator's motives or targets. They also explained that the files infected with the malware are largely going undetected by most antivirus software.

Reitspoof is the second 'dropper' to have been found picking up in activity in recent months, the other being Vidar, a malware helping cyber criminals distribute ransomware and password stealers.

Featured Resources

Unleashing the power of AI initiatives with the right infrastructure

What key infrastructure requirements are needed to implement AI effectively?

Download now

Achieve today. Plan tomorrow. Making the hybrid multi-cloud journey

A Veritas webinar on implementing a hybrid multi-cloud strategy

Download now

A buyer’s guide for cloud-based phone solutions

Finding the right phone system for your modern business

Download now

The workers' experience report

How technology can spark motivation, enhance productivity and strengthen security

Download now

Recommended

Android malware vendor teams with marketer to promote new malware
malware

Android malware vendor teams with marketer to promote new malware

11 Jan 2021
Python-based malware steals Outlook files and browser credentials
malware

Python-based malware steals Outlook files and browser credentials

15 Dec 2020
Subway UK customers targeted by Trickbot hackers
hacking

Subway UK customers targeted by Trickbot hackers

14 Dec 2020
Power banks could infect your smartphone with malware
malware

Power banks could infect your smartphone with malware

9 Dec 2020

Most Popular

How to move Windows 10 from your old hard drive to SSD
operating systems

How to move Windows 10 from your old hard drive to SSD

21 Jan 2021
WhatsApp could face €50 million GDPR fine
General Data Protection Regulation (GDPR)

WhatsApp could face €50 million GDPR fine

25 Jan 2021
How to recover deleted emails in Gmail
email delivery

How to recover deleted emails in Gmail

6 Jan 2021