A new strain of malware that spreads through Facebook Messenger and Skype has been discovered.
Security researchers at Avast have been monitoring this new malware strain, which they have been calling Rietspoof and which, according to them, exhibits striking features and capabilities.
Although the Avast researchers had been monitoring Rietspoof for the past few months, they largely ignored it while it was being updated only once a month. A recent, noticeable increase in how often the malware was updated prompted them to study it further.
A blog post by the Avast Threat Intelligence Team reads, “Since August 2018, we have been monitoring a new malware family we’re calling Rietspoof. Rietspoof is a new multi-stage malware that exhibits some very striking features and capabilities. When we began tracking Rietspoof, it was updated about once a month. However, in January 2019, we noticed the update cadence change to daily.”
The blog post, dated 16 February 2019, explains that Rietspoof combines various file formats and uses several stages to deliver a potentially more versatile malware.
“Our data suggests that the first stage was delivered through instant messaging clients, such as Skype or Live Messenger. It delivers a highly obfuscated Visual Basic Script with a hard-coded and encrypted second stage — a CAB file. The CAB file is expanded into an executable that is digitally signed with a valid signature, mostly using Comodo CA. The .exe installs a downloader in Stage 4,” explains the Avast blog post.
It further says, “What’s interesting to note, is that the third stage uses a simple TCP protocol to communicate with its C&C, whose IP address is hardcoded in the binary. The protocol is encrypted by AES in CBC mode. In one version we observed the key being derived from the initial handshake, and in a second version it was derived from a hard-coded string. In version two, the protocol not only supports its own protocol running over TCP, but it also tries to leverage HTTP/HTTPS requests.”
The Avast team notes that it is uncommon for a C&C communication protocol to be modified to this extent. Obfuscation methods change often, but in most malware the C&C communication remains relatively constant.
The blog post further explains, “This downloader uses a homegrown protocol to retrieve another stage (Stage 4) from a hard-coded address. While Stage 3 protocol includes bot capabilities, Stage 4 acts as a designated downloader only.”
Researchers have observed that the C&C server communicates only with IP addresses set to the USA. This suggests either that the attack is specifically targeted or that the attackers are using the USA IP range only for testing. The Avast team also feels that there could be more stages that are yet to be revealed.
A notable thing about Rietspoof, which is installed in the third stage, is that it can read and write files, start processes and also self-destruct in cases of emergency.
It was in January 2019 that a significant increase in activity was noticed for Rietspoof. The developer used several valid certificates to sign related files, and the payloads went through development during this time. The implementation of the Stage 3 communication changed several times.
The Avast researchers point out that though they have extensive data regarding Rietspoof, they are still left in the dark regarding the motives, the modus operandi and the intended targets. Moreover, the malware-infected files have rarely been detected by antivirus software to date.
The Avast blog post concludes by saying, “Our research still cannot confirm if we’ve uncovered the entire infection chain. While the malware has bot capabilities, it seems to have been primarily designed as a dropper. Additionally, the low prevalence and use of geofencing signifies other possible unknowns. For instance, we may have missed other samples that are distributed only to a specific IP address range.”