Avast security researchers have discovered a new malware strain named Rietspoof that's currently being spread to victims via instant messaging clients such as Skype and others.
In a report published over the weekend, researchers described this new threat as a "multi-stage malware," that was first spotted in August 2018, but which was largely ignored until a noticeable uptick in distribution efforts last month.
Rietspoof's main role is to infect victims, gain persistence on infected hosts, and then download other malware strains, depending on the orders it receives from a central command & control (C&C) server.
The malware gains persistence by placing an LNK (shortcut) file in the Windows Startup folder. This is a noisy operation because most antivirus products know to keep an eye on this folder, but Avast says Rietspoof is also signed with legitimate certificates, allowing the malware to bypass security checks.
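A defender-side check for the persistence mechanism described above, added here as an example (not Avast's code or anything from its report): it lists .lnk files in both Windows Startup folders, resolves their targets and records each target's Authenticode status, so that a signed target is still surfaced for review rather than trusted outright. It assumes Windows PowerShell 5.1 or later on the host being audited.

```powershell
# Added example: audit shortcut files in the per-user and all-users Startup folders.
# A valid signature on the target does not exempt an entry from review, so every
# shortcut is reported together with its signer and creation time.
$startupDirs = @(
    [Environment]::GetFolderPath('Startup'),        # per-user Startup folder
    [Environment]::GetFolderPath('CommonStartup')   # all-users Startup folder
)
$shell  = New-Object -ComObject WScript.Shell      # resolves .lnk targets
$recent = (Get-Date).AddDays(-7)                   # assumption: 7-day "new entry" window

$report = foreach ($dir in $startupDirs) {
    Get-ChildItem -Path $dir -Filter '*.lnk' -ErrorAction SilentlyContinue | ForEach-Object {
        $lnk    = $shell.CreateShortcut($_.FullName)
        $target = $lnk.TargetPath
        # Only query Authenticode when the target actually exists on disk
        $sig = if ($target -and (Test-Path -LiteralPath $target)) {
            Get-AuthenticodeSignature -FilePath $target
        }
        [PSCustomObject]@{
            Shortcut        = $_.FullName
            Created         = $_.CreationTime
            RecentlyCreated = ($_.CreationTime -gt $recent)
            Target          = $target
            Arguments       = $lnk.Arguments
            SigStatus       = if ($sig) { $sig.Status } else { 'TargetMissing' }
            Signer          = if ($sig -and $sig.SignerCertificate) {
                                  $sig.SignerCertificate.Subject
                              } else { '' }
        }
    }
}

# Newest entries first; anything RecentlyCreated or not 'Valid' deserves a closer look,
# and a 'Valid' status on a brand-new shortcut is itself worth verifying against the signer.
$report | Sort-Object Created -Descending | Format-Table -AutoSize
```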
The infection routine is made up of four different stages, described in greater detail in the Avast write-up here. The actual Rietspoof malware is dropped in stage three, with the last stage being reserved for downloading a more intrusive and potent malware strain.
Rietspoof is what security researchers call a "dropper" or "downloader," a malware strain designed for the sole purpose of infecting victims with "something stronger."
Because of this, its functionality is also very limited. It can download, execute, upload, and delete files, and, in case of emergencies, it can also delete itself. Nonetheless, these are more than enough for Rietspoof to do its job.
Avast says that since it began looking into this new threat, the malware has changed its C&C communication protocol, and has gone through other smaller modifications, which made researchers believe that it's still under active development.
"Our research still cannot confirm if we've uncovered the entire infection chain," said researchers on Saturday.
Rietspoof is the second "malware dropper/downloader" that has been seen picking up in activity in the past few months. The other one is named Vidar, a malware strain that has been helping various criminal gangs distribute ransomware and password stealers. An analysis of the Vidar malware is available here.
Updated on February 24. An earlier version of this article claimed the malware was being spread via Facebook Messenger. Avast later clarified that the malware didn't use Facebook Messenger, but older servers used by Live Messenger, now used for various Microsoft instant messaging services, such as the one included with Outlook.