Unceasingly Developed Rietspoof in Action

Delaware, USA – February 20, 2019 – Uprising activity of yet another malware was spotted by security researchers of Avast. The Rietspoof malware is now being spread in Skype and Live Messenger and downloads other malicious software from its command and control server. Rietspoof was first noticed in August 2018 and was updated monthly, but it’s high time to tall an alarm bell – the malware gets new adjustments almost daily.

Rietspoof infects the victim system with ingenious Visual Basic script signed with a new valid certificate that makes the malware avoid being noticed when it drops LNK file to the Windows/Startup folder and contains executable hidden in the CAB file. Once the executable reaches the destination point, the downloader is installed as the next stage of malware injection. The downloader seems to get geo-targeted IP-based commands, and as reported by Avast, the further steps of infection were observed when they used a fake USA IP. The downloader’s functionality is limited to downloading, executing, files uploading and deleting, and erasing itself if necessary and the real care-about is the malware which Rietspoof downloads from its C&C server. Avast suggests that the malware is being developed more than ever and occurs unrecognized by antiviruses, moreover, the targets and motivations of attackers are not clear yet. Since the malware successfully gains a foothold in the system, bypassing standard security solutions, it is necessary to track suspicious events related to Startup folder. You can discover the abnormal deviations in security events of Microsoft Windows and Active Directory, monitor events in access control, user and group management, and maintenance of systems and services with Windows Security Monitor rule pack: https://my.socprime.com/en/integrations/windows-security-monitor-arcsight