Security researchers at Avast have discovered a new malware strain which is being distributed via Facebook Messenger and Skype. This may come as another blow to Facebook’s reputation, which is limping from one public relations nightmare to the next. News of the new malware quickly followed the release of the UK’s Digital, Culture, Media, and Sport select committee’s investigation report. The investigation took 18 months to complete and had the mandate to investigate Facebook’s role in the dissemination of fake news. The report, which runs to over a hundred pages, found that Facebook may be guilty of purposefully obstructing its inquiry and of failing to tackle attempts by Russia to manipulate elections. The report went further and labeled the social media giant as “digital gangsters”.
The report Avast published over the weekend will not have the same effect as the report mentioned above; however, malware has the ability to ruin the day of many individuals, and companies, no matter how big they are, do not want their applications used to distribute it. In the report, the researchers described the new threat as “multi-stage malware”, meaning that it deploys in stages. This is a common tactic used by malware authors to avoid detection and to allow for the deployment of other malware strains at a later date. Avast discovered the malware in August 2018 and noticed that it was being updated on a monthly basis. The firm then noticed that in January 2019 the malware was being updated on a daily basis.
Based on the analysis done, it would appear that the malware is being prepared for the distribution of potentially far more dangerous malware strains. This is done simply by sending instructions to, and receiving instructions from, the attacker’s command and control server. The interesting part is how the malware achieves persistence on infected computers: it places an LNK (shortcut) file in the Windows Startup folder. This is a noisy operation, as any good antivirus package constantly watches this folder. To try and circumvent detection by antivirus packages, the malware’s files are signed with legitimate certificates so that they pass signature checks.
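A defender who wants to audit the persistence location described above can enumerate the shortcuts in the Startup folders, resolve where each one points, and record the signature status of the target. The following PowerShell script is an added example written for this article; it is not code from Avast or from the malware analysis, and the seven-day "recently created" window and the Program Files / Windows path allow-list are assumptions chosen for illustration. Because Rietspoof is signed with valid certificates, the script deliberately reports the signer subject and the target path rather than treating a "Valid" status as a clean verdict.

```powershell
# Added example (not from the Avast report): list shortcut (.lnk) files in the
# per-user and all-users Startup folders, resolve each shortcut's target, and
# report the Authenticode status of the target binary. A "Valid" signature is
# NOT proof of benign intent, since Rietspoof is signed with legitimate
# certificates; the signer subject and target path are what to review by hand.

function Get-StartupShortcutReport {
    $startupDirs = @(
        [Environment]::GetFolderPath('Startup')        # current user
        [Environment]::GetFolderPath('CommonStartup')  # all users
    )
    $shell = New-Object -ComObject WScript.Shell
    # Assumed review window: shortcuts created within the last 7 days get flagged.
    $recentCutoff = (Get-Date).ToUniversalTime().AddDays(-7)
    # Assumed allow-list of "expected" install roots; anything else gets flagged.
    $expectedRoots = '^[A-Za-z]:\\(Program Files( \(x86\))?|Windows)\\'

    foreach ($dir in $startupDirs) {
        if (-not (Test-Path -LiteralPath $dir)) { continue }
        Get-ChildItem -LiteralPath $dir -Filter '*.lnk' -File | ForEach-Object {
            $lnk    = $shell.CreateShortcut($_.FullName)
            $target = $lnk.TargetPath
            $sig    = $null
            if ($target -and (Test-Path -LiteralPath $target)) {
                $sig = Get-AuthenticodeSignature -FilePath $target
            }

            $sigStatus = 'TargetMissing'
            $signer    = ''
            if ($sig) {
                $sigStatus = $sig.Status.ToString()
                if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }
            }

            # Flag what a responder wants to see first: recently created shortcuts,
            # shortcuts whose target no longer exists, or targets outside the
            # expected install roots. Signature validity alone does not clear an entry.
            $suspicious = ($_.CreationTimeUtc -gt $recentCutoff) -or
                          (-not $sig) -or
                          ($target -notmatch $expectedRoots)

            [pscustomobject]@{
                Shortcut   = $_.FullName
                CreatedUtc = $_.CreationTimeUtc
                Target     = $target
                Arguments  = $lnk.Arguments
                SigStatus  = $sigStatus
                Signer     = $signer
                Suspicious = $suspicious
            }
        }
    }
}

# Usage: flagged entries sort to the top for manual review.
Get-StartupShortcutReport | Sort-Object Suspicious -Descending | Format-Table -AutoSize
```

Run it from an elevated PowerShell prompt so that the all-users Startup folder is readable. Treat the output as a triage list, not a verdict: a signed binary in Program Files with a recent creation date still deserves a look at who the signer is and whether that vendor is actually installed on the machine.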
Rietspoof can be defined as a dropper, a piece of malware which acts similarly to a trojan in that it installs other malware strains. Droppers are by no means novel, and their danger lies in whatever other malware the hackers responsible plan to install. Currently, according to the security researchers, its functionality is limited. It can download, execute, upload, and delete files, and, in case of emergencies, it can also delete itself. Nonetheless, this is more than enough for Rietspoof to do what it is intended for.
On analysis of the different deployment stages, it was determined that the malware combines various file formats in an attempt to deliver far more varied malware strains. The first stage is delivered through Facebook Messenger and Skype; this is far from the first time these platforms have been used to distribute malware, nor will it be the last. The first stage is highly obfuscated and written in Visual Basic, and the second stage is hard-coded within it. The second stage is a CAB file, which is expanded into an executable that is signed with a valid digital signature. This is by no means unique, but what did interest researchers is the third stage. This stage is where the Rietspoof malware itself is deployed, and it has changed several times since the malware’s discovery. Once Rietspoof is deployed, it uses a custom protocol to download the fourth stage, which is the dropper itself.
Avast concluded that,
“As you have read above, this new malware, Rietspoof, has had a significant increase in its activity during January 2019. During this time, the developer has used several valid certificates to sign related files. Also, the payloads went through development, namely changing the implementation of the Stage 3 communication protocol several times. While the data on Rietspoof is extensive, motives and modus operandi are still unknown, as are the intended targets. And, to date, the malware-infected files are rarely being detected by most antivirus software. Our research still cannot confirm if we’ve uncovered the entire infection chain. While the malware has bot capabilities, it seems to have been primarily designed as a dropper. Additionally, the low prevalence and use of geofencing signify other possible unknowns. For instance, we may have missed other samples that are distributed only to a specific IP address range.”
Rietspoof Not Alone
Rietspoof is not the only similar piece of malware detected by security researchers. Vidar operates in a similar way to Rietspoof and is distributed via the Fallout exploit kit. What differs between Vidar and Rietspoof is that Vidar is currently available for purchase and will cost a budding cybercriminal up to 700 USD. To add to the danger, Vidar is currently being used by hackers to distribute ransomware strains such as the now infamous GandCrab. Vidar has been described by a researcher as hard to analyze, who wrote:
“It’s hard to understand if Vidar is an evolution of Arkei or a forked malware based on his code. As far as it seems, this is currently an active one and growing up. A lot of updates are pushed on it regularly, probably because this is a young (forked/copycat) malware.”
This should illustrate that both Rietspoof and Vidar are far from mature and should be a concern to the InfoSec community, as nobody knows how either may evolve. Malware which is continually updated is proving harder and harder to combat effectively; GandCrab is one example of this.