Rewterz Threat Alert – Multi-Stage Rietspoof Malware Drops Multiple Malicious Payloads

Severity: HIGH

Analysis Summary:

Rietspoof is a new malware family which uses a multi-stage delivery system to drop multiple payloads on the systems it infects. However, the targets of this malware are still unknown. The delivery system involves the malware acting as a bot that “can download/upload files, start processes, or initiate a self-destruct function,” as well as behaving like a run-of-the-mill downloader.

The first stage of this malware was delivered through instant messaging clients, such as Skype or Messenger. It delivers a highly obfuscated Visual Basic Script with a hard-coded and encrypted second stage — a CAB file. The CAB file is expanded into an executable that is digitally signed with a valid signature, mostly using Comodo CA. The .exe installs a downloader in Stage 4.

A latest innovation in the malware allows it to acquire persistence by adding WindowsUpdate.lnk to the Windows startup folder which will run an expanded Portable Executable (PE) binary after each reboot.

Rietspoof’s third stage is the one which will drop the bot payload that can be used by the malware’s authors to start processes on the compromised machines, download and upload files, as well as send self-destruct commands.

Impact

• Running of shell commands or applications
• Malware Infection
• System Access
• File Deletion
• Data manipulation

Indicators of Compromise

IP(s) / Hostname(s)

ocsp[.]sectigo[.]com

192[.]241[.]217[.]57

Ports

80

49194

49201

49203

49195

Filename

EmergencyExitMap.doc

Windows SATA Device Manager

wscript.exe

emplate.vbs

isatsrv.exe

Extension

.exe

.tmp

.sample

.vbs

Malware Hash (MD5/SHA1/SH256) 90813ad836effce0e21843c7db025d56bf1d204af25746578800f09a049ac008 f5c4782591675cd51ac3cdfd1bc719d576b7b98d529cf281b706d94fd1916c96

Remediation

Block the threat indicators at their respective controls.

Closely monitor all communication associated with the ports mentioned above.