Rietspoof is a new malware family which uses a multi-stage delivery system to drop multiple payloads on the systems it infects. However, the targets of this malware are still unknown. The delivery system involves the malware acting as a bot that “can download/upload files, start processes, or initiate a self-destruct function,” as well as behaving like a run-of-the-mill downloader.
The first stage of this malware was delivered through instant messaging clients, such as Skype or Messenger. It delivers a highly obfuscated Visual Basic Script with a hard-coded and encrypted second stage — a CAB file. The CAB file is expanded into an executable that is digitally signed with a valid signature, mostly using Comodo CA. The .exe installs a downloader in Stage 4.
The latest innovation in the malware allows it to acquire persistence by adding WindowsUpdate.lnk to the Windows startup folder, which runs an expanded Portable Executable (PE) binary after each reboot.
Rietspoof’s third stage is the one which will drop the bot payload that can be used by the malware’s authors to start processes on the compromised machines, download and upload files, as well as send self-destruct commands.
Indicators of Compromise
IP(s) / Hostname(s):
Windows SATA Device Manager
Malware Hash (MD5/SHA1/SHA256):
90813ad836effce0e21843c7db025d56bf1d204af25746578800f09a049ac008
f5c4782591675cd51ac3cdfd1bc719d576b7b98d529cf281b706d94fd1916c96
Block the threat indicators at their respective controls.
Closely monitor all communication associated with the ports mentioned above.
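As an added example (not part of the advisory), a PowerShell hunt for the persistence artifact described above: it enumerates shortcuts in the per-user and all-users Startup folders, resolves their targets, hashes them, and flags either a WindowsUpdate.lnk name or a target whose SHA256 appears in the IoC list. The two hash values are the advisory's; the script itself and its output fields are assumptions.

```powershell
# Added example, not part of the advisory: hunt for the Rietspoof persistence
# artifact (WindowsUpdate.lnk in a Startup folder) and compare the shortcut
# targets' SHA256 hashes with the advisory's indicators.

# SHA256 values taken from the advisory's IoC list.
$KnownBad = @(
    '90813ad836effce0e21843c7db025d56bf1d204af25746578800f09a049ac008',
    'f5c4782591675cd51ac3cdfd1bc719d576b7b98d529cf281b706d94fd1916c96'
)

# Per-user and all-users Startup folders; their contents run at every logon.
$StartupDirs = @(
    [Environment]::GetFolderPath('Startup'),
    [Environment]::GetFolderPath('CommonStartup')
)

$Shell = New-Object -ComObject WScript.Shell
$Findings = foreach ($dir in $StartupDirs) {
    if (-not (Test-Path -LiteralPath $dir)) { continue }
    foreach ($lnk in Get-ChildItem -LiteralPath $dir -Filter '*.lnk' -File -ErrorAction SilentlyContinue) {
        # Resolve the shortcut target; the .lnk itself is only the launcher.
        $target = $Shell.CreateShortcut($lnk.FullName).TargetPath
        $hash = $null
        if ($target -and (Test-Path -LiteralPath $target)) {
            $hash = (Get-FileHash -LiteralPath $target -Algorithm SHA256).Hash.ToLower()
        }
        [PSCustomObject]@{
            Shortcut  = $lnk.FullName
            Target    = $target
            SHA256    = $hash
            # A name match alone is a weak signal; a hash match is a strong one.
            NameMatch = ($lnk.Name -ieq 'WindowsUpdate.lnk')
            HashMatch = [bool]($hash -and ($KnownBad -contains $hash))
        }
    }
}

$Findings | Format-Table -AutoSize
$Suspicious = @($Findings | Where-Object { $_.NameMatch -or $_.HashMatch })
if ($Suspicious.Count -gt 0) {
    Write-Warning "Review the flagged Startup shortcuts above (name or hash match)."
}
```

A shortcut whose target has already been deleted still shows up with an empty SHA256 column, which is itself worth a look during triage.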