Rietspoof malware distributes ransomware via messaging apps

A malware strain dubbed Rietspoof has been tracked by researchers at Avast since August 2018. The researchers believe that infections are on the rise and that the malware is being distributed through Skype, Facebook Messenger and other messaging apps.

The researchers describe the malware as a dropper designed to bring ransomware onto the infected device. In other words, the malware's own job is to get a foothold on the machine and fetch further payloads; it causes no other damage by itself.


Avast also noticed that between August 2018 and January 2019 the malware received few updates, whereas since January 2019 it has been updated far more often, which led the researchers to suspect that a wider campaign could be under way. Rietspoof was first spotted by Avast in summer 2018, but the version circulating this year is a more refined one, and many cybercriminals are now using it to trap unsuspecting users.

To download the ransomware, the malware first has to connect to its command-and-control (C&C) server. The server applies a geofence based on the IP address of the infected device, so the payload is only served to victims whose address falls within the regions the operators have chosen; a sandbox outside those regions receives nothing from the server and may therefore never see the final stage.

In operation, the malware moves through several file formats on its way onto the targeted machine. The initial message arrives via Facebook Messenger, Skype or a similar instant messaging platform. It then delivers a highly obfuscated Visual Basic script which carries an encrypted, hard-coded CAB (Microsoft Cabinet) file.

Image: VBS deobfuscates and drops the embedded file

That CAB file is expanded into an executable which installs the downloader, and Rietspoof itself is then in place. Its capabilities are modest: it can read and write files, start new processes and delete itself if it is detected. The CAB file is removed once the executable has been extracted from it.
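As an added triage example (this is not Avast's code and is not taken from any Rietspoof sample): the script below shows how an analyst could pull a hard-coded blob out of a dropper script, undo a simple encoding, confirm that the result is a CAB archive by its "MSCF" signature, and list the files the cabinet declares before expanding anything. The VBS text, the single-byte XOR key and the header-only cabinet are all constructed for the example; with a real sample the decoding routine has to be read out of the script itself, and the regular expression and key are assumptions, not something recovered from the malware.

```python
"""Triage helper for a script dropper that carries an embedded CAB archive.

Steps: pull the long hard-coded string out of the script, undo a simple
encoding, confirm the result is a Microsoft Cabinet file by its 'MSCF'
signature, and list the files the cabinet declares. Everything here is
example code; the VBS text, the XOR key and the cabinet are constructed.
"""
import base64
import re
import struct

CAB_MAGIC = b"MSCF"
CFHEADER_FMT = "<IIIIIBBHHHHH"                       # fields after the 4-byte signature
CFHEADER_SIZE = 4 + struct.calcsize(CFHEADER_FMT)    # 36 bytes
COMPRESSION = {0: "none", 1: "MSZIP", 2: "Quantum", 3: "LZX"}
BLOB_RE = re.compile(r'"([A-Za-z0-9+/=]{64,})"')     # assumed shape of the embedded blob


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; stands in for whatever routine a real script uses."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def read_cstring(data: bytes, pos: int):
    """Read a NUL-terminated string at pos; return (text, position after the NUL)."""
    end = data.index(b"\x00", pos)
    return data[pos:end].decode("latin-1"), end + 1


def is_cab(data: bytes) -> bool:
    return len(data) >= CFHEADER_SIZE and data[:4] == CAB_MAGIC


def parse_cab(data: bytes) -> dict:
    """Parse CFHEADER, CFFOLDER and CFFILE entries (no CFDATA decompression)."""
    if not is_cab(data):
        raise ValueError("not a CAB archive: missing MSCF signature")
    (_res1, cb_cabinet, _res2, coff_files, _res3, ver_minor, ver_major,
     c_folders, c_files, flags, _set_id, _i_cabinet) = struct.unpack_from(CFHEADER_FMT, data, 4)
    pos = CFHEADER_SIZE
    cb_folder_reserve = 0
    if flags & 0x0004:                       # cfhdrRESERVE_PRESENT: optional reserve area
        cb_header_reserve, cb_folder_reserve, _cb_data_reserve = struct.unpack_from("<HBB", data, pos)
        pos += 4 + cb_header_reserve
    if flags & 0x0001:                       # cfhdrPREV_CABINET: two NUL-terminated strings
        _, pos = read_cstring(data, pos)
        _, pos = read_cstring(data, pos)
    if flags & 0x0002:                       # cfhdrNEXT_CABINET: two NUL-terminated strings
        _, pos = read_cstring(data, pos)
        _, pos = read_cstring(data, pos)
    folders = []
    for _ in range(c_folders):
        _coff_cab_start, _c_cfdata, type_compress = struct.unpack_from("<IHH", data, pos)
        folders.append(COMPRESSION.get(type_compress & 0x000F, "unknown"))
        pos += 8 + cb_folder_reserve
    files = []
    pos = coff_files                         # absolute offset of the first CFFILE entry
    for _ in range(c_files):
        cb_file, _uoff, i_folder, _date, _time, _attribs = struct.unpack_from("<IIHHHH", data, pos)
        name, pos = read_cstring(data, pos + 16)
        files.append({"name": name, "size": cb_file, "folder": i_folder})
    return {"version": f"{ver_major}.{ver_minor}", "cabinet_size": cb_cabinet,
            "folders": folders, "files": files}


def extract_blob(script_text: str) -> str:
    """Take the longest quoted base64-looking string as the embedded payload."""
    candidates = BLOB_RE.findall(script_text)
    if not candidates:
        raise ValueError("no long quoted base64-looking string found in script")
    return max(candidates, key=len)


def triage(script_text: str, key: bytes) -> dict:
    """Decode the embedded blob and describe the cabinet without expanding it."""
    raw = xor_bytes(base64.b64decode(extract_blob(script_text)), key)
    if not is_cab(raw):
        raise ValueError("decoded blob is not a CAB archive (wrong key or other format)")
    return parse_cab(raw)


def build_sample_cab(entries) -> bytes:
    """Constructed header-only cabinet: one uncompressed folder, no CFDATA blocks."""
    folders = struct.pack("<IHH", 0, 0, 0)
    files = b"".join(struct.pack("<IIHHHH", size, 0, 0, 0, 0, 0x20) + name.encode() + b"\x00"
                     for name, size in entries)
    coff_files = CFHEADER_SIZE + len(folders)
    total = coff_files + len(files)
    header = CAB_MAGIC + struct.pack(CFHEADER_FMT, 0, total, 0, coff_files, 0,
                                     3, 1, 1, len(entries), 0, 0x1234, 0)
    return header + folders + files


KEY = b"\x5a"    # hypothetical key; with a real sample, read it out of the script's decode loop
SAMPLE_SCRIPT = (
    "' constructed stand-in for an obfuscated VBS dropper, not a real sample\n"
    "Dim a, b\n"
    'a = "' + base64.b64encode(xor_bytes(build_sample_cab([("dropper.exe", 48128)]), KEY)).decode() + '"\n'
    'b = "not the payload"\n'
)

if __name__ == "__main__":
    print(triage(SAMPLE_SCRIPT, KEY))
```

Because the decoded bytes are checked for the MSCF signature before any parsing, a wrong key or a blob that is actually a different container fails early instead of producing garbage file names; the parser also honours the header reserve and prev/next cabinet flags so it does not misread folder entries in cabinets that set them.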


Avast researchers could not identify the operators behind the malware or its intended targets, but they note that the samples go either undetected or ignored by most antivirus products. Having examined many samples, they found variations in the communication protocol; in particular, the C&C server can issue six different commands to Rietspoof.

Image: Rietspoof samples on VirusTotal

This, however, is not the first time that Facebook Messenger or Skype have been used to spread malware. Previously, the Eko malware targeted Facebook users after spreading through Facebook Messenger, and the “Evil Skype” malware kit “Su-A-Cyder” was found targeting Apple users.

If you use Facebook Messenger or Skype, watch out for Rietspoof: refrain from clicking unknown links in chat, be especially wary of script files or archives sent to you by contacts, and scan your computer with reputable antivirus software. Stay safe online!

