Antihack Blog

Multi-Stage Rietspoof Malware Drops Multiple Malicious Payloads

14 Mar 2019

Rietspoof is a new malware family which uses a multi-stage delivery system, is designed to drop multiple payloads on the systems it infects, and offers very little to no information on what audience it targets.

Avast's Threat Intelligence Team first encounter with Rietspoof took place in the summer of 2018, during August, and while the researchers have been keeping an eye on it since then, there's a lot to be discovered when it comes to its exact infection chain.

What's known at the moment is that the malware uses multiple stages to compromise its targets, each of them having very particular capabilities, with one acting as a bot that "can download/upload files, start processes, or initiate a self-destruct function," and another behaving like a run-of-the-mill downloader.

Also, while Rietspoof's authors were updating the malware roughly once a month, starting with January 2019 the development speed has really picked up, reaching a daily schedule.

MalwareHunterTeam shared a full analysis of a RietSpoof sample (VirusTotal analysis) caught in the wild, conducted using the automated Hybrid Analysis online platform, while another security researcher linked an analysis of the malware's dropper carried out using the SEKOIA Dropper Analysis online service (VirusTotal analysis).

According to Avast's Luigino Camastra, Jan Širmer, Adolf St?eda and Lukáš Obrdlík:

Our data suggests that the first stage was delivered through instant messaging clients, such as Skype or Messenger. It delivers a highly obfuscated Visual Basic Script with a hard-coded and encrypted second stage  — a CAB file. The CAB file is expanded into an executable that is digitally signed with a valid signature, mostly using Comodo CA. The .exe installs a downloader in Stage 4.

However, before reaching the third and fourth stage, Rietspoof will gain persistence using a technique added to the malware starting with January 22, adding a WindowsUpdate.lnk to the Windows startup folder which will run an expanded Portable Executable (PE) binary after each reboot.

Rietspoof's third stage is the one which will drop the bot payload that can be used by the malware's authors to start processes on the compromised machines, download and upload files, as well as send self-destruct commands.

Adding persistence
While the bot payload doesn't come with any out of the ordinary capabilities, the command-and-control (C&C) server it connects to comes with a more unusual feature as detailed by Avast's analysis:

The C&C server also seems to have implemented basic geofencing based on IP address. We didn’t receive any “interesting” commands when we tried to communicate with it from our lab network; however, when we virtually moved our fake client to the USA, we received a command containing the next stage.

The third infection stage of Rietspoof has yet another particularity: the malware authors are continuously updating and they also seem to have multiple versions running "in production," with communication obfuscation capabilities being added and then removed, and the bot using at least two versions of C&C communication protocols according to Avast's findings.

Going back to Rietspoof 's multi-stage infection method, the fourth and the last stage will act as a malware downloader  and will attempt to "to establish an authenticated channel through NTLM protocol over TCP with its C&C whose IP address is hardcoded."

Once the downloader manages to establish a connection to a C&C server, it will either try to grab the final payload or yet another malware stage.

At this moment, Rietspoof's end goal, targets, and exact infection chain are not yet known, but something is obvious: the threat actors behind this malware are accelerating its development and deployment speed, adding new features and updating/improving the ones already in each day.

Sourced from: Bleeping Computer

Share this link: