A multi-staged malware dropping multiple payloads is infecting its victims without a clear purpose and has shown a significant uptick in activity since January 2019.
Dubbed Rietspoof, the malware has bot capabilities, although Avast researchers believe it was primarily designed as a dropper, according to a Feb. 16 blog post.
The malware's developers used several valid certificates to sign related files, and the payloads went through active development; in particular, the implementation of the Stage 3 communication protocol was changed several times, the blog said.
“Rietspoof utilizes several stages, combining various file formats, to deliver a potentially more versatile malware,” researchers said. “Our data suggests that the first stage was delivered through instant messaging clients, such as Skype or Live Messenger.”
In the second stage the malware gains persistence using a technique to run an expanded Portable Executable (PE) binary after each reboot. In the third stage, the malware drops the bot payload and in the fourth stage the malware downloader will attempt "to establish an authenticated channel through NTLM protocol over TCP with its C&C whose IP address is hardcoded."
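Because the fourth stage authenticates to a hardcoded C&C over raw TCP using NTLM, one defensive check is to look for NTLMSSP handshake messages on connections whose destination port is not one where NTLM is normally carried (SMB, HTTP, RPC, WinRM). The following is an added example written for this article, not Avast's code; it assumes the C&C traffic carries standard NTLMSSP message headers (signature "NTLMSSP\0" followed by a little-endian message type), the port list is a hypothetical baseline, and the flows are constructed samples.

```python
import struct

NTLMSSP_SIGNATURE = b"NTLMSSP\x00"
# Ports where NTLMSSP is routinely seen inside legitimate protocols
# (HTTP/S, SMB, RPC, WinRM). Hypothetical baseline; tune per environment.
EXPECTED_NTLM_PORTS = {80, 443, 445, 139, 135, 5985, 5986}

def parse_ntlmssp(payload):
    """Return the NTLMSSP message type (1=Negotiate, 2=Challenge,
    3=Authenticate) if the payload contains an NTLMSSP header, else None."""
    idx = payload.find(NTLMSSP_SIGNATURE)
    if idx < 0 or len(payload) < idx + 12:
        return None
    (msg_type,) = struct.unpack_from("<I", payload, idx + 8)
    return msg_type if msg_type in (1, 2, 3) else None

def flag_suspicious_ntlm(flows):
    """flows: iterable of (src_ip, dst_ip, dst_port, first_payload_bytes).
    Returns (dst_ip, dst_port, msg_type) for NTLM handshakes on ports
    where NTLM is not expected, i.e. candidate raw-TCP C&C channels."""
    hits = []
    for _src, dst_ip, dst_port, payload in flows:
        msg_type = parse_ntlmssp(payload)
        if msg_type is not None and dst_port not in EXPECTED_NTLM_PORTS:
            hits.append((dst_ip, dst_port, msg_type))
    return hits

# Constructed sample payloads: a minimal NTLM Negotiate (type 1) message
# and a benign TLS ClientHello prefix. 198.51.100.0/24 is documentation space.
NEGOTIATE = NTLMSSP_SIGNATURE + struct.pack("<I", 1) + b"\x07\x82\x08\xe2" + b"\x00" * 16
TLS_HELLO = b"\x16\x03\x01\x00\xc8\x01\x00\x00\xc4\x03\x03"

SAMPLE_FLOWS = [
    ("10.0.0.5", "198.51.100.20", 8080, NEGOTIATE),   # NTLM on unusual port
    ("10.0.0.5", "10.0.0.10", 445, NEGOTIATE),        # NTLM inside SMB, expected
    ("10.0.0.5", "198.51.100.30", 443, TLS_HELLO),    # no NTLM at all
]

if __name__ == "__main__":
    for dst_ip, port, msg_type in flag_suspicious_ntlm(SAMPLE_FLOWS):
        print(f"NTLMSSP type {msg_type} to {dst_ip}:{port} outside expected ports")
```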
The malware also uses Visual Basic script for reading and deobfuscating embedded binaries, covers its tracks, and runs an expanded PE file after startup to ensure the executable will run if the machine is rebooted.
In addition, nearly every version of the VBS file contains a new certificate, and researchers noted the malware offers little evidence of which targets it seeks to infect. Researchers said its use of geofencing points to other possible unknowns, suggesting that there may be other samples distributed only to a specific IP address range that researchers have missed.