18 February 19, 10:06
Quote:
We’re tracking a new cyberthreat that combines file formats to create a more versatile malware.
Authored by: Luigino Camastra, Jan Širmer, Adolf Středa and Lukáš Obrdlík
Since August 2018, we have been monitoring a new malware family we’re calling Rietspoof. Rietspoof is a new multi-stage malware that exhibits some very striking features and capabilities. When we began tracking Rietspoof, it was updated about once a month. However, in January 2019, we noticed the update cadence change to daily.
Rietspoof utilizes several stages, combining various file formats, to deliver a potentially more versatile malware. Our data suggests that the first stage was delivered through instant messaging clients, such as Skype or Messenger. It delivers a highly obfuscated Visual Basic Script with a hard-coded and encrypted second stage — a CAB file. The CAB file is expanded into an executable that is digitally signed with a valid signature, mostly using Comodo CA. The .exe installs a downloader in Stage 4.
What’s interesting to note, is that the third stage uses a simple TCP protocol to communicate with its C&C, whose IP address is hardcoded in the binary. The protocol is encrypted by AES in CBC mode. In one version we observed the key being derived from the initial handshake, and in a second version it was derived from a hard-coded string. In version two, the protocol not only supports its own protocol running over TCP, but it also tries to leverage HTTP/HTTPS requests. It is uncommon to see a C&C communication protocol being modified to such an extent, given the level of effort required to change the communication protocol. While it is common to change obfuscation methods, C&C communication usually remains relatively constant in most malware.
This downloader uses a homegrown protocol to retrieve another stage (Stage 4) from a hard-coded address. While Stage 3 protocol includes bot capabilities, Stage 4 acts as a designated downloader only.
Additionally, the C&C server communicates only with IP addresses set to USA which leads us to the hypothesis that we are working with a specifically targeted attack or the attackers are using the USA IP range only for testing reasons. And, it is possible that there are more stages that haven’t been revealed yet. Here are the results of our full analysis to date.