Jan Sirmer (Avast Software)
Luigino Camastra (Avast software)
Adolf Středa (Avast software)
Since August 2018, we have been monitoring a new malware family, which we have named Rietspoof. Rietspoof is a new multi-stage malware that utilises different file types throughout its infection chain. It contains several types of stages - both extractors and downloaders; the third stage also contains support for remote-control commands. When we began tracking Rietspoof, it was updated approximately once a month. However, in January 2019, we noticed that the update cadence increased to daily updates.
We will share a detailed analysis of each stage, starting from the initial Microsoft Word document, serving as stage one. This stage is followed by a rather interestingly built and obfuscated Visual Basic Script leading to executable files serving as both bots and downloaders. We will describe all relevant parts of the Visual Basic Script, ranging from unusual anti-behaviour detections tricks used in the VBS to the function which led us to the next stage, which is a CAB file dropped from the VBS.
The third stage is an executable file expanded from the CAB file. This executable file is digitally signed by a valid certificate, mostly using Comodo CA. At the end of February, we found samples with different behaviour, where a new VBS file with bot capabilities was dropped from the CAB file. The third stage serves as a bot that also supports a downloader functionality. During our investigation, we noticed that the malware author was constantly modifying all the stages. We distilled these changes into a detailed timeline, where we can observe a lot of changes in the whole concept of this malware family, ranging from a reworked C&C communication to a completely rewritten second stage.
In the fourth stage, the malware author used an interesting dropper technique to deploy fileless malware downloaded from the C&C server. The fourth stage utilised the NTLM protocol to provide authentication and encryption of its communication with the C&C server.
It is not common to see a C&C communication protocol being modified to such an extent, given the level of effort required to change the communication protocol. Similarly, we rarely see a feature regression in the malware - we observed that the obfuscation of strings was removed in later versions of the third stage. Again, we will look at these changes in detail along with the underlying protocols.
Although we are monitoring Rietspoof very carefully, our hypothesis is that its authors are still developing this malware and because of this, we only have testing samples.
Jan Sirmer is a malware analysis team lead at Avast. His main specialization is analysing malicious Java threats, Android applications and exploits, macro viruses, web-based malware and other non-executable malware. During the course of his career, Jan has authored blog posts about phishing threats, malicious web exploits and Android threats. In the past, he has presented his research at AVAR, Botconf, FIRST, RSA, Virus Bulletin and WebExpo.
Luigino Camastra is a malware researcher at Avast. His main specialization is the reverse engineering of PE files, identifying malware families, and writing detection rules. He is mainly interested in researching new malware families. Currently, he is a Master's degree student at the Faculty of Information Technology at Czech Technical University with a specialization in IT security. So far, he has presented his research at APWG.
Adolf Středa is a reverse engineer at Avast. He specializes in botnets, more specifically botnet communication analysis and information extraction. He is also a Ph.D. student at the Faculty of Mathematics and Physics of the Charles University in Prague, Czech Republic, specializing in cryptography. So far, he has presented his research at SantaCrypt, AVAR, Botconf and Virus Bulletin.
Nacho Sanmillan (Intezer)
Righard Zwienenberg (ESET)
Eddy Willems (G DATA)
Daniel Lunghi (Trend Micro)
Jaromir Horejsi (Trend Micro)