Rietspoof is a sophisticated malware family that uses multi-stage infection technique and uploads several malicious payloads on the infected system

Rietspoof malware is a reasonably new malware family that was first spotted by security firm Avast back in August 2018 but kept a relatively low profile until early 2019, when researchers noticed daily updates being applied to the threat.[1] The virus uses a four-stage infection technique swapping between multiple file formats, and is known to be spread via communication applications such as Skype or Live Messenger. Once inside the system, Rietspoof malware gains persistence using sophisticated methods, connects to a remote Command & Control[2] server, and uploads multiple malware strains, depending on which inputs it receives from hackers.
| Name | Rietspoof |
| Type | Malware dropper, trojan |
| First spotted | August 2018 |
| Related files | Windows SATA Device Manager, iSatSrv.exe, |
| Main functionality | Takes control over the system, downloads and installs other malware |
| Infiltration | Messaging apps |
| Elimination | Scan your computer with security software that can recognize the virus[3] |
| Recovery | Use FortectIntego to recover from virus damage |
As soon as a malicious payload is launched, Rietspoof virus begins the first stage of infection by downloading a Visual Basic Script (.vbs) which is obfuscated. The module includes a hard-coded and encrypted .cab file turns into an executable file which is digitally signed by Comodo CA.
Before proceeding to the last two stages, Rietspoof malware will ensure persistence by injecting a WindowsUpdate.lnk into the Windows startup folder, consequently reducing the detection rate of anti-malware software. Due to this functionality, users might not only struggle with Rietspoof malware removal but also its detection in the first place.
The third stage of Rietspoof infection will download and install a module that allows hackers to download and upload files, start or shut down processes on the host machine or use a self-destruct feature if needed. At this stage, malware connects to a C2 server which interacts with the device based on its location.
Researchers noted that in some cases Rietspoof does nothing at stage three, although it proceeded to stage four as soon as they swapped the virtual machines' IP to a location in the USA:
The C&C server also seems to have implemented basic geofencing based on IP address. We didn’t receive any “interesting” commands when we tried to communicate with it from our lab network; however, when we virtually moved our fake client to the USA, we received a command containing the next stage.
Rietspoof malware will then start the last stage which enables it acting as a malware downloader/dropper. Finally, the mentioned changes to the host machine can create a particularly dangerous situation to the user: Rietspoof virus will not show any signs or symptoms of infections and will operate in the background.
Therefore, it is important to have comprehensive security application installed at all times. After you remove Rietspoof malware from your device, scan it with FortectIntego to recover from the infection damage.
As mentioned by security experts who examined malware sample, the sophisticated threat like Rietspoof should not be ignored, as, looking at the intensive update procedures by authors, it is highly likely to be advanced even further in the near future.

Bad actors often use communication apps to spread malware
Researchers believe that the threat is distributed via communication apps like Skype or Messenger. Nevertheless, it does not mean that criminals do not use other popular malware distribution methods, such as:
- Malicious spam email attachments or hyperlinks;
- Exploit kits;
- Brute-force attacks;
- Malvertising;
- Phishing websites;
- Fake updates, etc.
To avoid malware infections, you should be extremely attentive while using a computer which is connected to the internet (nowadays it is mostly all devices). It is vital to install and keep a security application at all times, and also use such protection tools like Firewall, ad-blocker, VPN, etc.
Additionally, updating your software and the operating system will save you from exploits that can be employed with the help of software vulnerabilities. Finally, do not open any executables that seem suspicious, downloaded from third-party or torrent sites.
Speaking of messaging apps again, be aware that suspicious links that are linked by unknown users are not the only source of malware. In case a user who is on your friend list got infected with a virus, it might be able to use his or her messaging apps to spread malicious links even further. Thus, before opening a single link (even if it comes from somebody you know) make sure the authors intended to send it to you. Also, you can use tools like Virus Total to scan suspicious URLs.
Remove Rietspoof malware from your computer with the help of reputable security software
As we mentioned above, Rietspoof virus might be difficult to detect due to its sophisticated obfuscation techniques. Nevertheless, reputable anti-malware software should be able to remove Rietspoof malware from your device. Before you attempt to do so, enter Safe Mode with Networking, as this is a safe environment where virus functionality should be temporarily disabled. You will find the instructions below the article.
Once Rietspoof malware removal is complete, you should take care of recovery. Don't forget that the threat can download and install all sorts of malware, so the effect on the operating system might be devastating. To fix the damage done by the virus, scan your PC with FortectIntego.
Was this guide helpful?
Be the first to comment