Rietspoof malware (Virus Removal Guide) - Free Instructions

by Julie Splinters - - 2019-02-26 | Type: Malware

Rietspoof malware Removal Guide

Description Quick solution Instructions Prevention

What is Rietspoof malware?

Rietspoof is a sophisticated malware family that uses multi-stage infection technique and uploads several malicious payloads on the infected system

Rietspoof malware Rietspoof is a new malware strain that uses sophisticated multi-stage infection

Rietspoof malware is a reasonably new malware family that was first spotted by security firm Avast back in August 2018 but kept a relatively low profile until early 2019, when researchers noticed daily updates being applied to the threat.^[1] The virus uses a four-stage infection technique swapping between multiple file formats, and is known to be spread via communication applications such as Skype or Live Messenger. Once inside the system, Rietspoof malware gains persistence using sophisticated methods, connects to a remote Command & Control^[2] server, and uploads multiple malware strains, depending on which inputs it receives from hackers.

Name	Rietspoof
Type	Malware dropper, trojan
First spotted	August 2018
Related files	Windows SATA Device Manager, iSatSrv.exe,
Main functionality	Takes control over the system, downloads and installs other malware
Infiltration	Messaging apps
Elimination	Scan your computer with security software that can recognize the virus^[3]
Recovery	Use FortectIntego to recover from virus damage

As soon as a malicious payload is launched, Rietspoof virus begins the first stage of infection by downloading a Visual Basic Script (.vbs) which is obfuscated. The module includes a hard-coded and encrypted .cab file turns into an executable file which is digitally signed by Comodo CA.

Before proceeding to the last two stages, Rietspoof malware will ensure persistence by injecting a WindowsUpdate.lnk into the Windows startup folder, consequently reducing the detection rate of anti-malware software. Due to this functionality, users might not only struggle with Rietspoof malware removal but also its detection in the first place.

The third stage of Rietspoof infection will download and install a module that allows hackers to download and upload files, start or shut down processes on the host machine or use a self-destruct feature if needed. At this stage, malware connects to a C2 server which interacts with the device based on its location.

Researchers noted that in some cases Rietspoof does nothing at stage three, although it proceeded to stage four as soon as they swapped the virtual machines' IP to a location in the USA:

The C&C server also seems to have implemented basic geofencing based on IP address. We didn’t receive any “interesting” commands when we tried to communicate with it from our lab network; however, when we virtually moved our fake client to the USA, we received a command containing the next stage.

Rietspoof malware will then start the last stage which enables it acting as a malware downloader/dropper. Finally, the mentioned changes to the host machine can create a particularly dangerous situation to the user: Rietspoof virus will not show any signs or symptoms of infections and will operate in the background.

Therefore, it is important to have comprehensive security application installed at all times. After you remove Rietspoof malware from your device, scan it with FortectIntego to recover from the infection damage.

As mentioned by security experts who examined malware sample, the sophisticated threat like Rietspoof should not be ignored, as, looking at the intensive update procedures by authors, it is highly likely to be advanced even further in the near future.

Rietspoof malware is particularly dangerous cyber threat that does not emit any symptoms on the host machine

Bad actors often use communication apps to spread malware

Researchers believe that the threat is distributed via communication apps like Skype or Messenger. Nevertheless, it does not mean that criminals do not use other popular malware distribution methods, such as:

Malicious spam email attachments or hyperlinks;
Exploit kits;
Brute-force attacks;
Malvertising;
Phishing websites;
Fake updates, etc.

To avoid malware infections, you should be extremely attentive while using a computer which is connected to the internet (nowadays it is mostly all devices). It is vital to install and keep a security application at all times, and also use such protection tools like Firewall, ad-blocker, VPN, etc.

Additionally, updating your software and the operating system will save you from exploits that can be employed with the help of software vulnerabilities. Finally, do not open any executables that seem suspicious, downloaded from third-party or torrent sites.

Speaking of messaging apps again, be aware that suspicious links that are linked by unknown users are not the only source of malware. In case a user who is on your friend list got infected with a virus, it might be able to use his or her messaging apps to spread malicious links even further. Thus, before opening a single link (even if it comes from somebody you know) make sure the authors intended to send it to you. Also, you can use tools like Virus Total to scan suspicious URLs.

Remove Rietspoof malware from your computer with the help of reputable security software

As we mentioned above, Rietspoof virus might be difficult to detect due to its sophisticated obfuscation techniques. Nevertheless, reputable anti-malware software should be able to remove Rietspoof malware from your device. Before you attempt to do so, enter Safe Mode with Networking, as this is a safe environment where virus functionality should be temporarily disabled. You will find the instructions below the article.

Once Rietspoof malware removal is complete, you should take care of recovery. Don't forget that the threat can download and install all sorts of malware, so the effect on the operating system might be devastating. To fix the damage done by the virus, scan your PC with FortectIntego.

Offer

do it now!

Download
Fortect Happiness
Guarantee Download
Intego Happiness
Guarantee

Compatible with Microsoft Windows Compatible with macOS

What to do if failed?
If you failed to fix virus damage using Fortect Intego, submit a question to our support team and provide as much details as possible.

Fortect Intego has a free limited scanner. Fortect Intego offers more through scan when you purchase its full version. When free scanner detects issues, you can fix them using free manual repairs or you can decide to purchase the full version in order to fix them automatically.

Fortect review | Terms of Use | Privacy policy | Refund Policy | Uninstall guide

Alternative Software

Different software has a different purpose. If you didn’t succeed in fixing corrupted files with Fortect, try running SpyHunter 5.

Download SpyHunter 5 Review »

Malwarebytes

Alternative Software

Different software has a different purpose. If you didn’t succeed in fixing corrupted files with Intego, try running Combo Cleaner.

Download Combo Cleaner Review »

Getting rid of Rietspoof malware. Follow these steps

Manual removal using Safe Mode

To remove Rietspoof malware from your computer safely, enter Safe Mode with Networking as explained below:

Important! →
Manual removal guide might be too complicated for regular computer users. It requires advanced IT knowledge to be performed correctly (if vital system files are removed or damaged, it might result in full Windows compromise), and it also might take hours to complete. Therefore, we highly advise using the automatic method provided above instead.

Step 1. Access Safe Mode with Networking

Manual malware removal should be best performed in the Safe Mode environment.

Windows 7 / Vista / XP

Click Start > Shutdown > Restart > OK.
When your computer becomes active, start pressing F8 button (if that does not work, try F2, F12, Del, etc. – it all depends on your motherboard model) multiple times until you see the Advanced Boot Options window.
Select Safe Mode with Networking from the list.

Windows 10 / Windows 8

Right-click on Start button and select Settings.
Scroll down to pick Update & Security.
On the left side of the window, pick Recovery.
Now scroll down to find Advanced Startup section.
Click Restart now.
Select Troubleshoot.
Go to Advanced options.
Select Startup Settings.
Press Restart.
Now press 5 or click 5) Enable Safe Mode with Networking.

Step 2. Shut down suspicious processes

Windows Task Manager is a useful tool that shows all the processes running in the background. If malware is running a process, you need to shut it down:

Press Ctrl + Shift + Esc on your keyboard to open Windows Task Manager.
Click on More details.
Scroll down to Background processes section, and look for anything suspicious.
Right-click and select Open file location.
Go back to the process, right-click and pick End Task.
Delete the contents of the malicious folder.

Step 3. Check program Startup

Press Ctrl + Shift + Esc on your keyboard to open Windows Task Manager.
Go to Startup tab.
Right-click on the suspicious program and pick Disable.

Step 4. Delete virus files

Malware-related files can be found in various places within your computer. Here are instructions that could help you find them:

Type in Disk Cleanup in Windows search and press Enter.
Select the drive you want to clean (C: is your main drive by default and is likely to be the one that has malicious files in).
Scroll through the Files to delete list and select the following:

Temporary Internet Files
Downloads
Recycle Bin
Temporary files
Pick Clean up system files.
You can also look for other malicious files hidden in the following folders (type these entries in Windows Search and press Enter):

%AppData%
%LocalAppData%
%ProgramData%
%WinDir%

After you are finished, reboot the PC in normal mode.

Remove Rietspoof malware using System Restore

Use System Restore to stop malware:

Step 1: Reboot your computer to Safe Mode with Command Prompt
Windows 7 / Vista / XP
1. Click Start → Shutdown → Restart → OK.
2. When your computer becomes active, start pressing F8 multiple times until you see the Advanced Boot Options window.
3. Select Command Prompt from the list
Windows 10 / Windows 8
1. Press the Power button at the Windows login screen. Now press and hold Shift, which is on your keyboard, and click Restart..
2. Now select Troubleshoot → Advanced options → Startup Settings and finally press Restart.
3. Once your computer becomes active, select Enable Safe Mode with Command Prompt in Startup Settings window.
Step 2: Restore your system files and settings
1. Once the Command Prompt window shows up, enter cd restore and click Enter.
2. Now type rstrui.exe and press Enter again..
3. When a new window shows up, click Next and select your restore point that is prior the infiltration of Rietspoof malware. After doing that, click Next.
4. Now click Yes to start system restore.
Once you restore your system to a previous date, download and scan your computer with FortectIntego and make sure that Rietspoof malware removal is performed successfully.

Finally, you should always think about the protection of crypto-ransomwares. In order to protect your computer from Rietspoof malware and other ransomwares, use a reputable anti-spyware, such as FortectIntego, SpyHunter 5Combo Cleaner or Malwarebytes

How to prevent from getting malware

Access your website securely from any location

When you work on the domain, site, blog, or different project that requires constant management, content creation, or coding, you may need to connect to the server and content management service more often. The best solution for creating a tighter network could be a dedicated/fixed IP address.

If you make your IP address static and set to your device, you can connect to the CMS from any location and do not create any additional issues for the server or network manager that needs to monitor connections and activities. VPN software providers like Private Internet Access can help you with such settings and offer the option to control the online reputation and manage projects easily from any part of the world.

Recover files after data-affecting malware attacks

While much of the data can be accidentally deleted due to various reasons, malware is one of the main culprits that can cause loss of pictures, documents, videos, and other important files. More serious malware infections lead to significant data loss when your documents, system files, and images get encrypted. In particular, ransomware is is a type of malware that focuses on such functions, so your files become useless without an ability to access them.

Even though there is little to no possibility to recover after file-locking threats, some applications have features for data recovery in the system. In some cases, Data Recovery Pro can also help to recover at least some portion of your data after data-locking virus infection or general cyber infection.

About the author

Julie Splinters - Anti-malware specialist

If this free guide helped you and you are satisfied with our service, please consider making a donation to keep this service alive. Even a smallest amount will be appreciated.

Contact Julie Splinters
About the company Esolutions

References

^ Luigino Camastra, Jan Širmer, Adolf Středa and Lukáš Obrdlík. Spoofing in the reeds with Rietspoof. Avast. Security blog.
^ Command and control. Wikipedia. The Free Encyclopedia.
^ f5c4782591675cd51ac3cdfd1bc719d576b7b98d529cf281b706d94fd1916c96. Virus Total. File and URL analyzer.