This multi-stage malware could infect your device

Reports of attacks by this ‘multi-stage’ software, named Rietspoof, have increased in number since January 2019.

Published: 22nd February 2019 10:34 AM  |   Last Updated: 22nd February 2019 10:34 AM

By Express News Service

HYDERABAD: Security researchers have discovered a new malware that can drop more than a single payload, infect devices, and successfully bypass most antivirus software. Reports of attacks by this ‘multi-stage’ software, named Rietspoof, have increased in number since January 2019.

Rietspoof was discovered by researchers at Avast. The researchers note that it “…utilises several stages, combining various file formats, to deliver a potentially more versatile malware.” They also noted that, although the malware is capable of operating as a bot, it was primarily designed to run as a dropper. A malicious bot is self-propagating malware that takes commands from its operator, whereas a dropper is malware whose job is to install further malware.

Researchers found that in the first stage of the attack, the malware was delivered through Skype or Live Messenger. The file is written in Visual Basic Script, a scripting language developed by Microsoft. In the second stage, it produces a CAB file, which is hard-coded into the script and encrypted. A CAB file is a Windows Cabinet file, an archive format normally used to store installation data.

In the third stage, the CAB file yields an executable (.exe extension) file, which in the fourth stage installs a downloader. Throughout these four stages, the malware reports back to the attacker who deployed it, so that they can monitor its progress.

The report says that the malware uses a simple TCP-based protocol (TCP being the standard method for establishing network connections) to communicate with a command-and-control server. A C&C server is a computer controlled by an attacker which is used to send commands to compromised systems. The report said, “While the data on Rietspoof is extensive, motives and modus operandi are still unknown. The malware-infected files are rarely being detected by most antivirus software.”
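The chain described above (a script that carries an embedded CAB, which yields an executable, which fetches a downloader) leaves behind artefacts in several file formats, and an analyst triaging a compromised machine needs to tell them apart quickly. The following is an added, defender-side example written for this page; it is not Avast's code or anything from the report. It identifies a recovered blob as a VBS script, a Microsoft Cabinet file or a PE executable by its file signature, and parses the CAB header (CFHEADER) fields so that the cabinet's declared size and file-table offset can be sanity-checked before anything is extracted. The VBS marker list is a constructed heuristic, and all sample inputs are constructed inline.

```python
"""Stage-artefact triage for a multi-stage dropper chain (VBS -> CAB -> PE).

Added example for this article, not Avast's or the report's code. Sample blobs
below are constructed, not taken from any real sample.
"""
import struct

# CFHEADER (Microsoft Cabinet header), little-endian, 36 bytes:
# signature, reserved1, cbCabinet, reserved2, coffFiles, reserved3,
# versionMinor, versionMajor, cFolders, cFiles, flags, setID, iCabinet
CFHEADER = struct.Struct("<4sIIIIIBBHHHHH")

# Constructed heuristic: strings commonly seen in VBS droppers (assumption).
VBS_MARKERS = (b"createobject(", b"wscript.", b"execute(", b"chr(")


def parse_cab_header(data: bytes) -> dict:
    """Parse a CFHEADER; raise ValueError if the blob is not a plausible cabinet."""
    if len(data) < CFHEADER.size:
        raise ValueError("too short for a CFHEADER")
    (sig, _r1, cb_cabinet, _r2, coff_files, _r3, ver_minor, ver_major,
     c_folders, c_files, flags, set_id, i_cabinet) = CFHEADER.unpack_from(data)
    if sig != b"MSCF":
        raise ValueError("missing MSCF signature")
    # Sanity checks before trusting the header: the declared cabinet size must
    # cover the header itself, and the CFFILE table must lie inside the cabinet.
    if cb_cabinet < CFHEADER.size or coff_files < CFHEADER.size or coff_files > cb_cabinet:
        raise ValueError("inconsistent cabinet size / CFFILE offset")
    return {
        "version": f"{ver_major}.{ver_minor}",
        "cabinet_size": cb_cabinet,
        "first_file_offset": coff_files,
        "folders": c_folders,
        "files": c_files,
        "flags": flags,
        "set_id": set_id,
        "cabinet_index": i_cabinet,
        # A mismatch means the blob was truncated or has trailing data appended.
        "declared_size_matches": cb_cabinet == len(data),
    }


def _looks_like_text(data: bytes) -> bool:
    """True if every byte is printable ASCII or ordinary whitespace."""
    return all(32 <= b < 127 or b in (9, 10, 13) for b in data)


def classify_stage(data: bytes) -> dict:
    """Say which stage artefact a blob looks like, by signature rather than by name."""
    if data[:4] == b"MSCF":
        try:
            return {"kind": "cab", "cab": parse_cab_header(data)}
        except ValueError as exc:
            return {"kind": "cab-malformed", "reason": str(exc)}
    if data[:2] == b"MZ":
        # PE layout: the DWORD at 0x3C (e_lfanew) points at the "PE\0\0" signature.
        if len(data) >= 0x40:
            e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
            if data[e_lfanew:e_lfanew + 4] == b"PE\0\0":
                return {"kind": "pe"}
        return {"kind": "mz-without-pe-header"}
    if not _looks_like_text(data):
        return {"kind": "unknown-binary"}
    lowered = data.lower()
    hits = [m.decode() for m in VBS_MARKERS if m in lowered]
    if hits:
        return {"kind": "vbs", "markers": hits}
    return {"kind": "unknown-text"}


# Constructed samples (not real malware): a 100-byte cabinet whose header
# declares 2 files in 1 folder, a minimal MZ/PE stub, and a one-line VBS snippet.
SAMPLE_CAB = CFHEADER.pack(b"MSCF", 0, 100, 0, 60, 0, 3, 1, 1, 2, 0, 0x1234, 0) + b"\0" * 64
SAMPLE_PE = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40) + b"PE\0\0"
SAMPLE_VBS = b'Set o = CreateObject("WScript.Shell")\r\n'

if __name__ == "__main__":
    for name, blob in (("cab", SAMPLE_CAB), ("pe", SAMPLE_PE), ("vbs", SAMPLE_VBS)):
        print(name, "->", classify_stage(blob))
```

Run it as a script to see the three constructed samples classified; in practice `classify_stage` would be applied to each blob carved out of a quarantined script or memory dump. Checking the CAB header's declared size and CFFILE offset against the blob length is the useful part: a header that is internally inconsistent or disagrees with the blob length is a sign the artefact was truncated, padded or hand-built rather than produced by a normal installer.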