
Rietspoof

Posted: February 19, 2019

Rietspoof is a Trojan downloader that receives commands from a remote attacker to download and run additional files. Any Rietspoof infection should therefore be treated as a likely sign that spyware, rootkits or other high-level threats are present as well. Victims should cut the infected PC's network connections to halt the Trojan's operations before disinfecting it with their preferred anti-malware product.

More than Just a Spoof of a Security Problem

A Trojan downloader that began attacking the public last year is prompting renewed investigation, due to changes in its campaign's infrastructure and a sudden uptick in its infection rates. Rietspoof is making a name for itself among threats of its kind for the dedication its programmers show towards its Command & Control infrastructure, which has made sharp leaps in development between versions. For anyone compromised by it, the overriding concern is Rietspoof's ability to download other threats.

Rietspoof spreads through both stand-alone messaging clients, such as Skype, and social network-embedded ones, like Facebook's Messenger. Although its Command & Control traffic is restricted to United States-based IP addresses, nothing about its infection vectors is specific to that or any other region. Malware experts also confirm that Rietspoof receives updates as often as daily, so some details of its payload may become out of date quickly.

The infection runs in four distinct stages. The first abuses Visual Basic Script (VBS) files that carry digital signatures, lending them a false appearance of legitimacy. The VBS loaders include separate routines for dropping Rietspoof onto Windows PCs, depending on whether the logged-in account has administrator privileges or lacks them. However, Rietspoof's own body doesn't appear until the third stage. At that point, Rietspoof can:

  • Download other files, most commonly a backdoor Trojan that gives the criminals control over the PC, or spyware that collects information, such as the Astaroth Trojan.
  • Launch processes automatically.
  • Self-terminate, or stop running and uninstall itself, to hide evidence of the attack. This feature does not necessarily remove any other threats that Rietspoof has installed.
  • Upload files from the PC to a criminal's server.

Getting Your Security Right against a Rietspoof Attack

Users should be watchful for attacks matching Rietspoof's infection vectors, such as messages from compromised or unknown accounts that carry Web links. Rietspoof is designed to run without the user's notice and includes conventional 'stealth' features like network-traffic and string obfuscation, along with misleading digital signatures. Any other threats that Rietspoof drops may or may not produce symptoms of their own to alert users.
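The watchfulness described above can be turned into a concrete hunt over endpoint telemetry. The following is an added example, not code from the original article or from any published Rietspoof analysis: it flags the first-stage pattern the article describes (a VBS file launched from a messaging client or browser, run from a user-writable folder, or running with elevated privileges, followed by a script host spawning a new process) in Sysmon-style process-creation events. The field names, the process names assumed for the messaging clients (Skype.exe, Messenger.exe) and the sample records are all constructed assumptions. Note that the hunt deliberately ignores whether the script is signed, since the article notes the loaders carry misleading signatures.

```python
"""Hunt for the Rietspoof-style first stage in process-creation telemetry.

Added example, not from the original article or from any Rietspoof analysis.
Assumes Sysmon-style process-creation events (ParentImage, Image, CommandLine,
IntegrityLevel); all process names and sample records below are constructed.
"""
import re
from dataclasses import dataclass

# Windows script hosts that execute .vbs files.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
# Assumed image names for the messaging clients named in the article.
MESSAGING_CLIENTS = {"skype.exe", "messenger.exe"}
# Web-embedded Messenger runs inside a browser, so a file opened from the
# browser's download bar shows the browser as its parent.
BROWSERS = {"chrome.exe", "firefox.exe", "msedge.exe"}
# Folders a link in a chat message typically lands a file in.
USER_WRITABLE = re.compile(r"\\(Downloads|AppData\\Local\\Temp)\\", re.IGNORECASE)


@dataclass
class ProcEvent:
    record_id: int
    parent_image: str
    image: str
    command_line: str
    integrity: str  # Sysmon IntegrityLevel: Low/Medium/High/System


def basename(path):
    """Lower-cased file name from a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def classify(ev):
    """Return the list of reasons an event looks like the described loader chain."""
    reasons = []
    image, parent = basename(ev.image), basename(ev.parent_image)
    cmd = ev.command_line.lower()
    if image in SCRIPT_HOSTS and ".vbs" in cmd:
        if parent in MESSAGING_CLIENTS or parent in BROWSERS:
            reasons.append("vbs launched from messaging client or browser")
        if USER_WRITABLE.search(ev.command_line):
            reasons.append("vbs run from a user-writable folder")
        if ev.integrity.lower() == "high":
            reasons.append("vbs running elevated (admin-privilege loader branch)")
    if parent in SCRIPT_HOSTS and image not in SCRIPT_HOSTS:
        reasons.append("script host spawned a new process (possible next-stage drop)")
    return reasons


def hunt(events):
    """Map record_id -> reasons for every event that raised at least one flag."""
    return {ev.record_id: r for ev in events if (r := classify(ev))}


# Constructed sample telemetry: three suspicious records and one benign logon script.
SAMPLE_EVENTS = [
    ProcEvent(101, r"C:\Program Files\Skype\Skype.exe",
              r"C:\Windows\System32\wscript.exe",
              r'wscript.exe "C:\Users\jane\Downloads\invoice_photo.vbs"', "Medium"),
    ProcEvent(102, r"C:\Windows\System32\wscript.exe",
              r"C:\Users\jane\AppData\Local\Temp\update.exe",
              r'"C:\Users\jane\AppData\Local\Temp\update.exe" /silent', "Medium"),
    ProcEvent(103, r"C:\Windows\explorer.exe",
              r"C:\Windows\System32\cscript.exe",
              r"cscript.exe C:\Scripts\logon.vbs", "Medium"),
    ProcEvent(104, r"C:\Program Files\Google\Chrome\Application\chrome.exe",
              r"C:\Windows\System32\wscript.exe",
              r'wscript.exe //B "C:\Users\jane\AppData\Local\Temp\IMG_2291.jpg.vbs"', "High"),
]

if __name__ == "__main__":
    for rid, reasons in sorted(hunt(SAMPLE_EVENTS).items()):
        print(rid, "->", "; ".join(reasons))
```

On the constructed sample, records 101, 102 and 104 are flagged and the logon script in 103 is not. In a real deployment the flagged host would be isolated from the network immediately, since the article stresses that the Trojan keeps polling for commands while connected, and the flagged records would be correlated with any outbound connections made by the script host or its children.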

Disabling network connectivity is especially critical when dealing with Rietspoof, which can otherwise continue receiving commands, downloading files and uploading data in the background. Most professional anti-malware products should detect and delete this threat automatically before it installs itself, regardless of the self-defenses noted above. After your anti-malware program deletes Rietspoof and any related threats, change passwords and any other credentials that its threat actors could have collected in the interim.

The intensity of Rietspoof's update schedule is, from the malware industry's point of view, praiseworthy. For those unlucky enough to be on the receiving end, that devotion means little more than worse and more frequent attacks against their computers.
