Avast security researchers have discovered a new malware called Rietspoof. The malware spreads via instant messaging applications such as Facebook Messenger and Skype.
A report released over the weekend describes the new threat as "multi-stage malware" first detected in August 2018 but ignored until a significant increase in distribution efforts was observed last month.
Rietspoof's main role is to infect victims and then download more malware, depending on the commands it receives from a command-and-control (C&C) server.
Immediately after being downloaded, the malware places an LNK (shortcut) file in the Windows Startup folder. Most antivirus products watch for this behaviour, but Avast says Rietspoof is legitimately signed, which lets the malware pass security checks.
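A defender-side check for the persistence behaviour described above, as an added example that is not part of the article or of Avast's report: enumerate the shortcut files in the per-user and all-users Startup folders, resolve what each one launches, and report the Authenticode signature status and signer of the target. Folder paths come from the standard Windows special-folder API; nothing here is specific to Rietspoof, and the output format is this example's own.

```powershell
# Added example (not from the article or Avast): audit .lnk files in both Startup
# folders, resolve their targets and show signature status plus signer subject.
# Run in a normal PowerShell session; no elevated rights are needed for the
# per-user folder, reading the all-users folder works for any local user.

$startupFolders = @(
    [Environment]::GetFolderPath('Startup'),        # per-user Startup folder
    [Environment]::GetFolderPath('CommonStartup')   # all-users Startup folder
)

# WScript.Shell parses the LNK format for us and exposes TargetPath/Arguments.
$shell = New-Object -ComObject WScript.Shell

$results = foreach ($folder in $startupFolders) {
    if (-not (Test-Path -LiteralPath $folder)) { continue }

    Get-ChildItem -LiteralPath $folder -Filter '*.lnk' -File -ErrorAction SilentlyContinue |
        ForEach-Object {
            $lnk       = $shell.CreateShortcut($_.FullName)
            $target    = $lnk.TargetPath
            $sigStatus = 'TargetMissing'   # default if the shortcut points nowhere
            $signer    = ''

            if ($target -and (Test-Path -LiteralPath $target)) {
                # Status is one of Valid, NotSigned, HashMismatch, UnknownError, ...
                $sig       = Get-AuthenticodeSignature -FilePath $target
                $sigStatus = $sig.Status
                if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }
            }

            [PSCustomObject]@{
                Shortcut  = $_.FullName
                Created   = $_.CreationTime   # a fresh timestamp is worth a second look
                Target    = $target
                Arguments = $lnk.Arguments
                SigStatus = $sigStatus
                Signer    = $signer
            }
        }
}

$results | Sort-Object Created -Descending | Format-Table -AutoSize
```

The signature column is deliberately not treated as a verdict: as the article notes, the sample Avast analysed was itself signed, so a `Valid` status only tells you who signed the target. The useful signals for review are a shortcut created recently, a target outside the usual program directories, or a signer subject nobody on the team recognises.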
The infection consists of four different stages, which are described in more detail in the Avast publication here. The actual Rietspoof malware appears in the third stage, while the last stage downloads more powerful malware.
Rietspoof is what security researchers call a "dropper" or "downloader": a type of malware designed with the sole purpose of infecting its victims with "something more powerful".
It can download, run, upload and delete files, and in an emergency it can even delete itself.
Avast says that since it began analysing this new threat, the malware has changed its C&C communication protocol and undergone many small changes, leading researchers to believe that it is still in active development.
"Our investigation cannot confirm whether we have uncovered the entire infection chain," researchers said on Saturday.
Rietspoof is the second "dropper / downloader" malware to have been active in recent months. Another is called Vidar, and is used by criminals to distribute ransomware and stealers. An analysis of the Vidar malware is available here.