RisePro is an information-stealing malware that was first discovered in mid-December 2022. The earliest log recording from this malware, as of the time of this writing, was December 12th, 2022. The logs found were posted to Russian Market, which is a log shop that is like other markets, such as Genesis. There appeared to be multiple thousands of logs posted [2]. RisePro appears to be written in C++ and acts similarly to the “Vidar” malware. According to a Joe Sandbox analysis, RisePro exhibits similar behaviors to other information-stealing malware. RisePro utilizes many of the same DLL dependencies used by Vidar, which itself was a fork of an information-stealing malware known as “Arkei” [2, 3].
RisePro hunts down cookies, saved passwords, saved credit card information, crypto wallets, and other software credentials, in addition to taking screenshots of infected machines. More specifically, it can search browsers like Chrome and Firefox, a wide variety of “wallet” type browser extensions, desktop applications like Discord and Battle.net, and can even scan the filesystem for specific data patterns, such as data matching potential credit card recipts. In terms of distribution, it has been confirmed by both Flashpoint and Sekoia that RisePro is being distributed in the form of fake software cracks and key generators [1]. This fact is likely connected to RisePro’s association with PPI distribution.
Pay-per-install malware services, or PPI, are a way for cybercriminals to monetize the installation of malware. In other words, if a cybercriminal has the capability for a building a network of infected machines, then they can also sell access to those machines [5]. One might purchase access to infected machines for a variety of purposes, such as performing DDOS attacks, cryptocurrency mining, or information stealing [5].
As we have discussed in previous reports, smaller malware authors may not have the resources or bandwidth to distribute malicious software in large-scale, so PPI is an option for them to rely on a network of affiliates and endeavor to have their software installed on the network’s victims’ machines [6]. A PPI network will generally monitor the number of machines they have on their network along with machine specifications. This will be achieved using a “loader” during the infection process, which is a module that allows for both tracking and additional payloads to be installed on the machine [5].
The PrivateLoader service comes up often when discussing PPI services. In addition to its suspiciously overlapping feature set with RisePro, it has also been connected to a number of other malware in the past, such as the Vidar Stealer, RedLine Stealer, Amadey, DanaBot, NetDooka, among many others [7]. PrivateLoader is a PPI loader that is written in C++. Its primary functions include downloading and deploying additional malware payloads onto already infected machines [6]. PrivateLoader operates as three modules. The first module is a primary module for loading the Core module, the Core module is for contacting command-and-control, and the third module is a Service module for maintaining persistence [9].
Interestingly, an analysis or PrivateLoader has revealed a number of feature overlaps with RisePro, such as, string scrambling, HTTP port setup, and HTTP message obfuscation [7]. In general, the core module of PrivateLoader employs a number of techniques, such as stack string obfuscation, host fingerprinting, payload downloading over HTTPS, along with anti-analysis and defense impairment techniques [9]. A variety of malware has been seen to be delivered by PrivateLoader, such as SmokeLoader, RedLine, Vidar, Raccoon, and GCleaner. Additionally, PrivateLoader may have been in use since at least May of 2021 [8].
As we have discussed in previous reports, PrivateLoader is primarily distributed through a network of bait websites that are SEO-optimized, targeting users looking for pirated software, cracks, or keyloggers. These bait sites entice users and attempt to have them download the PrivateLoader payload in a ZIP file. It also offers robust administrative features to its customers, such as adding users, modifying geolocation targeting, and load file encryption options [6, 8].
In summary, RisePro is a fairly recent information stealing malware. It was discovered in mid-December 2022 via a collection of logs posted to Russian markets. It is written in C++, acts similarly to the previously known Vidar information stealer, and exhibits behaviors one should expect of an information stealer like hunting down saved passwords and credit card information. A pay-per-install service, or PPI, involves maintaining a large group of infected machines such that “install” services can be offered to threat actor clients seeking to have their malicious software installed on a large number of machines. PrivateLoader is a well-known PPI that comes up quite often when discussing these kinds of services. PrivateLoader is a PPI loader written in C++ and is used for deploying malicious payloads on infected Windows machines. It is associated with many malware operations, and it has seemingly been in use since at least May of 2021.
[2]: https://flashpoint.io/blog/risepro-stealer-and-pay-per-install-malware-privateloader/
[3]: https://www.joesandbox.com/analysis/654580/0/pdf
[4]: https://blog.sekoia.io/new-risepro-stealer-distributed-by-the-prominent-privateloader/
[5]: https://www.techrepublic.com/article/pay-per-install-services/
[6]: https://redskyalliance.org/xindustry/malware-as-a-service-now-offers-pay-per-install
[7]: https://thehackernews.com/2022/12/privateloader-ppi-service-found.html
[8]: https://thehackernews.com/2022/02/several-malware-families-using-pay-per.html
[9]: https://blog.sekoia.io/privateloader-the-loader-of-the-prevalent-ruzki-ppi-service/
About Red Sky Alliance
Red Sky Alliance strongly recommends ongoing monitoring from both internal and external perspectives. Internal monitoring is common practice. However, external threats are often overlooked and can represent an early warning of impending cyber-attacks. Red Sky Alliance can provide both internal monitoring in tandem with RedXray notifications on external threats to include, botnet activity, public data breaches, phishing, fraud, and general targeting.
Red Sky Alliance is in New Boston, NH USA. We are a Cyber Threat Analysis and Intelligence Service organization. For questions, comments or assistance, please contact the lab directly at 1-844-492-7225, or feedback@wapacklabs.com
- Reporting: https://www.redskyalliance.org/
- Website: https://www.wapacklabs.com/
- LinkedIn: https://www.linkedin.com/company/64265941
Weekly Cyber Intelligence Briefings:
REDSHORTS - Weekly Cyber Intelligence Briefings
https://attendee.gotowebinar.com/register/5504229295967742989
Comments