RisePro on the Rise

A recently identified information stealer named ‘RisePro’ is being distributed by the pay-per-install malware downloader service ‘PrivateLoader’, cyber threat investigators reported.  RisePro, a new malware, was recently observed on a dark web forum run by Russian cybercriminals.  Since 13 December 2022, the malware has been offered for sale as a log credential stealer on underground forums, leading many to believe it is a clone of the Vidar Stealer.  RisePro was featured on the Russian Market cybercrime marketplace, where cybercriminals upload and sell logs exfiltrated using stealers.

Written in C++, RisePro harvests potentially sensitive information from the compromised machines and then attempts to exfiltrate it as logs.  The malware appears to be based on Vidar stealer, which has been analyzed several times.[1]

See: https://redskyalliance.org/xindustry/malware-as-a-service-now-offers-pay-per-install

A feature of the Arkei stealer itself, Vidar is known for downloading a series of dependencies and configuration settings from its command-and-control (C&C) server.  The infostealer was cracked in 2018, and several clones, including the ‘Oski’ and ‘Mars’ stealers, were seen in the past.

See: https://redskyalliance.org/xindustry/weekly-cyber-intel-report-all-sector-08-19-2022

RisePro, too, was seen using the dropped dynamic link library (DLL) dependencies that Vidar uses, and analysis of the malware suggests that it is very likely a clone of Vidar.  However, RisePro also shows similarities with other information stealers being offered.  Russian Market lists over 2,000 logs supposedly exfiltrated using RisePro, which may indicate that the information stealer is gaining popularity among cybercriminals.  Pay-per-install services allow threat actors to buy the ability to have their malicious payloads downloaded onto infected systems.  Investigators have observed advertisements for this service on cybercriminal forums and Telegram, which threat actors typically use to provide customer support.

Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization.  For questions, comments, or assistance, please get in touch with the office directly at 1-844-492-7225, or feedback@wapacklabs.com      

Weekly Cyber Intelligence Briefings:

  • Reporting: https://www.redskyalliance.org/
  • Website: https://www.wapacklabs.com/
  • LinkedIn: https://www.linkedin.com/company/64265941

REDSHORTS - Weekly Cyber Intelligence Briefings

https://attendee.gotowebinar.com/register/5504229295967742989 

[1] https://www.securityweek.com/new-risepro-infostealer-increasingly-popular-among-cybercriminals
