Stealer

A new information-stealing malware named ‘RisePro’ is being distributed through fake cracks sites operated by the PrivateLoader pay-per-install (PPI) malware distribution service.

RisePro is designed to help attackers steal victims’ credit cards, passwords, and crypto wallets from infected devices.

The malware was spotted by analysts at Flashpoint and Sekoia this week, with both cybersecurity firms confirming that RisePro is a previously undocumented information stealer now being distributed via fake software cracks and key generators.

Flashpoint reports that threat actors have already begun to sell thousands of RisePro logs (packages of data stolen from infected devices) on Russian dark web markets.

Additionally, Sekoia discovered extensive code similarities between PrivateLoader and RisePro, indicating that the malware distribution platform is likely now spreading its own information-stealer, either for itself or as a service.

Currently, RisePro is available for purchase via Telegram, where buyers can also interact with the developer and with infected hosts through a Telegram bot.

The RisePro C2 panel (Sekoia)

RisePro details and capabilities

RisePro is a C++ malware that, according to Flashpoint, might be based on the Vidar password-stealing malware, as it uses the same system of embedded DLL dependencies.

DLLs dropped in the malware's working directory (Flashpoint)

Sekoia further explains that some samples of RisePro embed the DLLs, while in others, the malware fetches them from the C2 server via POST requests.

The info-stealer first fingerprints the compromised system by scrutinizing registry keys, writes stolen data to a text file, takes a screenshot, bundles everything in a ZIP archive, and then sends the file to the attacker's server.

RisePro attempts to steal a wide variety of data from applications, browsers, crypto wallets, and browser extensions, as listed below:

  • Web browsers: Google Chrome, Firefox, Maxthon3, K-Melon, Sputnik, Nichrome, Uran, Chromodo, Netbox, Comodo, Torch, Orbitum, QIP Surf, Coowon, CatalinaGroup Citrio, Chromium, Elements, Vivaldi, Chedot, CentBrowser, 7start, ChomePlus, Iridium, Amigo, Opera, Brave, CryptoTab, Yandex, IceDragon, BlackHaw, Pale Moon, Atom.
  • Browser extensions: Authenticator, MetaMask, Jaxx Liberty Extension, iWallet, BitAppWallet, SaturnWallet, GuildWallet, MewCx, Wombat, CloverWallet, NeoLine, RoninWallet, LiqualityWallet, EQUALWallet, Guarda, Coinbase, MathWallet, NiftyWallet, Yoroi, BinanceChainWallet, TronLink, Phantom, Oxygen, PaliWallet, Bolt X, ForboleX, XDEFI Wallet, Maiar DeFi Wallet.
  • Software: Discord, battle.net, Authy Desktop.
  • Cryptocurrency assets: Bitcoin, Dogecoin, Anoncoin, BBQCoin, DashCore, Florincoin, Franko, Freicoin, GoldCoin (GLD), IOCoin, Infinitecoin, Ixcoin, Megacoin, Mincoin, Namecoin, Primecoin, Terracoin, YACoin, Zcash, devcoin, digitalcoin, Litecoin, Reddcoin.

In addition to the above, RisePro can scan filesystem folders for interesting data like receipts containing credit card information.

Link to PrivateLoader

PrivateLoader is a pay-per-install malware distribution service disguised as software cracks, key generators, and game modifications.

Threat actors provide the malware sample they wish to distribute, targeting criteria, and payment to the PrivateLoader team, who then uses their network of fake and hacked websites to distribute malware.

The service was first spotted by Intel471 in February 2022, while in May 2022, Trend Micro observed PrivateLoader pushing a new remote access trojan (RAT) named ‘NetDooka.’

Until recently, PrivateLoader distributed almost exclusively either RedLine or Raccoon, two popular information stealers.

Now that RisePro has joined that lineup, Sekoia reports that the new malware also includes loader capabilities, and that this part of its code overlaps extensively with PrivateLoader's.

The similarities include the strings obfuscation technique, the HTTP message obfuscation, and the HTTP and port setup.

Code similarity of 30% in HTTP port setup (Sekoia)

One likely scenario is that the same people behind PrivateLoader developed RisePro.

Another hypothesis is that RisePro is the evolution of PrivateLoader or the creation of a rogue former developer who now promotes a similar PPI service.

Based on the collected evidence, Sekoia couldn’t determine the exact connection between the two projects.
