A new information-stealing malware named ‘RisePro’ is being distributed through fake crack sites operated by the PrivateLoader pay-per-install (PPI) malware distribution service.
RisePro is designed to help attackers steal victims’ credit cards, passwords, and cryptocurrency wallets from infected devices.
The malware was discovered by Flashpoint and Sekoia analysts this week, who confirmed that RisePro is a previously undocumented information stealer distributed via fake software cracks and key generators.
Flashpoint reports that the attackers have already started selling thousands of RisePro logs (packages of data stolen from infected devices) on a Russian-language dark web marketplace.
Sekoia additionally found extensive code similarities between PrivateLoader and RisePro, which suggests that malware distribution platforms are now spreading their own information stealers, either for themselves or as a service.
RisePro is sold via Telegram, and buyers use a Telegram bot to interact both with the developers and with infected hosts.
RisePro Details and Features
RisePro is written in C++ and, according to Flashpoint, uses the same system of embedded DLL dependencies as the password-stealing malware Vidar, so it may be based on it.
Sekoia further explains that some RisePro samples have the DLLs embedded, while in other samples the malware retrieves them from a command-and-control (C2) server via HTTP POST requests.
The infostealer first reads registry keys to fingerprint the compromised system, writes the stolen data to a text file, takes screenshots, bundles everything into a ZIP archive, and sends the archive to the attacker’s server.
RisePro attempts to steal various data from applications, browsers, crypto wallets, and browser extensions as shown below.
- Web browsers: Google Chrome, Firefox, Maxthon3, K-Melon, Sputnik, Nichrome, Uran, Chromodo, Netbox, Comodo, Torch, Orbitum, QIP Surf, Coowon, CatalinaGroup Citrio, Chromium, Elements, Vivaldi, Chedot, CentBrowser, 7start, ChomePlus, Iridium, Amigo, Opera, Brave, CryptoTab, Yandex, IceDragon, BlackHawk, Pale Moon, Atom.
- Browser extensions: Authenticator, MetaMask, Jaxx Liberty Extension, iWallet, BitAppWallet, SaturnWallet, GuildWallet, MewCx, Wombat, CloverWallet, NeoLine, RoninWallet, LiqualityWallet, EQUALWallet, Guarda, Coinbase, MathWallet, NiftyWallet, Yoroi, BinanceChainWallet, TronLink, Phantom, Oxygen, PaliWallet, Bolt X, ForboleX, XDEFI wallet, Maiar DeFi wallet.
- Software: Discord, battle.net, Authy Desktop.
- Cryptocurrency wallets: Bitcoin, Dogecoin, Anoncoin, BBQCoin, DashCore, Florincoin, Franko, Freicoin, GoldCoin (GLD), IOCoin, Infinitecoin, Ixcoin, Megacoin, Mincoin, Namecoin, Primecoin, Terracoin, YACoin, Zcash, devcoin, digitalcoin, Litecoin, Reddcoin.
In addition to the above, RisePro can scan filesystem folders to find interesting data such as receipts containing credit card information.
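As an added illustration, not code from Flashpoint, Sekoia or the malware itself, the Python script below hunts for the collection chain described above in endpoint telemetry: a registry read, a text-file write, a ZIP write and an HTTP POST from the same process, in that order, within a short time window. The event schema, registry paths, file names and the 203.0.113.10 address are all assumptions, and the sample events are constructed; the screenshot step is recorded but not required, since not every telemetry source captures it.

```python
"""Behaviour-chain hunt for the collection pattern described in the article.

Added example with a constructed telemetry schema; it is not the vendors' or
the malware author's code.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Tuple


@dataclass(frozen=True)
class Event:
    ts: int       # seconds since epoch
    pid: int      # process id the event belongs to
    kind: str     # assumed event types: reg_read | file_write | screenshot | net_post
    detail: str   # registry path, file path or URL


# Stages of the chain, in the order the article describes them.
STAGES: Tuple[str, ...] = ("reg_read", "txt_write", "zip_write", "net_post")


def stage_of(ev: Event) -> Optional[str]:
    """Map a raw event onto a chain stage, or None if it is not part of the chain."""
    path = ev.detail.lower()
    if ev.kind == "reg_read":
        return "reg_read"
    if ev.kind == "file_write" and path.endswith(".txt"):
        return "txt_write"
    if ev.kind == "file_write" and path.endswith(".zip"):
        return "zip_write"
    if ev.kind == "net_post":
        return "net_post"
    return None


def find_chains(events: Iterable[Event], window: int = 300) -> Dict[int, List[Event]]:
    """Return, per pid, the events completing every stage in order within `window` seconds."""
    by_pid: Dict[int, List[Event]] = defaultdict(list)
    for ev in sorted(events, key=lambda e: e.ts):
        by_pid[ev.pid].append(ev)

    hits: Dict[int, List[Event]] = {}
    for pid, evs in by_pid.items():
        matched: List[Event] = []
        for ev in evs:
            # Discard a stale partial chain so an old registry read cannot pair with a much later POST.
            if matched and ev.ts - matched[0].ts > window:
                matched = []
            if stage_of(ev) == STAGES[len(matched)]:
                matched.append(ev)
                if len(matched) == len(STAGES):
                    hits[pid] = matched
                    break
    return hits


# Constructed sample telemetry (not real logs). 203.0.113.10 is a TEST-NET-3 address.
SAMPLE_EVENTS: List[Event] = [
    # pid 4242: the full chain, mirroring the article's description
    Event(1000, 4242, "reg_read", r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProductName"),
    Event(1005, 4242, "file_write", r"C:\Users\victim\AppData\Local\Temp\information.txt"),
    Event(1006, 4242, "screenshot", "display0"),
    Event(1010, 4242, "file_write", r"C:\Users\victim\AppData\Local\Temp\data.zip"),
    Event(1012, 4242, "net_post", "http://203.0.113.10/"),
    # pid 1337: a backup tool that zips, reads the registry and logs, but never POSTs
    Event(1000, 1337, "file_write", r"D:\backup\2022-12-22.zip"),
    Event(1001, 1337, "reg_read", r"HKCU\Software\BackupTool\LastRun"),
    Event(1002, 1337, "file_write", r"D:\backup\log.txt"),
    # pid 9001: the same stages, but spread over fifty minutes, outside the default window
    Event(2000, 9001, "reg_read", r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProductName"),
    Event(2010, 9001, "file_write", r"C:\Temp\notes.txt"),
    Event(5000, 9001, "file_write", r"C:\Temp\archive.zip"),
    Event(5010, 9001, "net_post", "https://updates.example.net/upload"),
]


if __name__ == "__main__":
    for pid, chain in find_chains(SAMPLE_EVENTS).items():
        print(f"pid {pid}: collection chain completed in {chain[-1].ts - chain[0].ts}s")
        for ev in chain:
            print(f"  {ev.ts} {ev.kind:<10} {ev.detail}")
```

The window is the main tuning knob: widening it (the second assertion below uses 5000 seconds) also flags pid 9001, at the cost of more false positives from legitimate tools that happen to read the registry, write files and upload data over a long session.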
Link to PrivateLoader
PrivateLoader is a pay-per-install malware distribution service masquerading as software cracks, key generators, and game modifications.
Threat actors provide the PrivateLoader team with the malware samples they wish to distribute, their targeting criteria, and payment. The PrivateLoader team then uses a network of fake and hacked websites to distribute the malware.
The service was first documented by Intel 471 in February 2022, and in May 2022 Trend Micro found that PrivateLoader was pushing a new remote access trojan (RAT) named ‘NetDooka’.
Until recently, the information stealers PrivateLoader distributed were RedLine and Raccoon, two widely used families.
With the addition of RisePro, Sekoia reports that the new malware itself contains loader functionality, and that this part of its code overlaps heavily with PrivateLoader’s.
Similarities include string obfuscation techniques, HTTP message obfuscation, and HTTP and port setup.
One possible scenario is that the same people behind PrivateLoader developed RisePro.
Another hypothesis is that RisePro is either an evolution of PrivateLoader or the creation of a rogue ex-developer who is now promoting a similar PPI service.
Based on the evidence gathered so far, Sekoia was unable to determine the exact link between the two projects.