New Infostealer RisePro Is Distributed Through “Pirate” Sites

Flashpoint and Sekoia experts have discovered a new data-stealing malware, RisePro infostealer, which is distributed through sites with fake cracks.

These sites are built and managed using the pay-per-install (PPI) malware distribution service PrivateLoader.

یادآوری کنم که ما هم همین را نوشتیم اربیوم Infostealer تحت عنوان کرک ها و تقلب ها برای بازی ها پخش می شود, و همچنین آن Unusual YTStealer بدافزار یوتیوبرها را هدف قرار می دهد.

The media also reported that Meta Infostealer Malware Spread via Spam.

Flashpoint و Sekoia write that RisePro is a new threat focused on stealing bank card data, رمزهای عبور, and cryptocurrency wallet data from infected devices. The malware is distributed under the guise of key and crack generators for various software, as well as mods for games.

Loading on a malicious site

Flashpoint reports that malware operators have already begun selling thousands of RisePro logs (data collected from infected devices) on Russian-language marketplaces on the dark web.

Sekoia analysts say they have found significant similarities between PrivateLoader and RisePro code. They believe that the operators of the malware distribution platform have launched their own infostealer (for themselves or as a new service). RisePro is reportedly currently available for purchase via تلگرام.

RisePro is written in C++ and is probably built on the source code of another infostealer – Vidar, since it uses the same DLL dependency system.

After infection, the malware scans the compromised system, carefully examines the registry keys and saves the found data to a text file and takes a screenshot. As a result, the malware packs everything collected into a ZIP archive, and then sends the archive to the attackers’ سرور.

RisePro tries to steal a wide range of data from apps, browsers, cryptocurrency wallets and browser extensions:

1. Browsers: گوگل کروم, فایرفاکس, Maxthon3, K-Melon, Sputnik, Nichrome, Uran, Chromodo, Netbox, Comodo, Torch, Orbitum, QIP Surf, Coowon, CatalinaGroup Citrio, Chromium, Elements, Vivaldi, Chedot, CentBrowser, 7شروع کنید, ChomePlus , Iridium, Amigo, اپرا, Brave, CryptoTab, Yandex, IceDragon, BlackHaw, Pale Moon, Atom.
2. Browser Extensions: Authenticator, MetaMask, Jaxx Liberty Extension, iWallet, BitAppWallet, SaturnWallet, GuildWallet, MewCx, Wombat, CloverWallet, NeoLine, RoninWallet, LiqualityWallet, EQUALWallet, Guarda, Coinbase, MathWallet, NiftyWallet, Yoroi, BinanceChainWallet, TronLink, Phantom, Oxygen, PaliWallet, PaliWallet, Bolt X, ForboleX, XDEFI Wallet, Maiar DeFi Wallet.
3. نرم افزار: اختلاف نظر, battle.net, Authy Desktop.
4. Cryptocurrency assets: بیت کوین, Dogecoin, Anoncoin, BBQCoin, BBQCoin, DashCore, Florincoin, Franko, Freicoin, GoldCoin (GLD), IOCoin, Infinitecoin, Ixcoin, Megacoin, Mincoin, Namecoin, Primecoin, Terracoin, YACoin, Zcash, devcoin, digitalcoin, Litecoin, reddcoin.

علاوه بر این, RisePro can scan folders in the file system looking for interesting data, such as receipts containing bank card information.

The researchers remind that the above-mentioned PrivateLoader is a pay-per-install malware distribution service that disguises malware as cracks, key generators, and game mods. در حقیقت, the attackers provide PrivateLoader operators with a sample of the malware they want to distribute, tell them what the targeting criteria are, and make the payment.

بعد از آن, PrivateLoader uses its network of fake and hacked sites to spread the resulting malware.

This service for hackers was discovered in the spring of 2022 توسط Intel471 specialists. Interestingly, until recently, PrivateLoader has been distributing only the popular infosealers RedLine و Raccoon (with rare exceptions).

Now that RisePro has added to its arsenal, Sekoia experts note that the new infostealer has the capabilities of a loader, and its code largely coincides with the code of the PrivateLoader itself. Similarities were seen in string obfuscation techniques, HTTP message obfuscation, and HTTP and port settings.

As a result, the researchers suggest that RisePro could have been developed by the same people behind PrivateLoader. Another theory says that RisePro is a new round of development of PrivateLoader itself or the “brainchild” of a former developer of the same hack group, who is now promoting his own PPI service.