New infostealer RisePro is distributed through "pirate" sites

Flashpoint and Sekoia experts have discovered a new data-stealing malware, RisePro infostealer, which is distributed through sites with fake cracks.

These sites are built and managed using the pay-per-install (PPI) malware distribution service PrivateLoader.

Recall that we have also written about the Erbium infostealer, which spreads disguised as game cracks and cheats, and about the unusual YTStealer malware that targets YouTubers.

Media also reported on the Meta infostealer malware being spread via spam.

Flashpoint and Sekoia write that RisePro is a new threat focused on stealing bank card data, passwords, and cryptocurrency wallet data from infected devices. The malware is distributed under the guise of key generators and cracks for various software, as well as mods for games.

[Figure: New infostealer RisePro, loading on a malicious site]

Flashpoint reports that malware operators have already begun selling thousands of RisePro logs (data collected from infected devices) on Russian-language marketplaces on the dark web.

Sekoia analysts say they have found significant similarities between the PrivateLoader and RisePro code. They believe that the operators of the malware distribution platform have launched their own infostealer (for themselves or as a new service). RisePro is reportedly available for purchase via Telegram.

RisePro is written in C++ and is probably built on the source code of another infostealer, Vidar, since it uses the same DLL dependency system.


After infection, the malware scans the compromised system, examines the registry keys, saves the data it finds to a text file and takes a screenshot. Finally, it packs everything collected into a ZIP archive and sends the archive to the attackers' server.

RisePro tries to steal a wide range of data from apps, browsers, cryptocurrency wallets and browser extensions:

  1. Browsers: Google Chrome, Firefox, Maxthon3, K-Melon, Sputnik, Nichrome, Uran, Chromodo, Netbox, Comodo, Torch, Orbitum, QIP Surf, Coowon, CatalinaGroup Citrio, Chromium, Elements, Vivaldi, Chedot, CentBrowser, 7Star, ChromePlus, Iridium, Amigo, Opera, Brave, CryptoTab, Yandex, IceDragon, BlackHawk, Pale Moon, Atom.
  2. Browser extensions: Authenticator, MetaMask, Jaxx Liberty Extension, iWallet, BitAppWallet, SaturnWallet, GuildWallet, MewCx, Wombat, CloverWallet, NeoLine, RoninWallet, LiqualityWallet, EQUALWallet, Guarda, Coinbase, MathWallet, NiftyWallet, Yoroi, BinanceChainWallet, TronLink, Phantom, Oxygen, PaliWallet, Bolt X, ForboleX, XDEFI Wallet, Maiar DeFi Wallet.
  3. Software: Discord, battle.net, Authy Desktop.
  4. Cryptocurrency assets: Bitcoin, Dogecoin, Anoncoin, BBQCoin, DashCore, Florincoin, Franko, Freicoin, GoldCoin (GLD), IOCoin, Infinitecoin, Ixcoin, Megacoin, Mincoin, Namecoin, Primecoin, Terracoin, YACoin, Zcash, devcoin, digitalcoin, Litecoin, reddcoin.

In addition, RisePro can scan folders in the file system looking for interesting data, such as receipts containing bank card information.
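The sequence described above (reads of several browser, wallet and app credential stores by one process, a ZIP archive written shortly after, then an outbound connection) is something a defender can hunt for behaviourally, without any sample-specific indicator. The following is an added example, not code from the article or from Flashpoint/Sekoia. It runs offline over a constructed EDR-style event feed whose JSON-lines schema (ts, pid, image, type, path, dst) is made up for this example, matches only on the standard Windows on-disk locations of the stores the article names, and uses thresholds (three distinct stores, a two-minute window) that are assumptions to tune for a real feed.

```python
"""Behavioural detector for the collect -> ZIP -> exfiltrate pattern.

Added example (not the article's or the researchers' code). Event schema,
sample telemetry, thresholds and the list of store paths are assumptions.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Path fragments of credential, cookie and wallet stores named as targets in
# the article (standard Windows locations). Each fragment counts as one store.
CREDENTIAL_STORE_MARKERS = (
    r"\Google\Chrome\User Data\Default\Login Data",
    r"\Google\Chrome\User Data\Default\Cookies",
    r"\Google\Chrome\User Data\Default\Local Extension Settings",
    r"\Mozilla\Firefox\Profiles",
    r"\BraveSoftware\Brave-Browser\User Data",
    r"\Opera Software\Opera Stable",
    r"\discord\Local Storage\leveldb",
    r"\Authy Desktop\Local Storage",
    r"\Bitcoin\wallet.dat",
    r"\Litecoin\wallet.dat",
)


def store_marker(path):
    """Return the credential-store fragment that `path` touches, or None."""
    lowered = path.lower()
    for marker in CREDENTIAL_STORE_MARKERS:
        if marker.lower() in lowered:
            return marker
    return None


def parse_events(lines):
    """Parse JSON-lines events, convert timestamps, return them time-sorted."""
    events = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        event = json.loads(line)
        event["ts"] = datetime.fromisoformat(event["ts"])
        events.append(event)
    events.sort(key=lambda e: e["ts"])
    return events


def detect_stealer_pattern(lines, min_stores=3, window=timedelta(seconds=120)):
    """Flag a process that read >= min_stores distinct credential stores within
    `window` before writing a .zip file and connected out within `window` after."""
    by_pid = defaultdict(list)
    for event in parse_events(lines):
        by_pid[event["pid"]].append(event)

    alerts = []
    for pid, events in by_pid.items():
        store_reads = []
        for e in events:
            if e["type"] == "file_read":
                marker = store_marker(e["path"])
                if marker is not None:
                    store_reads.append((e["ts"], marker))
        zip_writes = [e for e in events
                      if e["type"] == "file_write" and e["path"].lower().endswith(".zip")]
        connects = [e for e in events if e["type"] == "net_connect"]

        for z in zip_writes:
            stores = {m for ts, m in store_reads if z["ts"] - window <= ts <= z["ts"]}
            if len(stores) < min_stores:
                continue
            exfil = [c for c in connects if z["ts"] <= c["ts"] <= z["ts"] + window]
            if not exfil:
                continue
            alerts.append({"pid": pid, "image": z["image"], "stores": sorted(stores),
                           "archive": z["path"], "destination": exfil[0]["dst"]})
            break  # one alert per process is enough
    return alerts


# Constructed sample feed (not real telemetry). chrome.exe reading its own store
# and a backup tool zipping one profile are benign; keygen.exe shows the pattern.
SAMPLE_EVENTS = r"""
{"ts": "2023-01-01T12:00:00", "pid": 2200, "image": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe", "type": "file_read", "path": "C:\\Users\\victim\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data"}
{"ts": "2023-01-01T12:00:01", "pid": 4120, "image": "C:\\Users\\victim\\Downloads\\keygen.exe", "type": "file_read", "path": "C:\\Users\\victim\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data"}
{"ts": "2023-01-01T12:00:02", "pid": 4120, "image": "C:\\Users\\victim\\Downloads\\keygen.exe", "type": "file_read", "path": "C:\\Users\\victim\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Cookies"}
{"ts": "2023-01-01T12:00:03", "pid": 4120, "image": "C:\\Users\\victim\\Downloads\\keygen.exe", "type": "file_read", "path": "C:\\Users\\victim\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\abcd1234.default-release\\logins.json"}
{"ts": "2023-01-01T12:00:04", "pid": 4120, "image": "C:\\Users\\victim\\Downloads\\keygen.exe", "type": "file_read", "path": "C:\\Users\\victim\\AppData\\Local\\BraveSoftware\\Brave-Browser\\User Data\\Default\\Login Data"}
{"ts": "2023-01-01T12:00:05", "pid": 4120, "image": "C:\\Users\\victim\\Downloads\\keygen.exe", "type": "file_read", "path": "C:\\Users\\victim\\AppData\\Roaming\\discord\\Local Storage\\leveldb\\000003.log"}
{"ts": "2023-01-01T12:00:06", "pid": 4120, "image": "C:\\Users\\victim\\Downloads\\keygen.exe", "type": "file_read", "path": "C:\\Users\\victim\\AppData\\Roaming\\Bitcoin\\wallet.dat"}
{"ts": "2023-01-01T12:00:09", "pid": 4120, "image": "C:\\Users\\victim\\Downloads\\keygen.exe", "type": "file_write", "path": "C:\\Users\\victim\\AppData\\Local\\Temp\\report.zip"}
{"ts": "2023-01-01T12:00:11", "pid": 4120, "image": "C:\\Users\\victim\\Downloads\\keygen.exe", "type": "net_connect", "dst": "203.0.113.10:80"}
{"ts": "2023-01-01T12:01:00", "pid": 3300, "image": "C:\\Program Files\\BackupTool\\backup.exe", "type": "file_read", "path": "C:\\Users\\victim\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\abcd1234.default-release\\logins.json"}
{"ts": "2023-01-01T12:01:05", "pid": 3300, "image": "C:\\Program Files\\BackupTool\\backup.exe", "type": "file_write", "path": "D:\\Backups\\profile.zip"}
"""

if __name__ == "__main__":
    for alert in detect_stealer_pattern(SAMPLE_EVENTS.splitlines()):
        print(f"pid {alert['pid']} ({alert['image']}) read {len(alert['stores'])} credential "
              f"stores, wrote {alert['archive']}, then connected to {alert['destination']}")
```

Only the keygen.exe process is flagged: the browser reading its own Login Data never writes an archive, and the backup tool touches a single store and never connects out. Requiring all three stages in order keeps the rule cheap to run and hard to trip with ordinary browser or backup activity; the store list and thresholds are the knobs to extend when new targets (such as the wallet extensions above) matter in your environment.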

The researchers remind that the above-mentioned PrivateLoader is a pay-per-install malware distribution service that disguises malware as cracks, key generators, and game mods. In practice, customers provide the PrivateLoader operators with a sample of the malware they want to distribute, tell them the targeting criteria, and make the payment.

PrivateLoader then uses its network of fake and hacked sites to spread the malware it has been given.

This service for hackers was discovered in the spring of 2022 by Intel471 experts. Interestingly, until recently PrivateLoader had been distributing only the popular infostealers RedLine and Raccoon (with rare exceptions).

Now that RisePro has been added to its arsenal, Sekoia experts note that the new infostealer has the capabilities of a loader, and its code largely coincides with the code of PrivateLoader itself. Similarities were seen in the string obfuscation techniques, the HTTP message obfuscation, and the HTTP and port settings.


As a result, the researchers suggest that RisePro could have been developed by the same people behind PrivateLoader. Another theory holds that RisePro is a new stage in the development of PrivateLoader itself, or the "brainchild" of a former developer of the same group who is now promoting his own PPI service.

About the author

Karina Wilson

With more than 10 years of writing experience for online and print media, I am an expert in delivering clear and engaging copy.

I have written for leading SEO copywriting agencies and for some of the UK's best-known brands, magazines and newspapers.
