New RisePro Infostealer Is Distributed Through "Pirate" Sites

Flashpoint and Sekoia experts have discovered a new data-stealing malware, RisePro infostealer, which is distributed through sites with fake cracks.

These sites are built and managed using the pay-per-install (PPI) malware distribution service PrivateLoader.

Let me remind you that we also wrote about an infostealer spreading under the guise of game cracks and cheats, and about the unusual YTStealer malware targeting YouTubers.

The media also reported that the Meta infostealer malware was spread via spam.

Flashpoint and Sekoia write that RisePro is a new threat focused on stealing bank card data, passwords, and cryptocurrency wallet data from infected devices. The malware is distributed under the guise of key generators and cracks for various software, as well as mods for games.

New infostealer RisePro
Loading on a malicious site

Flashpoint reports that malware operators have already begun selling thousands of RisePro logs (data collected from infected devices) on Russian-language marketplaces on the dark web.

Sekoia analysts say they have found significant similarities between the PrivateLoader and RisePro code. They believe that the operators of the malware distribution platform have launched their own infostealer (for themselves or as a new service). RisePro is reportedly currently available for purchase via Telegram.

RisePro is written in C++ and is probably built on the source code of another infostealer, Vidar, since it uses the same DLL dependency system.


After infection, the malware scans the compromised system, carefully examines the registry keys, saves the data it finds to a text file and takes a screenshot. The malware then packs everything collected into a ZIP archive and sends the archive to the attackers' server.

RisePro tries to steal a wide range of data from apps, browsers, cryptocurrency wallets and browser extensions:

  1. Browsers: Google Chrome, Firefox, Maxthon3, K-Melon, Sputnik, Nichrome, Uran, Chromodo, Netbox, Comodo, Torch, Orbitum, QIP Surf, Coowon, CatalinaGroup Citrio, Chromium, Elements, Vivaldi, Chedot, CentBrowser, 7Star, ChromePlus, Iridium, Amigo, Opera, Brave, CryptoTab, Yandex, IceDragon, BlackHaw, Pale Moon, Atom.
  2. Browser Extensions: Authenticator, MetaMask, Jaxx Liberty Extension, iWallet, BitAppWallet, SaturnWallet, GuildWallet, MewCx, Wombat, CloverWallet, NeoLine, RoninWallet, LiqualityWallet, EQUALWallet, Guarda, Coinbase, MathWallet, NiftyWallet, Yoroi, BinanceChainWallet, TronLink, Phantom, Oxygen, PaliWallet, PaliWallet, Bolt X, ForboleX, XDEFI Wallet, Maiar DeFi Wallet.
  3. Software: Discord, battle.net, Authy Desktop.
  4. Cryptocurrency assets: Bitcoin, Dogecoin, Anoncoin, BBQCoin, BBQCoin, DashCore, Florincoin, Franko, Freicoin, GoldCoin (GLD), IOCoin, Infinitecoin, Ixcoin, Megacoin, Mincoin, Namecoin, Primecoin, Terracoin, YACoin, Zcash, devcoin, digitalcoin, Litecoin, reddcoin.

In addition, RisePro can scan folders in the file system looking for interesting data, such as receipts containing bank card information.

The researchers remind that the above-mentioned PrivateLoader is a pay-per-install malware distribution service that disguises malware as cracks, key generators, and game mods. In practice, attackers provide the PrivateLoader operators with a sample of the malware they want to distribute, specify the targeting criteria, and make the payment.

After that, PrivateLoader uses its network of fake and hacked sites to spread the resulting malware.

This service for hackers was discovered in the spring of 2022 by Intel471 specialists. Interestingly, until recently, PrivateLoader had been distributing only the popular infostealers RedLine and Raccoon (with rare exceptions).

Now that RisePro has been added to its arsenal, Sekoia experts note that the new infostealer also has the capabilities of a loader, and its code largely coincides with the code of PrivateLoader itself. Similarities were seen in the string obfuscation techniques, the HTTP message obfuscation, and the HTTP and port settings.


Therefore, the researchers suggest that RisePro could have been developed by the same people behind PrivateLoader. Another theory says that RisePro is a new stage in the development of PrivateLoader itself, or the "brainchild" of a former developer from the same hack group who is now promoting his own PPI service.
