December 26, 2022 | Ravie Lakshmanan | Cyber Crime / Data Security

A pay-per-install (PPI) malware downloader service known as PrivateLoader is being used to distribute a previously undocumented information-stealing malware dubbed RisePro.

Flashpoint spotted the newly identified stealer on December 13, 2022, after discovering "multiple log sets" exfiltrated by the malware being sold on an illicit cybercrime marketplace called Russian Market.

The C++-based malware, RisePro, is said to share similarities with another information stealer called Vidar Stealer, itself a variant of the Arkei stealer that first surfaced in 2018.


"The emergence of stealers as payloads for pay-per-install services may indicate that attackers are confident in their capabilities," the threat intelligence firm noted last week.


Cybersecurity company SEKOIA released its own analysis of RisePro and further identified partial source code overlaps with PrivateLoader. These include the string obfuscation mechanism, the HTTP method and port setup, and the HTTP message obfuscation method.

PrivateLoader, as the name suggests, is a download service that allows subscribers to deliver malicious payloads to targeted hosts.


In the past, it has been used to deliver Vidar Stealer, RedLine Stealer, Amadey, DanaBot, NetDooka, and others, disguised as pirated software hosted on decoy sites and compromised WordPress portals that rank prominently in search results.

RisePro is no different from other stealers in that it can harvest a wide range of data from 36 web browsers, including cookies, passwords, credit cards, and cryptocurrency wallets, collect files of interest from the host, and load additional payloads.

It is sold on Telegram, and the malware's developer has also made a Telegram channel available. This lets criminals interact with infected systems by supplying an attacker-created bot ID, which the malware sends to a remote server after a successful compromise.

Also part of the malware's infrastructure is an admin panel hosted on a domain named my-rise[.]cc, which grants access to the stolen data logs, but only after signing in to an account with a valid set of credentials.

It is not clear at this time whether RisePro was created by the same threat actors behind PrivateLoader, nor whether it is distributed exclusively through the PPI service.

"PrivateLoader is still active and comes with a set of new features," SEKOIA said. "The similarities between the stealer and PrivateLoader are compelling and provide additional insight into the spread of threat actors."
