A pay-per-install (PPI) malware downloader service known as PrivateLoader is being used to distribute a newly identified information-stealing malware dubbed RisePro.
Flashpoint spotted the stealer on December 13, 2022, after finding “multiple log sets” exfiltrated by the malware being sold on an illicit cybercrime marketplace called Russian Market.
The C++-based malware is said to share similarities with another information stealer called Vidar Stealer, which is derived from Arkei and was introduced in 2018.
“The emergence of stealers as payloads for pay-per-install services may indicate that attackers are confident in their capabilities,” the threat intelligence firm noted in a write-up last week.
Cybersecurity company SEKOIA released its own analysis of RisePro and further identified partial source-code overlaps with PrivateLoader, including the string-obfuscation mechanism, the HTTP method and port setup, and the HTTP message obfuscation method.
PrivateLoader, as its name suggests, is a downloader service that allows subscribers to deliver malicious payloads to targeted hosts.
It has previously been used to deliver Vidar Stealer, RedLine Stealer, Amadey, DanaBot, NetDooka and others, disguised as pirated software hosted on decoy sites and compromised WordPress portals that rank prominently in search results.
RisePro is no different from other stealers in that it can harvest a wide range of data from 36 web browsers, including cookies, passwords, credit cards and cryptocurrency wallets, collect files of interest, and load additional payloads.
It is sold via Telegram, and the malware author also offers a Telegram channel that lets criminals interact with infected systems: the operator supplies a bot ID they created, which the malware sends to a remote server after a successful compromise.
Also part of the malware’s infrastructure is an admin panel hosted on a domain named my-rise[.]cc, which grants access to the stolen data logs, but only after signing in with a valid set of account credentials.
It is not clear at this time whether RisePro was created by the same threat actors behind PrivateLoader, or whether it is offered exclusively as part of the PPI service.
“PrivateLoader is still active and comes with a set of new features,” SEKOIA said. “The similarities between the stealer and PrivateLoader are compelling and provide additional insight into the spread of threat actors.”