Update: September 5, 2023
After Flashpoint reported on RisePro in December 2022, its operations appeared to go quiet.
But on July 4, 2023, RisePro made a comeback when it appeared for sale on a mid-tier forum. The seller claimed in their ads that they have taken the best aspects of “Redline” and “Vidar” to make a powerful stealer.
And this time, the seller also promises a new advantage for users of RisePro: customers host their own panels to ensure logs are not stolen by the sellers.
Flashpoint has found that although the RisePro seller wrote that customers host panels themselves, the panel must communicate with the seller’s infrastructure to generate builds and update subscription access. This means it may still be possible for the developers to steal or scrape logs from customer servers.
Pay to play
RisePro currently offers several subscription tiers for access to its builder, priced by the length of access to the stealer. In a new sample obtained by Flashpoint, RisePro appears to have been changed or modified to more closely match the malware “PrivateLoader,” the pay-per-install malware downloader service that previously dropped RisePro.
After RisePro was newly posted for sale in July, analysts observed an increase in users posting RisePro logs for sale on Russian Market.
RisePro also operates a public Telegram channel for news and updates, and an invitation-only chat for customers that includes customer discussions and free downloads of panel updates.
Active panels
Flashpoint has identified the following command and control (C2) panels that have been active in the last two months:
- 168[.]100[.]10[.]122
- 5[.]42[.]79[.]238
- 95[.]214[.]25[.]231
- 45[.]15[.]159[.]248
- 185[.]173[.]38[.]198
- 194[.]169[.]175[.]128
- 79[.]110[.]49[.]141
- 38[.]47[.]220[.]202
Changes and updates to RisePro
Flashpoint compared new versions of RisePro to a sample initially identified in December 2022 to look for significant differences.
- December 2022 sample hash: d9445561cef089271565e3fe54b8da7aff3ecfe73506762ffcdaedc3615180ba
- August 2023 sample hash: 7f1f5370c9c34dd4c5092e14c2b1327b6630b3da31396239e87c47c1f73897d0
RisePro logs on Russian Market
“RisePro” is a newly identified stealer written in C++ that appears to possess similar functionality to the stealer malware “Vidar.” RisePro targets potentially sensitive information on infected machines and attempts to exfiltrate it in the form of logs.
Flashpoint first identified RisePro on December 13, 2022 after analysts identified several sets of logs uploaded to the illicit underground market Russian Market, which listed their source as “risepro.”
Russian Market is a log shop similar to other log markets, such as Genesis, in which threat actors can upload and sell logs collected from stealers. At the time of writing, Russian Market has featured over 2,000 logs allegedly sourced from RisePro.
We have identified malicious samples that appear to be related to RisePro based on identifying strings in the samples. During investigations of open source intelligence, such as open source sandbox analyses from other security researchers, our analysts identified several samples of RisePro that were dropped or downloaded by the pay-per-install malware downloader service “PrivateLoader.”
PrivateLoader allows threat actors to buy the ability to have it download malicious payloads onto infected systems. Pay-per-install services are not a novel business model for threat actors operating botnets. Flashpoint analysts have observed advertisements of these types of services in the past on forums and within Telegram, which is commonly used by these stealers for customer support.
Vidar and RisePro stealers
RisePro appears to be written in C++. When reviewing the functionality of this stealer, analysts recorded similarities between RisePro and other stealer malware families. Most notably, RisePro uses dropped dynamic link library (DLL) dependencies that are known to be used by the stealer Vidar.
This would not be the first time analysts observed a clone of Vidar being passed off as another malicious service. Vidar was originally a fork of a stealer called “Arkei” and was fully cracked and analyzed by researchers in 2018.
Arkei originally did not have DLL dependencies—these files were first introduced in the Vidar iteration of the stealer. Since then, notable clones of Vidar include the “Oski” and “Mars” stealers. Analysts assess this proliferation of clones is likely due to the malware being cracked.
Analysts assess that RisePro is very likely a clone of Vidar stealer.
Indicators of compromise (IOCs)
Here are the identified hash samples of RisePro:
- e0579dc3a1e48845194d9cd9415ae492d375fd59cea0e1adf21866afde152f89
- c633d7549fb4a77e02fa1e48f8fb3e3b41d8a998778d2e2c024949673dad0ba5
- d9445561cef089271565e3fe54b8da7aff3ecfe73506762ffcdaedc3615180ba
- 8259fed869da390d33cbdb7e2e174ce58a8ebd7f1f99f104b70753eb8679b246
- 867254ba74add6d8e7484dbdd6d45a4c12acd9e31870d84d9efe202945191286
- 5ee280016fc53c27bbc6d049820cb6dfd33bc4e9e5c618027677793f070eefee
Command and control (C2) domains
- neo-files[.]com
- gamefilescript[.]com
RisePro command and control URI structure
- /set_file.php
- /get_loaders.php
- /freezeStats.php
- /get_grabbers.php
- /get_marks.php
- /get_settings.php
- /pingmap.php
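The indicators above (active panel IPs, C2 domains, URI paths and sample hashes) are published in defanged or bare form; to be useful they have to be refanged and matched against real telemetry. The following script is an added example, not Flashpoint's code: it refangs the indicators listed in this post, scans proxy log lines in an assumed simplified format ("timestamp client method url status") for connections to known panels or to the RisePro URI paths, and checks a SHA-256 against the published sample hashes. The log lines embedded at the bottom are constructed for illustration, not captured traffic.

```python
import hashlib
import re
from dataclasses import dataclass, field

# Indicators as published in the post, kept in their defanged form so they can be
# pasted straight from the write-up; refang() turns them into matchable values.
DEFANGED_C2_IPS = [
    "168[.]100[.]10[.]122", "5[.]42[.]79[.]238", "95[.]214[.]25[.]231",
    "45[.]15[.]159[.]248", "185[.]173[.]38[.]198", "194[.]169[.]175[.]128",
    "79[.]110[.]49[.]141", "38[.]47[.]220[.]202",
]
DEFANGED_C2_DOMAINS = ["neo-files[.]com", "gamefilescript[.]com"]
C2_URI_PATHS = {
    "/set_file.php", "/get_loaders.php", "/freezeStats.php", "/get_grabbers.php",
    "/get_marks.php", "/get_settings.php", "/pingmap.php",
}
SAMPLE_SHA256 = {
    "e0579dc3a1e48845194d9cd9415ae492d375fd59cea0e1adf21866afde152f89",
    "c633d7549fb4a77e02fa1e48f8fb3e3b41d8a998778d2e2c024949673dad0ba5",
    "d9445561cef089271565e3fe54b8da7aff3ecfe73506762ffcdaedc3615180ba",
    "8259fed869da390d33cbdb7e2e174ce58a8ebd7f1f99f104b70753eb8679b246",
    "867254ba74add6d8e7484dbdd6d45a4c12acd9e31870d84d9efe202945191286",
    "5ee280016fc53c27bbc6d049820cb6dfd33bc4e9e5c618027677793f070eefee",
    "7f1f5370c9c34dd4c5092e14c2b1327b6630b3da31396239e87c47c1f73897d0",
}


def refang(indicator: str) -> str:
    """Turn a defanged indicator such as 1[.]2[.]3[.]4 back into its real form."""
    return indicator.replace("[.]", ".").replace("hxxp", "http")


C2_HOSTS = {refang(i) for i in DEFANGED_C2_IPS + DEFANGED_C2_DOMAINS}

# Assumed, simplified proxy log format: "<timestamp> <client-ip> <method> <url> <status>".
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)\s+(?P<status>\d{3})$"
)
URL_RE = re.compile(r"^https?://(?P<host>[^/:?#]+)(?::\d+)?(?P<path>/[^?#]*)?")


@dataclass
class Hit:
    ts: str
    client: str
    host: str
    path: str
    reasons: list = field(default_factory=list)


def match_url(url: str):
    """Return (host, path, reasons); reasons is empty when the URL matches nothing."""
    m = URL_RE.match(url)
    if not m:
        return None
    host = m.group("host").lower()
    path = m.group("path") or "/"
    reasons = []
    if host in C2_HOSTS:
        reasons.append("known RisePro C2 host")
    # The PHP endpoint names are generic enough that a path-only match is a weak
    # signal on its own; a host match alongside it is the strong one.
    if path in C2_URI_PATHS:
        reasons.append("RisePro C2 URI path")
    return host, path, reasons


def scan_proxy_log(lines):
    """Return a Hit for every log line whose URL touches a known host or URI path."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # unparseable line; a real pipeline would count these
        parsed = match_url(m.group("url"))
        if parsed is None:
            continue
        host, path, reasons = parsed
        if reasons:
            hits.append(Hit(m.group("ts"), m.group("client"), host, path, reasons))
    return hits


def is_known_sample_hash(hexdigest: str) -> bool:
    """Case-insensitive lookup against the published SHA-256 list."""
    return hexdigest.strip().lower() in SAMPLE_SHA256


def hash_matches_known_sample(data: bytes) -> bool:
    return is_known_sample_hash(hashlib.sha256(data).hexdigest())


# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    "2023-08-10T12:00:01Z 10.0.0.5 POST http://neo-files.com/set_file.php 200",
    "2023-08-10T12:00:02Z 10.0.0.7 GET http://5.42.79.238/get_settings.php 200",
    "2023-08-10T12:00:03Z 10.0.0.9 GET https://example.com/index.html 200",
    "2023-08-10T12:00:04Z 10.0.0.11 GET http://cdn.example.net/pingmap.php 404",
]

if __name__ == "__main__":
    for hit in scan_proxy_log(SAMPLE_LOG):
        print(f"{hit.ts} {hit.client} -> {hit.host}{hit.path}: {', '.join(hit.reasons)}")
```

Run against the constructed lines, the script reports three hits: the first two match both a known panel and a C2 path, while the last matches only the `/pingmap.php` path and should be treated as a lead to corroborate rather than a confirmed infection.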
Protect your data and assets with Flashpoint
Flashpoint’s suite of actionable intelligence solutions enables organizations to proactively identify and mitigate cyber and physical threats and protect people, places, and assets. To unlock the power of great threat intelligence, get started with a free Flashpoint trial.
Source: https://flashpoint.io/blog/risepro-stealer-and-pay-per-install-malware-privateloader/