Summary
RisePro is a multifunctional information-stealer often sold on underground forums as part of a Malware-as-a-Service (MaaS) offering. Although this malware family was initially observed in late 2022, BlackBerry detected a sharp increase in activity surrounding it during the latter part of 2023 and into early 2024, and it was highlighted in the March edition of our Global Threat Intelligence Report in the “Top Critical Infrastructure Threats” section.
RisePro has no specific infection vector and can be dropped onto a victim’s device in a plethora of ways, often relying on malicious links and lures to gain an initial foothold. In the past it has been deployed by PrivateLoader, a pay-per-install (PPI) malware often utilized by other threat actors as a malware distribution service, allowing threats like RisePro to be deployed onto unsuspecting victim devices. Researchers have uncovered indications that RisePro shares significant code overlaps with PrivateLoader, suggesting a connection between the two.
Once it has gained a foothold on a system, RisePro will check to see if it has an Internet connection and then reach out to communicate with its command-and-control (C2), which can send the malware a wide variety of commands. Like many other infostealer malware families, RisePro can fingerprint a victim’s system, steal data and exfiltrate it to the threat actor’s infrastructure.
Although no specific threat actor has been directly associated with RisePro to date, given the activities of the malware and the specific design features of RisePro’s control panel, we assess with a high degree of confidence that those associated with its development are Russian-speaking.
In this blog, we’ll delve deeper into RisePro and examine its infection chain and inner workings.
Affected Operating Systems
Technical Analysis
Infection Vector
RisePro utilises a subscription-based model, so the initial infection vector varies widely and is entirely dependent on the needs of its affiliates/operator(s). Operators of RisePro pay a licensing fee to the threat actor who developed the malware, giving the cybercriminal purchaser total freedom to generate new binaries, configure their own malware-builders, and customize various options depending on their own desires and motivations.
RisePro often uses deceit as an aid in its deployment. It regularly appears as a Trojanised version of commonly used legitimate software, positioning itself as something useful for unsuspecting victims to download. For example, in March 2024, a variant of RisePro leveraged GitHub to host malicious binaries masquerading as legitimate software downloads.
Throughout our investigations, BlackBerry researchers observed RisePro hiding behind numerous disguises, including everything from “cracked” versions of paid software to seemingly legitimate Microsoft files in early 2024.
According to a report published in March, RedLine, Vidar, and Raccoon are the most widely-utilized infostealers, with RedLine alone accounting for over 170 million compromised passwords in the six months between October 2023 and March 2024. Compromised accounts can be leveraged for further nefarious activities and even used as an attack vector to deliver ransomware, making any of these infostealers a potent threat.
Analysis
RisePro uses a malware builder to generate its payloads, giving a high degree of flexibility and customization to those who utilise this infostealer. For example, when a payload is being crafted, the operator can specify the type of executable, the build name and even the specific service IP it wishes the malware to use for communication. RisePro can also employ various other features such as:
- Anti-Debugger Checks
- Anti-Virtual machine (VM) Checks
- Disable Windows Defender
- Residency
Upon execution, RisePro will initially drop a copy of itself onto the victim device as a means of persistence. Typically, RisePro will drop copies of itself via:
- %AppData%\Local\Temp
- %ProgramData%
If the malware operator has the setting for “residency” enabled, RisePro binaries will create scheduled task(s) to run both hourly and on logon. This is achieved via schtasks(.)exe to ensure the malware has a foothold on the unsuspecting victim’s device. Examples are below:
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /create /f /RU "Admin" /tr "C:\ProgramData\[RisePro].exe" /tn "%RisePro% HR" /sc HOURLY /rl HIGHEST
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /create /f /RU "Admin" /tr "C:\ProgramData\[RisePro].exe" /tn "%RisePro% LG" /sc ONLOGON /rl HIGHEST
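The two scheduled-task commands above are a useful detection point. The following is an added example (not code from the original post) that scores Sysmon-style process-creation records for the combination the write-up describes: schtasks.exe creating a task that runs HOURLY or ONLOGON at HIGHEST run level, forced with /f, whose target binary sits in %ProgramData% or %AppData%\Local\Temp. The event records and task names are constructed for the demonstration.

```python
import re
from typing import Optional

# Constructed Sysmon Event ID 1-style records (image, command line); not from the original post.
# The first two mirror the RisePro persistence commands; the third is a benign task for contrast.
SAMPLE_EVENTS = [
    ("C:\\Windows\\SysWOW64\\schtasks.exe",
     'schtasks /create /f /RU "Admin" /tr "C:\\ProgramData\\svc_update.exe" /tn "svc HR" /sc HOURLY /rl HIGHEST'),
    ("C:\\Windows\\SysWOW64\\schtasks.exe",
     'schtasks /create /f /RU "Admin" /tr "C:\\ProgramData\\svc_update.exe" /tn "svc LG" /sc ONLOGON /rl HIGHEST'),
    ("C:\\Windows\\System32\\schtasks.exe",
     'schtasks /create /tn "Backup Nightly" /tr "C:\\Program Files\\Acme\\backup.exe" /sc DAILY /st 02:00'),
    ("C:\\Windows\\System32\\cmd.exe", "cmd /c echo hello"),
]

RISEPRO_SCHEDULES = {"HOURLY", "ONLOGON"}
# Drop directories named in the write-up, as they appear in an expanded path (lower-cased).
SUSPICIOUS_DIRS = ("c:\\programdata\\", "\\appdata\\local\\temp\\")


def parse_switches(cmdline: str) -> dict:
    """Map schtasks switches to their values: '/sc HOURLY /tn "a b" /f' -> {'sc': 'HOURLY', 'tn': 'a b', 'f': ''}.
    A value is either a quoted string or a bare token that does not start with '/'."""
    switches = {}
    for m in re.finditer(r'/(\w+)(?:\s+(?:"([^"]*)"|([^/\s"]\S*)))?', cmdline):
        value = m.group(2) if m.group(2) is not None else (m.group(3) or "")
        switches[m.group(1).lower()] = value
    return switches


def assess(image: str, cmdline: str) -> Optional[dict]:
    """Return a finding when a task creation matches at least three RisePro traits, else None."""
    if not image.lower().endswith("\\schtasks.exe"):
        return None
    sw = parse_switches(cmdline)
    if "create" not in sw:
        return None
    reasons = []
    schedule = sw.get("sc", "").upper()
    if schedule in RISEPRO_SCHEDULES:
        reasons.append(f"schedule {schedule}")
    if sw.get("rl", "").upper() == "HIGHEST":
        reasons.append("runs with highest privileges")
    if any(d in sw.get("tr", "").lower() for d in SUSPICIOUS_DIRS):
        reasons.append("task binary in a user-writable drop directory")
    if "f" in sw:
        reasons.append("/f silently overwrites an existing task of the same name")
    if len(reasons) >= 3:
        return {"task": sw.get("tn", "?"), "target": sw.get("tr", ""), "reasons": reasons}
    return None


def scan(events=SAMPLE_EVENTS) -> list:
    """Run assess() over every record and keep only the findings."""
    return [hit for hit in (assess(img, cmd) for img, cmd in events) if hit]


if __name__ == "__main__":
    for hit in scan():
        print(hit["task"], "->", hit["target"], ";", ", ".join(hit["reasons"]))
```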
Once on a victim device, RisePro will attempt to contact its C2 infrastructure. Before doing so, the malware completes a number of checks to determine whether it is running in an isolated or potentially virtualised environment. This is done by reaching out to various IP information and geolocation service providers, such as:
- ipinfo(.)io
- db-ip(.)com
- maxmind(.)com
This information is utilised two-fold, both to determine if the malware is running in an analysis or isolated environment, and to gather the geographic and location information of the victim. Furthermore, RisePro can operate on different conditions depending on whether a victim is located in a specific region/nation.
Figure 1: Example of typical RisePro network communications.
Communication
Earlier reporting showed that RisePro formerly communicated over HTTP, using a basic byte-substitution cipher and XOR operations to obfuscate its true communications. However, it was reported in late 2023 that newer versions of the malware had transitioned to a custom protocol over TCP for network communication.
Although this was a complete overhaul of the transport, the malware largely kept the same obfuscation for its traffic. Throughout subsequent investigations into RisePro, frequent updates have been observed, with RisePro version 1.6 commonly seen in the wild circa March 2024. Communications between version 1.0 and 1.6 have nevertheless remained largely unchanged, with both versions following the same message structure, as observed here.
In June 2024, RisePro saw another update, moving to RisePro version 2.0 which brought minor iterative changes to its communications once again. RisePro still operates over TCP for network communications keeping its same byte-substitution cipher as per version 1.6. However, the malware now communicates through different TCP Port(s) and corresponding XOR logic.
The malware will initialise communication with the C2 to confirm its connection. Additionally, via the builder, a RisePro operator can specify points of notoriety for their own malicious logging purposes called “marks”. These marks could be specific crypto-wallets, payment types, or credentials sought by the operator.
The C2 will send its “Grabber Config” command containing a set of instructions specifying what items of interest the operator wishes to exfiltrate from the target device. Most options in the configuration take a Boolean value (true or false, with unknown represented by null) that enables or disables the corresponding capability. As a result, RisePro’s behaviour can differ from sample to sample, and can even differ within a specific region/geolocation, depending on the customisation applied in its configuration.
Figure 2: RisePro C2 communication and initialisation.
Infostealing
RisePro’s primary goal is to conduct information stealing and exfiltrate victim information back to its malicious operator(s). Once the C2 sends its “Server Send Grab Config” command, the malware will operate according to the following settings.
In addition to sending the exfiltrated information back to its C2, the malware can be customised to send stolen data through other means, namely a Telegram bot.
| Grab Config ID | Details |
|---|---|
| block_hwid_all | Blocks loading of hardware fingerprint if already met |
| block_hwid_day | Blocks loading of hardware fingerprinting if satisfied the last day |
| block_ip_all | Blocks additional downloading of logs whose IP has already satisfied |
| external_access | Enable external access to panel |
| find_seeds | – |
| ftp_upload | Sends logs via FTP |
| grab_ds | Exfiltrate Discord credentials |
| grab_ftp | FTP credentials |
| grab_games | Video game credentials |
| grab_ihistory | Internet history credentials |
| grab_messengers | Chat/Messenger service credentials |
| grab_screen | Take screenshot and exfiltrate |
| grab_tg | Telegram credentials |
| grab_vpn | VPN credentials |
| grab_wallets | Crypto-wallet data |
| merge_browser_data | Merge browser data together |
| sapi_key | SOCKS5 API Key (Static) |
| socks5_password | SOCKS5 Password (Static) |
| static_marks | “Marks” customised by operator |
| tg_token | Operator’s Telegram token |
| use_hvnc | Start a Hidden Virtual Network Computing (HVNC) session at startup |
Figure 3: RisePro v1.6 configuration options.
Once the malware receives its “Grab Config,” it confirms its commands before being issued another “Send Loader Config.” This configuration command is another feature of the malware, enabling it to act as a malware downloader. If enabled, RisePro will download additional payloads and even other malware at the request of the operator.
Figure 4: RisePro V2.0 Server Send Loader Config example.
After both commands are received, the server sends a “Set File Filter” command to specify which victim data is collected for exfiltration.
Throughout our investigations, we observed RisePro sending its communications via its custom TCP communications, with the exfiltrated data being a Base64 encoded ZIP file. The contents of this file vary depending on the settings of its configuration and valid information present on the victim device.
Figure 5: Exfiltration method of RisePro.
Two consistent files often observed during our investigations are:
- information.txt
- passwords.txt
Details gathered in “information.txt” largely concern fingerprinting of the victim device. This includes:
| Name | Details |
|---|---|
| Build | RisePro Build ‘ID’ |
| Version | RisePro version |
| ID Information | Device identification information |
| Path | Path of malware |
| Working Dir | Path of secondary binary of RisePro |
| Device Information | Device information |
| Hardware | Hardware information of victim device |
| Processes | Running processes (at time of exfiltration) |
| Software | Software on victim device |
In addition to “information.txt,” another text-based file “passwords.txt” is often observed being generated and exfiltrated. Prior to its exfiltration, all passwords and account details obtained by the information stealer are populated into this file, per the available data on the victim’s device and previously selected configurations.
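The exfiltration format described above (a Base64-encoded ZIP carrying “information.txt” and “passwords.txt”) can be checked for in a reassembled TCP payload. The following is an added example, not code from the original post: it builds a constructed stand-in payload with made-up contents, then runs a detector that verifies the Base64 encoding, the ZIP magic, and the presence of both stealer log files, while handling payloads that are not Base64 or not a ZIP.

```python
import base64
import binascii
import io
import zipfile

# File names the write-up reports inside the exfiltrated archive.
STEALER_FILES = {"information.txt", "passwords.txt"}


def build_sample_payload() -> bytes:
    """Constructed stand-in for a RisePro exfil payload: a ZIP holding the two log files,
    Base64-encoded as described in the write-up. All contents are made up for this example."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("information.txt", "Build: test\nVersion: 2.0\nPath: C:\\ProgramData\\x.exe\n")
        zf.writestr("passwords.txt", "URL: https://example.invalid\nLogin: user\n")
    return base64.b64encode(buf.getvalue())


def inspect_payload(payload: bytes) -> dict:
    """Classify an application-layer payload: is it Base64, is the decoded data a ZIP,
    and does the ZIP contain both stealer log files? Each failure mode returns early."""
    result = {"is_base64": False, "is_zip": False, "entries": [], "stealer_log": False}
    try:
        raw = base64.b64decode(payload, validate=True)   # reject non-alphabet bytes
    except (binascii.Error, ValueError):
        return result
    result["is_base64"] = True
    if not raw.startswith(b"PK\x03\x04"):               # local file header magic
        return result
    try:
        with zipfile.ZipFile(io.BytesIO(raw)) as zf:
            names = zf.namelist()
    except zipfile.BadZipFile:
        return result
    result["is_zip"] = True
    result["entries"] = names
    # Compare on the basename so nested paths inside the archive still match.
    basenames = {n.rsplit("/", 1)[-1].lower() for n in names}
    result["stealer_log"] = STEALER_FILES <= basenames
    return result


if __name__ == "__main__":
    verdict = inspect_payload(build_sample_payload())
    print("entries:", verdict["entries"], "stealer log:", verdict["stealer_log"])
```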
Figure 6: Redacted “information.txt” and “passwords.txt” from RisePro v2.0.
Distribution/Attribution
RisePro is often promoted on underground forums via the dark web. RisePro attracts new operators using a subscription-based MaaS model that enables operators/affiliates to create their own binaries and manage their own infrastructure.
Given the activities and design of both the malware and RisePro’s control panel, we assess with a high degree of confidence that those associated with its development are Russian-speaking. However, no specific threat actor has been directly associated with RisePro at time of writing.
Likewise, because this is Malware-as-a-Service, the malware can be used by anyone willing to pay the subscription, resulting in countless operators worldwide.
Figure 7: Example of an older RisePro (v0.7) Builder panel.
Targets
RisePro does not have any specific victims or targets, given that it is a subscription-based malware and thus bound to do the bidding of its affiliates/operators. Those who use its paid services are free to leverage other malicious downloaders or host their crafted RisePro binaries on their own lure site.
In previous RisePro malware campaigns, other known commodity malware, such as PrivateLoader, has been seen dropping RisePro. RisePro has also been observed hosted as Trojanised files through various means. In a recent campaign, the latest versions of the malware were seen hosted on GitHub. However, RisePro is not limited in its delivery by any specific ways or means.
Conclusion
The malleable and robust features of RisePro underscore the continually evolving state of the cyber threat landscape, emphasizing the necessity for robust countermeasures. Commodity information stealer threats dominated the March edition of our BlackBerry Global Threat Intelligence Report and have been observed by our analysts in both commercial enterprise and critical infrastructure organizations.
Through the use of sophisticated techniques, which include evasion tactics, customization options and data exfiltration capabilities, RisePro poses a substantial risk to both individuals and organizations alike. As a result, it is imperative that organizations endeavor to employ proactive defense tactics wherever possible, including employee awareness training, continuous monitoring, the deployment of a modern and comprehensive endpoint security suite, and an up-to-date Threat Intelligence program.
By remaining alert and adaptive, it is possible for organizations to bolster their defenses against evolving threats like RisePro, to help shield their digital infrastructure and preserve the integrity of their data and systems.
Countermeasures
The good news is that BlackBerry customers are protected against the RisePro IoCs listed in this blog by endpoint protection solutions such as CylanceENDPOINT™, powered by Cylance® AI from BlackBerry.
CylanceENDPOINT leverages advanced AI to detect threats before they cause damage, minimizing business disruptions and the costs incurred during a ransomware attack.
MITRE ATT&CK® Matrix
| Tactic | Technique ID | Technique Name | Details |
|---|---|---|---|
| TA0003: Persistence | T1053 | Scheduled Task/Job | Malware triggers a scheduled job on logon for persistence |
| | T1547.001 | Registry Run Keys/Startup | Creates autorun registry key in Start Menu\Programs\Startup |
| | T1547.001 | Registry Run Keys/Startup | Stores file in Windows Startup Directory |
| TA0005: Defense Evasion | T1140 | Deobfuscate/Decode Files or Information | Most variants of RisePro are obfuscated or packed |
| | T1564.003 | Hidden Window | Malware generates a hidden window |
| | T1036 | Masquerading | Creates files in both system and user directory |
| | T1112 | Modify Registry | Adds Registry Keys to victim device |
| | T1027.002 | Software Packing | Malware contains packed/crypted code |
| | T1497.001 | System Checks | Attempts to determine if running on a virtual machine (VM) |
| TA0006: Credential Access | T1555 | Credentials from Password Stores | Malware attempts to obtain sensitive password information from victim |
| | T1056 | Input Capture | Malware has the ability to determine input |
| | T1003 | OS Credential Dumping | Attempts to read system vault for password information |
| TA0007: Discovery | T1083 | File and Directory Discovery | Searches for sensitive data |
| | T1046 | Network Service Discovery | Sends Simple Service Discovery Protocol (SSDP) broadcast queries |
| | T1057 | Process Discovery | Enumerates running processes to populate “information.txt” |
| | T1012 | Query Registry | Enumerates Registry |
| | T1018 | Remote System Discovery | Reads hosts file |
| | T1518.001 | Security Software Discovery | |
| | T1082 | System Information Discovery | |
| | T1016 | System Network Configuration Discovery | |
| | T1124 | System Time Discovery | Gathers system time information to populate “information.txt” |
| TA0009: Collection | T1119 | Automated Collection | Searches for sensitive web browser data |
| | T1005 | Data from Local System | |
| | T1114 | Email Collection | Searches for email accounts and credentials |
| | T1056 | Input Capture | Creates a direct input object |
| TA0011: Command and Control | T1071 | Application Layer Protocol | Has ability to download additional payloads from web servers via HTTP |
| | T1573 | Encrypted Channel | Uses crypted and XOR TCP traffic to send data |
| | T1571 | Non-Standard Port | By default, RisePro uses TCP port 50500 for communications |
| TA0010: Exfiltration | T1041 | Exfiltration Over C2 Channel | All information acquired by malware is sent back to its C2 infrastructure |
| | T1567 | Exfiltration Over Web Service | RisePro can exfiltrate its stolen data via other means like Telegram if enabled |
Figure 6: Commonly observed RisePro MITRE Tactics/Techniques.
MITRE D3FEND™
| Model | Name | ID | Definition |
|---|---|---|---|
| Detect – File Analysis | File Content Rules | D3-FCR | Employing pattern-matching rule language/signatures to analyse the content of file(s) |
| Detect – Identifier Analysis | URL Reputation Analysis | D3-URA | Analysing the reputation of a URL and blocking if negatively scored/classified |
| Detect – Platform Monitoring | Scheduled Job Analysis | D3-SJA | Analysis of unauthorised use of job scheduling |
| Detect – Process Analysis | File Creation Analysis | D3-FCA | Analysing the properties of file-create system call invocations |
| Isolate – Execution Isolation | Executable Allow Listings | D3-EAL | Use of digital signatures and fingerprinting to authenticate a file prior to opening/execution |
| Isolate – Network Isolation | Network Traffic Filtering | D3-NTF | Restricting network traffic originating from a location |
| Evict – File Eviction | File Removal | D3-FR | File removal technique deletes malicious artifacts or programs from a computer system |
| Evict – Process Eviction | Process Termination | D3-PT | Terminating a running application process on a computer system |
Figure 8: Recommended MITRE D3FEND Techniques related to RisePro.
Indicators of Compromise (IoCs)
| SHA256 | File Type | Details |
|---|---|---|
| | PE/EXE | RisePro Binary (Selection) |
| IP/Domain | Details |
|---|---|
| 5[.]42[.]92[.]73:8081 185[.]196[.]9[.]38:8081 147[.]45[.]47[.]116:8081 101[.]99[.]92[.]169:8081 147[.]45[.]47[.]80:8081 37[.]120[.]237[.]196:8081 95[.]216[.]41[.]236:8081 185[.]221[.]198[.]67:8081 194[.]33[.]191[.]159:8081 94[.]156[.]8[.]188:8081 | Recently active RisePro C2s |
| ipinfo(.)io db-ip(.)com maxmind(.)com | IP Geolocation Services utilized by RisePro |
| hxxp://185[.]215[.]113[.]46/mine/plaza[.]exe hxxp://185[.]215[.]113[.]46/cost/ladas[.]exe hxxp://77[.]91[.]77[.]81/cost/go[.]exe hxxp://77[.]91[.]77[.]81/cost/lenin[.]exe hxxp://77[.]91[.]77[.]81/mine/amadka[.]exe | Example of secondary downloads via “Send Loader Config” |
Yara Rule
```yara
import "pe"

// Reconstructed from the published rule: the rule name is made a valid YARA identifier,
// the hex strings are closed, and the condition expressions that the extraction lost are
// restored only where the accompanying comment fully determines them.
rule Mal_Infostealer_RisePro_v1_6
{
    strings:
        $s0 = {3231F531F52DF52DF5CBCBA57DFD7DCBCBCB363231312E312DF5F52DF5CB09AF08D4080908090909F5CBCBCB59FD7DCBCBCB}
        $s1 = {565AEAEAEAEA565AEAEAEAB2BEAEAEA56445AEAEAEA56445AEAEAEB2BA}
        // The published $s2 ended on a lone nibble ("...FEFFA"); the incomplete byte is dropped.
        $s2 = {4321FFD9F4FFFFE1733AFFCF6630FFB75A2BFF9D4E27FF8A4321FF7FD1FDFF507791DA000000007496A9B081D1FDFF95D9FEFF}
        $s3 = {5642FF6C533EFF6A503BFF684D39FF664B36FF654934FF634833FF64C6FDFFC4AEA1FFFBF1EBFFE5CFC4FFE4CEC1FFE3CBBFFFE3CABCFF}
        $s4 = {537465616C6572436C69656E742E657865}   // "StealerClient.exe"

    condition:
        // Must be MZ file
        uint16(0) == 0x5A4D and
        // Resource in Russian (LANGID 0x0419)
        for any i in (0 .. pe.number_of_resources - 1) : (pe.resources[i].language == 0x0419) and
        // Must contain exact number of resources (the count is not preserved in the published rule)
        // Section Permissions (the check is not preserved in the published rule)
        // Must have all strings
        all of ($s*)
}
```
Source: https://blogs.blackberry.com/en/2024/06/threat-analysis-insight-risepro-information-stealer