Researchers at Flashpoint and Sekoia have discovered a new malware named RisePro, which can steal various kinds of information from a compromised system.
It is spread through PrivateLoader, a pay-per-install malware distribution platform, to which the researchers have linked RisePro. They also noted that the threat actors have already started selling thousands of RisePro logs on Russian forums.
RisePro Data Stealer Analysis
PrivateLoader is a malware distribution platform that spreads threat actors’ malware on a pay-per-install basis. Its network comprises websites serving fake, cracked software and pirated content.
The platform is being used to spread RisePro, which the researchers noted can steal victims’ credit card details, passwords, and crypto-wallets from infected devices. Though previously undocumented, Sekoia researchers have linked RisePro to PrivateLoader based on extensive code similarities.
While the investigation continues, one hypothesis is that the PrivateLoader makers also developed RisePro, or that RisePro is a direct evolution of PrivateLoader.
In any case, the researchers noted that the RisePro actors are already selling thousands of RisePro logs (bundles of data stolen from infected devices) on Russian dark web markets.
Written in C++, RisePro is available for purchase via Telegram, where buyers can also interact with the developer and with the infected hosts. RisePro fetches its components from the C2 server via POST requests, and it is based on the Vidar password-stealing malware, as it uses the same system of embedded DLL dependencies, according to Flashpoint researchers.
It begins by scanning the registry keys of the compromised system, writes the stolen data to a text file, takes a screenshot, bundles everything into a ZIP archive, and sends it to the attacker’s server. It is also reported to scan filesystem folders for specific data, such as receipts containing credit card information.
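As an added defender-side example (not code from the Flashpoint or Sekoia reports), the staging chain described above can be turned into a simple correlation rule over per-process endpoint telemetry: flag a process only when a text file, a screenshot and a ZIP archive were all produced before it issues an HTTP POST. The event schema, the "screenshot" event kind and the sample events are constructed for illustration.

```python
# Added example: correlate the staging chain described for RisePro (text file
# -> screenshot -> ZIP -> POST to C2) over per-process endpoint telemetry.
# Event schema and sample events are constructed, not from a real EDR product.
from collections import defaultdict
from dataclasses import dataclass

@dataclass
class Event:
    pid: int
    kind: str    # hypothetical kinds: "file_write", "screenshot", "http_post"
    target: str  # path written, or URL of the outbound POST

def classify(ev):
    """Map a raw event onto one stage of the chain, or None if irrelevant."""
    if ev.kind == "file_write":
        name = ev.target.lower()
        return ("staged_text" if name.endswith(".txt") else
                "staged_zip" if name.endswith(".zip") else None)
    if ev.kind in ("screenshot", "http_post"):
        return ev.kind
    return None

def find_exfil_chains(events):
    """Return pids that staged text + screenshot + zip before an HTTP POST."""
    seen = defaultdict(set)
    flagged = []
    for ev in events:
        stage = classify(ev)
        if stage is None:
            continue
        if stage != "http_post":
            seen[ev.pid].add(stage)
        # Flag only when the full staging chain preceded the upload, once per pid.
        elif ({"staged_text", "screenshot", "staged_zip"} <= seen[ev.pid]
              and ev.pid not in flagged):
            flagged.append(ev.pid)
    return flagged

# Constructed sample: pid 4242 shows the full chain; pid 1000 is a benign
# process that writes a text file and POSTs without any archive or screenshot.
SAMPLE_EVENTS = [
    Event(1000, "file_write", r"C:\Users\alice\notes.txt"),
    Event(1000, "http_post", "https://example.invalid/api"),
    Event(4242, "file_write", r"C:\Users\alice\AppData\Local\Temp\info.txt"),
    Event(4242, "screenshot", "screen.jpg"),
    Event(4242, "file_write", r"C:\Users\alice\AppData\Local\Temp\out.zip"),
    Event(4242, "http_post", "http://c2.invalid/upload"),
]
```

Real telemetry would need its file, screen-capture and network events mapped onto these fields, and the rule is a heuristic: a benign backup tool that zips notes and screenshots before uploading them would also match.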