Researchers Discover GitHub Repositories Spreading RisePro Info Stealer
Cybersecurity researchers have discovered several GitHub repositories offering cracked software that in fact distribute an information stealer known as RisePro.
According to G DATA, the GitHub campaign consists of 17 repositories linked to 11 distinct accounts. The Microsoft-owned company has since taken the repositories down.
The German cybersecurity company said, "The repositories look similar, featuring a README.md file with the promise of free cracked software."
"On Github, circles in green
and red are frequently used to indicate the state of automated builds. Four
green Unicode circles that appear to show a status along with the current date
and convey a sense of legitimacy and recentness were added by Github threat
actors to their README.md document."
All of the repositories point to the same download link ("digitalxnetwork[.]com"), which hosts a RAR archive. Listed as GitHub account/repository, they are:
- Andreastanaj/AVAST
- Andreastanaj/Sound Enhancer
- aymenkort1990/fabfilter
- BenWebsite/IObit-Smart-Defrag-Crack
- Faharnaqvi/CrackVueScan
- javisolis123/Voicemod
- lolusuary/AOMEI-Backupper
- lolusuary/daemon-Tools
- lolusuary/EaseUS-Partition-Master
- lolusuary/SOOTHE-2
- rik0v/ManyCam
- mostofakamaljoy/ccleaner
- Vaibhavshiledar/droidkit
- Vaibhavshiledar/TOON-BOOM-HARMONY
- Roccinhu/Tenorshare-Reiboot
- Roccinhu/Tenorshare-iCareFone
- True-Oblivion/AOMEI-Partition-Assistant
The RAR archive is password-protected; the password is given in the repository's README.md file. Inside is an installer that unpacks the next-stage payload: an executable that has been inflated to 699 MB in an attempt to crash analysis tools such as IDA Pro.
Only 3.43 MB of the file is real content. That portion serves as a loader that injects RisePro (version 1.6) into AppLaunch.exe or RegAsm.exe.
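Inflating a binary with filler bytes is a cheap evasion against analysts and sandboxes with file-size limits. As an added example (not code from G DATA or from the article), the following Python script triages a file for that kind of padding using two generic signals: the length of the run of identical bytes at the end of the file, and the fraction of fixed-size chunks whose entropy is near zero. The sample data is constructed in `make_samples()`: a 3 KB pseudo-random "payload" padded with 699 KB of zero bytes, a 1/1000-scale imitation of the 3.43 MB-inside-699 MB ratio described above. The chunk size and thresholds are assumptions to tune per environment.

```python
import math
import random
from collections import Counter

CHUNK_SIZE = 4096          # window for the per-chunk entropy check (assumed value)
LOW_ENTROPY_BITS = 1.0     # bits per byte; a chunk of one repeated byte scores 0
SUSPICIOUS_FRACTION = 0.5  # flag when more than half the file looks like filler


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of a byte string in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    total = len(data)
    return -sum((n / total) * math.log2(n / total) for n in Counter(data).values())


def trailing_filler_length(data: bytes) -> int:
    """Length of the run of identical bytes at the end of the file.

    Padding appended after the real payload, the usual way to inflate a
    binary, shows up as one long run of a single byte value.
    """
    if not data:
        return 0
    # rstrip with a one-byte argument removes exactly the trailing run of that byte
    return len(data) - len(data.rstrip(data[-1:]))


def bloat_report(data: bytes) -> dict:
    """Heuristic verdict on whether a binary has been artificially inflated."""
    size = len(data)
    trailing = trailing_filler_length(data)
    offsets = range(0, size, CHUNK_SIZE)
    low_entropy_chunks = sum(
        1 for off in offsets
        if shannon_entropy(data[off:off + CHUNK_SIZE]) < LOW_ENTROPY_BITS
    )
    low_fraction = low_entropy_chunks / max(1, len(offsets))
    trailing_fraction = trailing / size if size else 0.0
    return {
        "size": size,
        "trailing_filler": trailing,
        "effective_size": size - trailing,   # what is left once the padding is cut
        "low_entropy_fraction": low_fraction,
        "suspicious": trailing_fraction > SUSPICIOUS_FRACTION
        or low_fraction > SUSPICIOUS_FRACTION,
    }


def make_samples() -> tuple:
    """Constructed test data, not real malware: a 3 KB pseudo-random payload and
    the same payload padded with 699 KB of zeros (scaled-down imitation of the
    3.43 MB of real content inside the 699 MB file)."""
    rng = random.Random(1)
    payload = bytes(rng.getrandbits(8) for _ in range(3 * 1024))
    bloated = payload + b"\x00" * (699 * 1024)
    return payload, bloated


if __name__ == "__main__":
    clean, bloated = make_samples()
    for name, blob in (("clean", clean), ("bloated", bloated)):
        print(name, bloat_report(blob))
```

On a real sample you would read the file in binary mode and pass the bytes to `bloat_report`; the `effective_size` value tells you roughly how much of the file is worth loading into a disassembler. Padding that uses a repeating multi-byte pattern rather than a single byte defeats the trailing-run check but is still caught by the per-chunk entropy check.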
RisePro first drew significant attention in late 2022, when it was distributed through the pay-per-install (PPI) malware downloader service PrivateLoader. Written in C++, it is designed to harvest sensitive data from compromised hosts and exfiltrate it to two Telegram channels, a collection method threat actors use frequently. Notably, recent research from Checkmarx showed that it is feasible to take over an attacker's Telegram bot and redirect its messages to a different Telegram account.
The disclosure coincides with Splunk's analysis of Snake Keylogger, a stealer that "employs a multifaceted approach to data exfiltration," which outlines the tactics and techniques the malware uses.
"The use of FTP facilitates
the secure transfer of files, while SMTP enables the sending of emails
containing sensitive information," added Splunk. "Additionally,
integration with Telegram offers a real-time communication platform, allowing
for immediate transmission of stolen data."
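Both RisePro and Snake Keylogger report stolen data to Telegram, and a stealer that does so has to embed its bot token in every request it makes to the Bot API (URLs of the form `https://api.telegram.org/bot<id>:<secret>/<method>`). That makes outbound Bot API traffic from an unexpected process a useful detection. The following Python script is an added example, not code from the article, G DATA, Splunk or Checkmarx: it scans proxy-style log lines for Bot API calls, extracts the bot ID and method, and raises the severity when the calling process is one of the .NET utilities named above as RisePro's injection targets (AppLaunch.exe, RegAsm.exe). The log format in `SAMPLE_LOG` is constructed for the example, and every token in it is fake.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Telegram Bot API URL shape: api.telegram.org/bot<numeric id>:<secret>/<method>
BOT_API_RE = re.compile(
    r"api\.telegram\.org/bot(?P<bot_id>\d+):(?P<secret>[A-Za-z0-9_-]{20,})/(?P<method>[A-Za-z]+)"
)

# Methods that push content out; getMe/getUpdates are a weaker signal on their own.
EXFIL_METHODS = {"sendMessage", "sendDocument", "sendPhoto", "sendMediaGroup"}

# Processes the article names as RisePro injection targets; a Telegram Bot API
# call from one of these has no legitimate explanation on a workstation.
INJECTION_HOSTS = {"applaunch.exe", "regasm.exe"}

# Constructed log format (assumption, not a real product's format):
#   <timestamp> <host> <process> <dest_host> <verb> <url>
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) (?P<process>\S+) (?P<dest>\S+) (?P<verb>\S+) (?P<url>\S+)$"
)

# Constructed sample lines; the bot tokens are fake and only illustrate the shape.
SAMPLE_LOG = """\
2024-03-12T09:14:02Z ws-17 chrome.exe www.example.com GET https://www.example.com/index.html
2024-03-12T09:14:05Z ws-17 RegAsm.exe api.telegram.org POST https://api.telegram.org/bot1234567890:AAHfakeTokenForIllustration_0123456789/sendDocument
2024-03-12T09:14:06Z ws-17 RegAsm.exe api.telegram.org GET https://api.telegram.org/bot1234567890:AAHfakeTokenForIllustration_0123456789/getMe
2024-03-12T09:15:11Z ws-03 python.exe api.telegram.org POST https://api.telegram.org/bot99887766:AAGanotherFakeToken_abcdefghijklmnop/sendMessage
2024-03-12T09:16:00Z ws-17 outlook.exe smtp.example.com CONNECT smtp.example.com:587
"""


@dataclass
class Finding:
    ts: str
    host: str
    process: str
    bot_id: str
    method: str
    severity: str


def analyse_line(line: str) -> Optional[Finding]:
    """Return a Finding for a line that contains a Telegram Bot API call, else None."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    hit = BOT_API_RE.search(m["url"])
    if not hit:
        return None
    process = m["process"].lower()
    method = hit["method"]
    if method in EXFIL_METHODS and process in INJECTION_HOSTS:
        severity = "high"      # exfil-capable method from a known injection host
    elif method in EXFIL_METHODS:
        severity = "medium"    # exfil-capable method from any other process
    else:
        severity = "low"       # bot reachability check, worth correlating
    # The secret half of the token is deliberately not copied into the finding,
    # so alert storage does not become a second place the token is exposed.
    return Finding(m["ts"], m["host"], m["process"], hit["bot_id"], method, severity)


def scan(lines: Iterable[str]) -> List[Finding]:
    """Run analyse_line over every log line and keep the hits."""
    return [f for f in (analyse_line(line) for line in lines) if f is not None]


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG.splitlines()):
        print(finding)
```

In practice the same rule is usually expressed as a query in the SIEM over proxy or DNS logs; the point of the script is the shape of the indicator (the `bot<id>:<secret>` path element) and the process-based severity, which is what separates a stealer check-in from a developer's own Telegram script.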
Stealer malware has grown in popularity and frequently serves as a primary vector for ransomware and other serious data breaches. RedLine, Vidar, and Raccoon are the most prevalent password stealers, according to a Specops analysis released this week; RedLine alone is responsible for the theft of over 170.3 million credentials in the previous six months.
In January 2024, Flashpoint wrote, "The current rise of information-stealing malware is a stark reminder of constantly evolving digital threats. While the motivations behind its use are almost always rooted in financial gain, stealers are continually adapting while being more accessible and easier to use."