
"Hackers Exploit Cracked Software on GitHub to Distribute RisePro Info Stealer"

Researchers Discover GitHub Repositories Spreading RisePro Info Stealer


Cybersecurity researchers have discovered several GitHub repositories offering cracked software that in fact distribute an information stealer known as RisePro.

According to G DATA, the GitHub campaign consists of 17 repositories linked to 11 distinct accounts. The Microsoft-owned company has since taken the repositories down.

The German cybersecurity company stated, "The repositories look similar, featuring a README.md file with the promise of free cracked software."

"On Github, circles in green and red are frequently used to indicate the state of automated builds. Four green Unicode circles that appear to show a status along with the current date, and that convey a sense of legitimacy and recency, were added by the GitHub threat actors to their README.md document."

The repositories listed below (owner/repository) all point to the same download link ("digitalxnetwork[.]com"), which hosts a RAR archive file:

- Andreastanaj/AVAST
- Andreastanaj/Sound-Enhancer
- aymenkort1990/fabfilter
- BenWebsite/IObit-Smart-Defrag-Crack
- Faharnaqvi/CrackVueScan
- javisolis123/Voicemod
- lolusuary/AOMEI-Backupper
- lolusuary/Daemon-Tools
- lolusuary/EaseUS-Partition-Master
- lolusuary/SOOTHE-2
- mostofakamaljoy/ccleaner
- rik0v/ManyCam
- Roccinhu/Tenorshare-Reiboot
- Roccinhu/Tenorshare-iCareFone
- True-Oblivion/AOMEI-Partition-Assistant
- Vaibhavshiledar/droidkit
- Vaibhavshiledar/TOON-BOOM-HARMONY

The RAR archive is password-protected, with the password published in the repository's README.md. Inside is an installer that unpacks the next-stage payload: an executable inflated to 699 MB in an attempt to crash or stall analysis tools such as IDA Pro.

The file's actual content amounts to only 3.43 MB and serves as a loader that injects RisePro (version 1.6) into AppLaunch.exe or RegAsm.exe.
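As an added example (not from the article or from G DATA's analysis), the following Python heuristic shows how a defender can triage binaries inflated in this way: it measures the trailing run of a single repeated byte, the cheapest way to pad a small loader to hundreds of megabytes, and flags files whose bulk is filler. The size and ratio thresholds and the sample bytes are constructed for the demo, not taken from the campaign.

```python
"""Heuristic triage for padded ('bloated') executables (added example)."""
from __future__ import annotations

from dataclasses import dataclass

# Thresholds are assumptions chosen for this example, not values from the article.
MIN_SUSPECT_SIZE = 100 * 1024 * 1024   # only look at files of 100 MB or more
MIN_PADDING_RATIO = 0.90               # flag when >= 90 % of the file is filler


@dataclass
class PaddingReport:
    total_size: int
    content_size: int      # bytes preceding the trailing filler run
    padding_size: int      # length of the trailing run of one repeated byte
    pad_byte: int | None   # value of the repeated byte, None if there is no run

    @property
    def padding_ratio(self) -> float:
        return self.padding_size / self.total_size if self.total_size else 0.0


def analyze_trailing_padding(data: bytes, chunk: int = 1 << 20) -> PaddingReport:
    """Walk backwards from EOF and measure how long the last byte repeats."""
    n = len(data)
    if n == 0:
        return PaddingReport(0, 0, 0, None)
    pad = data[-1]
    end = n
    while end > 0:
        start = max(0, end - chunk)
        block = data[start:end]
        # Whole-chunk comparison is far cheaper than a per-byte Python loop.
        if block == bytes([pad]) * len(block):
            end = start
            continue
        # The run ends inside this chunk: locate the last differing byte.
        for i in range(len(block) - 1, -1, -1):
            if block[i] != pad:
                end = start + i + 1
                break
        break
    padding = n - end
    return PaddingReport(n, end, padding, pad if padding else None)


def is_bloated(data: bytes, min_size: int = MIN_SUSPECT_SIZE,
               min_ratio: float = MIN_PADDING_RATIO) -> bool:
    """True when a large file consists mostly of one repeated trailing byte."""
    report = analyze_trailing_padding(data)
    return report.total_size >= min_size and report.padding_ratio >= min_ratio
```

A sandbox or mail gateway can apply this before deciding whether a sample is worth full detonation; a file that trips it is not proven malicious, but it is a strong signal that the author wanted analysis tools to choke on it.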

RisePro first drew significant attention in late 2022, when it was distributed through the pay-per-install (PPI) malware downloader service PrivateLoader. Written in C++, it is designed to harvest sensitive data from compromised machines and exfiltrate it to two Telegram channels, a channel threat actors frequently use to retrieve victim data. Interestingly, recent research from Checkmarx showed that it is feasible to hijack an attacker's bot and redirect its messages to a different Telegram account.

The disclosure coincides with Splunk's analysis of Snake Keylogger, which describes the stealer malware as one that "employs a multifaceted approach to data exfiltration" and outlines the tactics and techniques it uses.

 "The use of FTP facilitates the secure transfer of files, while SMTP enables the sending of emails containing sensitive information," added Splunk. "Additionally, integration with Telegram offers a real-time communication platform, allowing for immediate transmission of stolen data."

Stealer malware has grown in popularity and frequently serves as the initial vector for ransomware and other serious data breaches. According to a Specops analysis released this week, the most prevalent password stealers are RedLine, Vidar, and Raccoon; RedLine alone is responsible for the theft of over 170.3 million credentials in the previous six months.

 In January 2024, Flashpoint wrote, "The current rise of information-stealing malware is a stark reminder of constantly evolving digital threats." "While the motivations behind its use are almost always rooted in financial gain, stealers are continually adapting while being more accessible and easier to use."

