Description
The PrivateLoader pay-per-install (PPI) malware distribution service is distributing new information-stealing malware known as “RisePro” through phony cracking websites.
Summary
RisePro is designed to give attackers unauthorized access to cryptocurrency wallets, credit cards, and passwords stored on an infected device. Threat actors have already begun selling thousands of RisePro logs (packages of data taken from infected devices) on Russian dark web markets.
PrivateLoader and RisePro were found to share a great deal of code, which suggests that the malware distribution platform is now disseminating its own information stealer, either for its own use or as a service.
RisePro is written in C++ and uses the same system of embedded DLL (Dynamic Link Library) dependencies as the Vidar password-stealing malware. In some samples the DLLs are embedded in the malware itself; in others they are retrieved from the C2 server via POST requests.
The information stealer first inspects the compromised system's registry keys to fingerprint it, then writes the stolen information to a text file, captures a screenshot, packages everything in a ZIP archive, and uploads the archive to the attacker's server.
Remediation
The best way to remove the RisePro stealer is with a reliable anti-malware tool. After a thorough scan, the tool will identify and eliminate any malicious files linked to the malware. Reboot the system once the scan is complete to ensure that any remaining harmful files are removed. Finally, run a deep scan to confirm that all malicious files have been deleted.
The Guyana National CIRT recommends that users and administrators review this alert and apply it where necessary.
PDF Download: Information-stealing malware targets software thieves.pdf
References
Team, T. &. D. R. (2022, December 23). New RisePro Stealer distributed by the prominent PrivateLoader. Retrieved from SEKOIA.IO Blog.
https://blog.sekoia.io/new-risepro-stealer-distributed-by-the-prominent-privateloader/
Toulas, B. (2022, December 23). New info-stealer malware infects software pirates via fake cracks sites. Retrieved from BleepingComputer.
https://www.bleepingcomputer.com/news/security/new-info-stealer-malware-infects-software-pirates-via-fake-cracks-sites/