Dec 26, 2022Ravie Lakshmanan
The pay-per-install (PPI) malware downloader service known as
PrivateLoader is being used to distribute a previously
documented information-stealing malware dubbed
RisePro.
Flashpoint spotted the newly identified stealer on December 13,
2022, after it discovered “several sets of logs” exfiltrated using
the malware on an illicit cybercrime marketplace called Russian
Market.
A C++-based malware, RisePro is said to share similarities with
another info-stealing malware referred to as Vidar stealer, itself
a fork of a stealer codenamed Arkei[1]
that emerged in 2018.
“The appearance of the stealer as a payload for a
pay-per-install service may indicate a threat actor’s confidence in
the stealer’s abilities,” the threat intelligence company noted[2]
in a write-up last week.
Cybersecurity firm SEKOIA, which released[3]
its own analysis of RisePro, further identified partial
source code overlaps with PrivateLoader. This encompasses the
string scrambling mechanism, HTTP method and port setup, and the
HTTP message obfuscation method.
PrivateLoader, as the name indicates, is a download service[4]
that enables its subscribers to deliver malicious payloads to
target hosts.
It has been used in the past to deliver Vidar Stealer, RedLine
Stealer, Amadey, DanaBot, and NetDooka[5], among others, while
masquerading as pirated software hosted on decoy sites or
compromised WordPress portals that appear prominently on search
results.
RisePro is no different from other stealers in that it’s capable
of stealing a wide range of data from as many as 36 web browsers,
including cookies, passwords, credit cards, crypto wallets, as well
as gathering files of interest and loading more payloads.
It’s offered for sale on Telegram, with the malware’s developer
also making available a Telegram channel that enables criminal
actors to interact with infected systems by providing a bot ID
created by the stealer and sent to a remote server post a
successful breach.
Also part of the malware’s infrastructure is an administration
panel hosted at a domain named my-rise[.]cc that allows access to
stolen data logs, but only after signing into an account with a
valid set of credentials.
It’s currently not clear if RisePro is authored by the same set
of threat actors behind PrivateLoader, and if it’s exclusively
bundled alongside the PPI service.
“PrivateLoader is still active and comes with a set of new
capabilities,” SEKOIA said. “Similarities between the stealer and
PrivateLoader cannot be ignored and provides additional insight
into the threat actor expansion.”
Found this article interesting? Follow us on Twitter [6]
and LinkedIn[7]
to read more exclusive content we post.
References
Read more https://thehackernews.com/2022/12/privateloader-ppi-service-found.html