
New malware hidden in pirated software can steal all your data

The malware-on-demand (PUP) download service known as PrivateLoader is currently believed to be distributing an information-stealing malware dubbed RisePro.

[Image: malware. Credit: toppercussion / 123RF]

Caution is advised when visiting crack sites (pirated software) and using the downloads available there. It is not uncommon for hackers to hide various malware among the files on offer. Instead of simply ending up with a free version of otherwise paid software, victims therefore also receive malware as a bonus.

A new infostealer named “RisePro” has appeared in recent weeks. It is a newly identified data stealer written in C++ that appears to possess functionality similar to that of the “Vidar” stealer. As a reminder, the latter is now hidden in files with the .CHM extension and collects data from a machine before sending it to a server.


This new malware is one of the worst of the moment

RisePro targets potentially sensitive information on infected machines and attempts to exfiltrate it in the form of logs. It is capable of stealing a wide range of data from 36 web browsers, including cookies, passwords, credit card details, and even cryptocurrency wallets.

It also seems to be widely used by hackers, since it is for sale on the Telegram messaging app. The malware developer even appears to provide a Telegram channel that allows criminal actors to interact with infected systems.

Flashpoint first identified RisePro on December 13, 2022, after analysts identified several sets of logs uploaded to the illicit Russian Market underground, which listed their source as “risepro”.

Cybersecurity firm SEKOIA, which published its own analysis of RisePro, also identified partial source code overlaps with PrivateLoader, a download service that allows its subscribers to deliver malicious payloads to target hosts. The overlaps encompass the string-scrambling mechanism, the HTTP method and port configuration, and the method used to obfuscate HTTP messages.
