Threat Advisory

RisePro: A New Stealer Emerges with Shades of Vidar and Redline

Threat: Malware
Criticality: High

Summary:

RisePro reappeared in July 2023, when it was put up for sale on a mid-tier forum. The vendor stated in their advertisements that they had combined the best features of "Redline" and "Vidar" to create a formidable stealer. This time, the vendor also offers a new benefit for RisePro users: clients host their own panels, which is meant to guarantee that logs are not taken by the sellers. Although the RisePro vendor claims that customers host the panels themselves, researchers discovered that the panel must still communicate with the seller's infrastructure to create builds and refresh subscription access. This implies that the developers may still be able to steal or scrape logs from client systems.

RisePro currently offers several subscription options for access to its builder, with prices varying according to the length of access to the stealer. In a fresh sample obtained by researchers, RisePro appears to have been updated or modified to more closely mimic "PrivateLoader," the pay-per-install malware downloader service that previously dropped RisePro. RisePro also has a public Telegram channel for news and updates, as well as an invitation-only chat for customers, which carries customer feedback and free panel update downloads.

RisePro is a recently discovered stealer developed in C++ that appears to be functionally comparable to the stealer malware "Vidar." RisePro attempts to exfiltrate potentially sensitive information from compromised workstations in the form of logs. Russian Market is a log shop, similar to other log marketplaces such as Genesis, where threat actors may post and sell stealer logs. At the time of publication, Russian Market listed over 2,000 logs supposedly acquired from RisePro. Based on strings identified in the samples, malicious samples that appear to be associated with RisePro have been detected. Researchers discovered multiple RisePro copies that were dropped or downloaded through the pay-per-install malware downloading service "PrivateLoader."

Threat actors can pay to have PrivateLoader distribute malicious payloads onto affected devices. Pay-per-install services are not a new business model for botnet operators. Researchers have seen advertisements for similar services in the past on forums and within Telegram, which these operators frequently use for customer support. RisePro appears to have been written in C++. While studying how this stealer works, analysts discovered similarities between RisePro and other stealer malware families. In particular, RisePro uses dropped dynamic link library (DLL) dependencies known to be used by the stealer Vidar. This is not the first time experts have discovered a Vidar clone masquerading as another malicious service: Vidar was itself created as a fork of the stealer "Arkei" and has been fully cracked and examined by researchers.

Threat Profile:

References:

The following reports contain further technical details:

https://flashpoint.io/blog/risepro-stealer-and-pay-per-install-malware-privateloader/
