Hackers drop RisePro info stealers through GitHub repositories

Multiple GitHub repositories posing as sources of cracked software were found attempting to drop the RisePro info-stealer onto victim systems.

The campaign delivers a new variant of the RisePro info-stealing malware that crashes malware analysis tools such as IDA and Resource Hacker when they load the sample.

G Data CyberDefense, the German cybersecurity company that made the discovery, reported that it had found at least 13 such repositories belonging to a RisePro stealer campaign that was named Gitgub by the threat actors. The repositories are all similar and include a README.md file promising free cracked software.

Bloated installer for evasion

To complicate reverse engineering, the campaign used an installer bloated to 699 MB. The bloat was produced by repeating a block of data inside the original installer, not by appending zero bytes, which is what makes the padding less obvious at first glance.

“The visualization of the sample by PortexAnalyzer shows that the bloat is non-trivial. While many bloated files feature appended zero bytes, this file has high entropy and no overlay,” G Data wrote in a report on the campaign. “Knowing that the self-extracting archive from which we unpacked the sample compressed this file to 70 MB, we suspected a repeating pattern.”

The bloated data resided in a raw data resource named MICROSOFTVISUALSTUDIODEBUGGERI; removing that resource with CFF Explorer brought the file back down to its original 3.43 MB.
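The reasoning G Data applied (high entropy, no overlay, yet a roughly 10:1 compression ratio implies a repeating pattern) can be turned into an automated triage check. The Python below is an added example and not code from the G Data report; it builds three constructed blobs (a random 4 KiB block, the same block repeated 64 times, and the block followed by zero padding), classifies each by entropy and zlib compression ratio, and, for the repeating case, recovers the period with the KMP failure function so the blob can be collapsed to a single copy. The 7.0-bit and 0.5 thresholds are working assumptions, not values from the report.

```python
import math
import random
import zlib


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: ~8.0 for random or encrypted data, ~0 for zero padding."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def compression_ratio(data: bytes) -> float:
    """Compressed size / raw size. Near 1.0 means genuinely incompressible content."""
    return len(zlib.compress(data, 6)) / len(data)


def smallest_period(data: bytes) -> int:
    """Shortest p with data[i] == data[i + p] for all i (KMP failure function).
    Returns len(data) when there is no repetition at all."""
    n = len(data)
    fail = [0] * n
    k = 0
    for i in range(1, n):
        while k and data[i] != data[k]:
            k = fail[k - 1]
        if data[i] == data[k]:
            k += 1
        fail[i] = k
    return n - fail[-1] if n else 0


def classify_bloat(data: bytes) -> str:
    """Thresholds (0.9 ratio, 7.0 bits, 0.5 ratio) are assumptions; tune per corpus."""
    if compression_ratio(data) > 0.9:
        return "incompressible"               # real packed or encrypted payload
    if shannon_entropy(data) < 7.0:
        return "low-entropy padding"          # e.g. appended zero bytes
    return "repeating high-entropy block"     # the pattern G Data describes


def debloat(data: bytes) -> bytes:
    """Keep one copy of the repeating unit when the blob is a pure repetition."""
    if classify_bloat(data) != "repeating high-entropy block":
        return data
    return data[: smallest_period(data)]


# Constructed test blobs (not data from the real sample).
_rng = random.Random(1)
BLOCK = bytes(_rng.getrandbits(8) for _ in range(4096))
REPEATED = BLOCK * 64
ZERO_PADDED = BLOCK + b"\x00" * (64 * 4096)

if __name__ == "__main__":
    for name, blob in (("block", BLOCK), ("repeated", REPEATED), ("zero-padded", ZERO_PADDED)):
        print(f"{name:12s} entropy={shannon_entropy(blob):.2f} "
              f"ratio={compression_ratio(blob):.3f} -> {classify_bloat(blob)}")
    print("debloated size:", len(debloat(REPEATED)))
```

On a real PE the check is more useful per section and per resource (for example iterating resources with the `pefile` module) than over the whole file, since a small repeated resource inside a large legitimate file would be diluted in a whole-file ratio. The same per-resource view is what makes the 699 MB to 70 MB compression figure in the report stand out.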

Upon execution, the installer contacts an external command-and-control server and then injects the malware payload into either AppLaunch.exe or RegAsm.exe, two legitimate .NET Framework executables that the payload hides behind.
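One detection angle on this step, as an added example that is not from the G Data report: on a typical workstation AppLaunch.exe and RegAsm.exe are neither a source of outbound connections nor a target of remote-thread injection, so either event is worth an alert. The script below runs over constructed, simplified Sysmon-style event lines (the field names follow Sysmon's EventID 3 network-connection and EventID 8 CreateRemoteThread schemas; the paths, user names and addresses are invented) and flags both patterns.

```python
import ipaddress
import re

# The two legitimate .NET Framework hosts the installer injects into.
INJECTION_TARGETS = {"applaunch.exe", "regasm.exe"}

# Ranges treated as internal; anything else counts as external egress.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

# Constructed, simplified Sysmon-style events (EventID 3 = network connection,
# EventID 8 = CreateRemoteThread). Paths, hosts and addresses are invented.
SAMPLE_EVENTS = [
    r"EventID=1 Image=C:\Users\alice\Downloads\Setup.exe ParentImage=C:\Windows\explorer.exe",
    r"EventID=8 SourceImage=C:\Users\alice\Downloads\Setup.exe "
    r"TargetImage=C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe",
    r"EventID=3 Image=C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe "
    r"DestinationIp=203.0.113.10 DestinationPort=443",
    r"EventID=3 Image=C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe "
    r"DestinationIp=10.0.0.5 DestinationPort=445",
    r"EventID=3 Image=C:\Program Files\Mozilla Firefox\firefox.exe "
    r"DestinationIp=203.0.113.10 DestinationPort=443",
]

# Key=Value pairs; a value runs until the next " Key=" so paths with spaces survive.
_FIELD = re.compile(r"(\w+)=(.*?)(?= \w+=|$)")


def parse_event(line: str) -> dict:
    return dict(_FIELD.findall(line))


def image_name(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def detect(lines):
    """Return (rule, detail) tuples for events consistent with the injection step."""
    alerts = []
    for line in lines:
        ev = parse_event(line)
        eid = ev.get("EventID")
        if eid == "8" and image_name(ev.get("TargetImage", "")) in INJECTION_TARGETS:
            alerts.append(("remote_thread_into_dotnet_host", ev["SourceImage"]))
        elif eid == "3" and image_name(ev.get("Image", "")) in INJECTION_TARGETS:
            if not is_internal(ev["DestinationIp"]):
                alerts.append(("dotnet_host_external_egress", ev["DestinationIp"]))
    return alerts


if __name__ == "__main__":
    for rule, detail in detect(SAMPLE_EVENTS):
        print(rule, detail)
```

The RegAsm.exe connection to 10.0.0.5 is deliberately left unflagged to keep the rule narrow; in practice you would also baseline the expected parents of these binaries (installer and build tooling) and watch Sysmon EventID 10 (ProcessAccess), since injection that does not go through CreateRemoteThread will not produce an EventID 8.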

RisePro Stealer version 1.6

The injected payload was identified by G Data to be RisePro Stealer version 1.6.

“We assume that this is the latest version of RisePro, as within the malware authors’ publicly accessible Telegram channel, the most recent server updates are referred to as version 1.6,” G Data said.

Once running, the malware exfiltrates data to two Telegram channels, according to the blog post. Both channels currently contain more than 700 messages with zip archives of stolen data.

G Data suspects that the combination of Telegram channel names and the IP addresses of the control servers indicates a Russia-based operation.

“The malware collects a variety of valuable information,” G Data said. “All unique passwords are stored in a file named ‘brute.txt’. In the file ‘password.txt’ we discovered a big RisePro banner and the link to the public Telegram channel.”

RisePro has been fairly active in recent months, having recently adopted a reverse-engineered proof of concept for a Google OAuth bug and used it for initial infection. G Data has published a list of indicators of compromise (IOCs) for potential victims.
