The new RisePro infostealer is spreading through fake sites operated by the pay-per-install (PPI) service PrivateLoader. RisePro steals victims' credit card data, passwords and cryptocurrency wallets.
The malware was discovered by analysts at Flashpoint and Sekoia; both companies confirm that RisePro is a previously undocumented information stealer that is now being distributed through fake software cracks and key generators.
Flashpoint reports that attackers have already begun selling thousands of RisePro logs on Russian-language darknet markets. RisePro is currently available for purchase via Telegram, where buyers can also interact with the developer and with infected hosts.
RisePro is written in C++ and, according to Flashpoint, may be based on the Vidar password stealer, since it uses the same system of embedded DLL dependencies.
According to Sekoia, some RisePro samples embed these DLLs directly, while other samples retrieve them from the C&C server using HTTP POST requests.
The infostealer first surveys the compromised system, inspecting registry keys in detail, writes the stolen data to a text file, takes a screenshot, packs everything into a ZIP archive, and then sends the archive to the attacker's server.
RisePro attempts to steal a wide range of data from applications, browsers, cryptocurrency wallets and browser extensions: credentials, cryptocurrency, personal data and more. It can also scan file system folders for sensitive files such as credit card receipts.
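The exfiltration pattern described above (a ZIP bundle uploaded by HTTP POST to the attacker's server) is something a defender can look for in outbound web proxy telemetry. The following is an added example, not code from the article or from either vendor's report: a small triage script that reads constructed proxy log lines and flags ZIP uploads that originate from a process in a user-writable path or that go to a destination outside an allowlist. The log format, the field order, the trusted path prefixes and the size threshold are all assumptions chosen for the example; the hosts, IP addresses and file paths in the sample records are placeholders.

```python
"""Heuristic triage of outbound ZIP uploads that resemble infostealer exfiltration.

Assumptions (not taken from the article): proxy records are space-separated with
the fields timestamp, client, method, url, status, bytes_out, content_type,
process_path, where process_path is the last field and may contain spaces.
"""
import ipaddress
from dataclasses import dataclass, field
from urllib.parse import urlparse

# Constructed sample proxy records. Hosts (RFC 2606 / documentation ranges),
# users and paths are placeholders, not indicators from the article.
SAMPLE_LOGS = """\
2023-12-20T10:01:02Z 10.0.0.5 GET http://updates.example-vendor.test/manifest.json 200 120 application/json C:\\Program Files\\Vendor\\updater.exe
2023-12-20T10:01:40Z 10.0.0.5 POST http://203.0.113.10/upload 200 734211 application/zip C:\\Users\\alice\\AppData\\Local\\Temp\\keygen.exe
2023-12-20T10:02:05Z 10.0.0.7 POST https://files.example-corp.test/api/v1/share 201 1048576 application/zip C:\\Program Files\\Mozilla Firefox\\firefox.exe
2023-12-20T10:03:11Z 10.0.0.5 POST http://203.0.113.10/dll 200 312 application/x-www-form-urlencoded C:\\Users\\alice\\AppData\\Local\\Temp\\keygen.exe
"""

# Assumed policy: binaries under these prefixes are managed installs; anything
# else (Temp, Downloads, Desktop, ...) is a user-writable location.
TRUSTED_PROCESS_PREFIXES = ("c:\\program files", "c:\\windows")
ZIP_CONTENT_TYPES = {"application/zip", "application/x-zip-compressed"}
MIN_UPLOAD_BYTES = 64 * 1024  # smaller ZIP uploads are unlikely to be a full log bundle


@dataclass
class Finding:
    timestamp: str
    client: str
    host: str
    process: str
    bytes_out: int
    reasons: list = field(default_factory=list)


def parse_line(line):
    """Split one record into a dict, keeping spaces inside the trailing process path."""
    parts = line.split(" ", 7)
    if len(parts) != 8:
        return None
    ts, client, method, url, status, bytes_out, ctype, process = parts
    try:
        size = int(bytes_out)
    except ValueError:
        return None
    return {"timestamp": ts, "client": client, "method": method, "url": url,
            "status": status, "bytes_out": size, "content_type": ctype,
            "process": process}


def triage(log_text, allowlist=frozenset()):
    """Return Findings for POSTed ZIP payloads that look like stolen-data bundles."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["method"] != "POST":
            continue
        ctype = rec["content_type"].split(";")[0].strip().lower()
        if ctype not in ZIP_CONTENT_TYPES or rec["bytes_out"] < MIN_UPLOAD_BYTES:
            continue
        reasons = []
        host = urlparse(rec["url"]).hostname or ""
        if not rec["process"].lower().startswith(TRUSTED_PROCESS_PREFIXES):
            reasons.append("uploader runs from a user-writable path")
        if host not in allowlist:
            try:
                ipaddress.ip_address(host)
                reasons.append("destination is a bare IP literal")
            except ValueError:
                reasons.append("destination host is not allowlisted")
        if reasons:
            findings.append(Finding(rec["timestamp"], rec["client"], host,
                                    rec["process"], rec["bytes_out"], reasons))
    return findings


if __name__ == "__main__":
    # With the corporate file-sharing host allowlisted only the keygen upload remains.
    for f in triage(SAMPLE_LOGS, allowlist={"files.example-corp.test"}):
        print(f"{f.timestamp} {f.client} -> {f.host} ({f.bytes_out} bytes) "
              f"by {f.process}: {'; '.join(f.reasons)}")
```

The two signals are deliberately independent: the Firefox upload to the allowlisted corporate share produces no finding, while the same upload with an empty allowlist is reported only for the unknown destination, which is the kind of lower-confidence hit an analyst would tune out with a per-host allowlist rather than a process rule.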
Additionally, Sekoia found significant code similarities between PrivateLoader and RisePro, suggesting that PrivateLoader may now be distributing its own infostealer, either for its own use or as a service to other cybercriminals. The shared traits include the string obfuscation technique, the obfuscation of HTTP messages, and the HTTP and port configuration. The researchers suggest that RisePro and PrivateLoader were developed by the same people; however, based on the evidence collected so far, Sekoia has not been able to establish a definitive link between the two projects.
PrivateLoader is a pay-per-install malware distribution service whose payloads are disguised as software cracks, key generators and game modifications. It is a C++-based loader that downloads and deploys additional malicious payloads on infected Windows hosts, and it is distributed mainly through SEO-optimized websites offering cracked software.