“RisePro” Stealer and Pay-Per-Install Malware “PrivateLoader”
RisePro’s presence on Russian Market, and the appearance of the stealer as a payload for a pay-per-install service, may indicate its growing popularity—and viability—within the threat actor community.
- “RisePro” is a stealer malware that began appearing as a stealer source for log credentials on the illicit log shop Russian Market on December 13, 2022.
- RisePro’s presence on Russian Market may indicate its growing popularity within the threat actor community.
- Samples that Flashpoint analysts identified indicate that RisePro may have been dropped or downloaded by the pay-per-install malware downloader service “PrivateLoader” in the past year.
- The appearance of the stealer as a payload for a pay-per-install service may indicate a threat actor’s confidence in the stealer’s abilities.
- RisePro appears to be a clone of the stealer malware “Vidar.”
RisePro logs on Russian Market
“RisePro” is a newly identified stealer written in C++ that appears to possess similar functionality to the stealer malware “Vidar.” RisePro targets potentially sensitive information on infected machines and attempts to exfiltrate it in the form of logs.
Flashpoint first identified RisePro on December 13, 2022 after analysts identified several sets of logs uploaded to the illicit underground market Russian Market, which listed their source as “risepro.”
Russian Market is a log shop similar to other log markets, such as Genesis, in which threat actors can upload and sell logs collected from stealers. At the time of writing, Russian Market has featured over 2,000 logs allegedly sourced from RisePro.
We have identified malicious samples that appear to be related to RisePro based on identifying strings in the samples. During investigations of open source intelligence, such as open source sandbox analyses from other security researchers, our analysts identified several samples of RisePro that were dropped or downloaded by the pay-per-install malware downloader service “PrivateLoader.”
PrivateLoader allows threat actors to buy the ability to have it download malicious payloads onto infected systems. Pay-per-install services are not a novel business model for threat actors operating botnets. Flashpoint analysts have observed advertisements of these types of services in the past on forums and within Telegram, which is commonly used by these stealers for customer support.
Vidar and RisePro stealers
RisePro appears to be written in C++. When reviewing the functionality of this stealer, analysts recorded similarities between RisePro and other stealer malware families. Most notably, RisePro’s uses dropped dynamic link library (DLL) dependencies that are known to be used by the stealer Vidar.
This would not be the first time analysts observed a clone of Vidar being passed off as another malicious service. Vidar was originally a fork of a stealer called “Arkei” and was fully cracked and analyzed by researchers in 2018.
At the time of writing, Russian Market has featured over 2,000 logs allegedly sourced from RisePro.
Arkei originally did not have DLL dependencies—these files were first introduced in the Vidar iteration of the stealer. Since then, notable clones of Vidar include the “Oski” and “Mars” stealers. Analysts assess this proliferation of clones is likely due to the malware being cracked.
Analysts assess that RisePro is very likely a clone of Vidar stealer.
Indicators of compromise (IOCs)
Here are the identified hash samples of RisePro:
Command and control (C2) domains
RisePro command and control URI structure
Protect your data and assets with Flashpoint
Flashpoint’s suite of actionable intelligence solutions enables organizations to proactively identify and mitigate cyber and physical threats and protect people, places, and assets. To unlock the power of great threat intelligence, get started with a free Flashpoint trial.