RisePro has evolved from a commodity info-stealer into a variant with remote-control capabilities, adopting a new TCP-based C2 protocol and HVNC features. This article analyzes the updated RisePro network patterns, staged C2 workflow (initialization, configuration, stealer/loader, and optional HVNC), loader mechanics, data exfiltration, and the implications of its multi-stream, encrypted communication. #RisePro #HVNC #PrivateLoader #Vidar #Sekoia #Intel471 #AnyRUN
Keypoints
- RisePro is an information-stealing malware that now includes remote-control (HVNC) capabilities, enabling RAT-like functionality.
- The latest variant uses a custom TCP-based C2 protocol instead of the previous HTTP-based communication.
- Packets follow a three-block structure (magic, payload_len, packet_type), with numerous opcodes governing the actions taken.
- The C2 workflow is staged: Initialization, Getting configuration (marks_config, grab_config, loader_config), and Performing stealer/loader functions, with an optional HVNC stage.
- Loader configs enable features like proxy, HVNC, and data exfil via Telegram, with payloads downloaded from ld_url and executed (schtasks).
- Exfiltrated data is packaged into a ZIP archive and sent back to the operator, including information.txt and passwords.txt containing system and credential data.
- The malware includes extensive data collection (OS info, hardware, processes) and can inject into processes in its C++ variant.
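The three-block framing described above, as an added example that is not from the article or from the RisePro analysis itself: a stream framer of the kind an analyst writes to dissect a captured C2 stream into packets. The field widths (4-byte little-endian), field order, magic value and the sample stream are all assumptions constructed for illustration; only the field names come from the article.

```python
import struct
from dataclasses import dataclass
from typing import List, Tuple

# ASSUMPTIONS (not from the article): each header field is a 4-byte
# little-endian unsigned int, in the order magic, payload_len, packet_type.
# The magic value below is a constructed placeholder, not the real one.
HEADER = struct.Struct("<III")
MAGIC_PLACEHOLDER = 0x41424344
MAX_PAYLOAD = 16 * 1024 * 1024  # sanity cap: reject absurd lengths


@dataclass
class Packet:
    packet_type: int
    payload: bytes


def frame_stream(buf: bytes) -> Tuple[List[Packet], bytes]:
    """Split a reassembled TCP stream into (magic, payload_len, packet_type)
    framed packets. Returns the complete packets and the unconsumed tail,
    so the caller can append the next TCP segment and call again."""
    packets: List[Packet] = []
    off = 0
    while len(buf) - off >= HEADER.size:
        magic, plen, ptype = HEADER.unpack_from(buf, off)
        if magic != MAGIC_PLACEHOLDER:
            raise ValueError(f"bad magic 0x{magic:08x} at offset {off}")
        if plen > MAX_PAYLOAD:
            raise ValueError(f"implausible payload_len {plen} at offset {off}")
        end = off + HEADER.size + plen
        if end > len(buf):
            break  # partial packet: wait for more data
        packets.append(Packet(ptype, buf[off + HEADER.size:end]))
        off = end
    return packets, buf[off:]


def build(ptype: int, payload: bytes) -> bytes:
    """Encode one packet; used here only to construct the sample stream."""
    return HEADER.pack(MAGIC_PLACEHOLDER, len(payload), ptype) + payload


# Constructed sample: two complete packets plus a third cut off mid-payload,
# as a dissector sees them across TCP segment boundaries.
SAMPLE = build(1, b"init") + build(2, b"marks_config") + build(3, b"zipdata")[:-3]

if __name__ == "__main__":
    done, rest = frame_stream(SAMPLE)
    for p in done:
        print(p.packet_type, p.payload)
    print("pending bytes:", len(rest))
```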
MITRE Techniques
- [T1095] Non-Standard Protocol – “Our sample uses custom protocol over TCP for communication. This indicates a complete overhaul of the communication method, which previously transmitted instructions over HTTP.” – The RisePro variant communicates via a custom TCP protocol rather than standard web protocols.
- [T1041] Exfiltration – “the client compiles and sends back a .zip archive containing all the stolen data.” – Data is exfiltrated after collection in ZIP form.
- [T1021] Remote Services – “HVNC remote control capabilities” – The malware can operate as a remote-access tool via HVNC.
- [T1053.005] Scheduled Task/Job – “download a file and execute it using scheduled tasks (schtasks).” – Loader components are executed via Windows scheduled tasks.
- [T1113] Screen Capture – “The malware is capable of capturing a screenshot at the time of execution (grab_screen).” – Visual data is collected as part of data theft.
- [T1055] Process Injection – “C++ version of RisePro can inject into processes.” – The C++ build uses process injection techniques.
- [T1552.001] Credentials in Files – “passwords.txt” (containing stolen passwords from browsers and other apps) – Credentials are exfiltrated via a dedicated file.
- [T1082] System Information Discovery – “Victim’s computer data: IP address, locale, system details” – The malware collects host information during operations.
Indicators of Compromise
- [IP Address] – 194.169.175.128, 194.169.175.123, 194.49.94.53, 91.92.245.23 (example observed data points for infrastructure and exfiltration endpoints)
- [URL] – http://91.92.245.23/download/k/KL.exe (loader/download URL referenced in exfiltration/loader flow)
- [SHA256] – e95d8c7cf98dc1ed3ec0528b05df7c79bae2421ba2ad2b671d54d8088238f205, 973867150fd46e2de4b3d375d9c2d59eeda808a9dd1d137bd020b2f15c155ede, ba7f4474a334d79dd16cfb8a082987000764ff24c8a882c696e4c214b0e5e9cf, D440EEB8FD204EF2B3845894FE4E256E6505796B75FE5201CFFA7F5453C2FB5F
- [File path] – C:\Users\admin\AppData\Local\MaxLoonaFest1\MaxLoonaFest1.exe, C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\K78MRVB5\KL[1].exe (examples of files referenced in the loader/exfil paths)
Read more: https://any.run/cybersecurity-blog/risepro-malware-communication-analysis/