“RisePro” Stealer Returns with New Updates

RisePro, a stealer tied to Vidar, re-emerged in 2023 with claims to fuse Redline and Vidar features and a pay-to-play model. While customers can host their own panels, the builder still communicates with the seller’s infrastructure, leaving room for log theft or scraping by developers. #RisePro #Vidar #PrivateLoader #RussianMarket

Keypoints

  • RisePro reappeared on July 4, 2023 after a period of quiet since December 2022.
  • The seller claims RisePro combines the best aspects of Redline and Vidar to create a powerful stealer.
  • Customers host their own panels, but builds and subscription updates still rely on the seller’s infrastructure, enabling potential log access.
  • RisePro has adopted a pay-to-play model with varying access durations to its builder, resembling PrivateLoader’s pay-per-install approach.
  • RisePro logs have been posted for sale on the Russian Market, with hundreds of logs allegedly sourced from RisePro.
  • Analysts view RisePro as a clone of Vidar, using similar DLL dependencies and belonging to a family of Vidar-derived stealers.

MITRE Techniques

  • [T1071.001] Web Protocols – RisePro uses HTTP-based C2 endpoints to receive commands and exfiltrate data. “RisePro command and control URI structure includes ‘/set_file.php’, ‘/get_loaders.php’, ‘/freezeStats.php’, ‘/get_grabbers.php’, ‘/get_marks.php’, ‘/get_settings.php’, ‘/pingmap.php’.”
  • [T1105] Ingress Tool Transfer – PrivateLoader is a pay-per-install service that downloads additional malicious payloads (such as RisePro) onto already-infected systems on behalf of paying threat actors. “PrivateLoader allows threat actors to buy the ability to have it download malicious payloads onto infected systems.”
  • [T1041] Exfiltration Over C2 Channel – RisePro exfiltrates logs from infected machines via its C2 infrastructure. “targets potentially sensitive information on infected machines and attempts to exfiltrate it in the form of logs.”

Indicators of Compromise

  • [Hash] RisePro sample hashes (SHA-256) – e0579dc3a1e48845194d9cd9415ae492d375fd59cea0e1adf21866afde152f89, c633d7549fb4a77e02fa1e48f8fb3e3b41d8a998778d2e2c024949673dad0ba5, d9445561cef089271565e3fe54b8da7aff3ecfe73506762ffcdaedc3615180ba, 8259fed869da390d33cbdb7e2e174ce58a8ebd7f1f99f104b70753eb8679b246, 867254ba74add6d8e7484dbdd6d45a4c12acd9e31870d84d9efe202945191286, 5ee280016fc53c27bbc6d049820cb6dfd33bc4e9e5c618027677793f070eefee
  • [Domain] C2 domains – neo-files[.]com, gamefilescript[.]com
  • [URI] RisePro C2 URI structure – /set_file.php, /get_loaders.php, /freezeStats.php, /get_grabbers.php, /get_marks.php, /get_settings.php, /pingmap.php
  • [IP] Active C2 panels – 168.100.10.122, 5.42.79.238, 95.214.25.231, 45.15.159.248, 185.173.38.198, 194.169.175.128, 79.110.49.141, 38.47.220.202
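As an added detection example (not code from the Flashpoint post or from any RisePro analysis tooling), the script below turns the indicators above (the T1071.001 URI paths, the C2 domains, the panel IPs and the sample hashes) into a small proxy-log and file-hash matcher. The log format and the sample log lines are constructed assumptions; the indicator values themselves are taken from this page.

```python
"""
Added example: match web-proxy log lines and file hashes against the
RisePro indicators listed on this page. The log format and the sample
lines are constructed for illustration, not real traffic.
"""
import hashlib
import re
from urllib.parse import urlsplit

# Indicators from the page (domains are defanged in the source; undefanged here).
RISEPRO_URI_PATHS = {
    "/set_file.php", "/get_loaders.php", "/freezeStats.php",
    "/get_grabbers.php", "/get_marks.php", "/get_settings.php", "/pingmap.php",
}
RISEPRO_C2_DOMAINS = {"neo-files.com", "gamefilescript.com"}
RISEPRO_C2_IPS = {
    "168.100.10.122", "5.42.79.238", "95.214.25.231", "45.15.159.248",
    "185.173.38.198", "194.169.175.128", "79.110.49.141", "38.47.220.202",
}
RISEPRO_SHA256 = {
    "e0579dc3a1e48845194d9cd9415ae492d375fd59cea0e1adf21866afde152f89",
    "c633d7549fb4a77e02fa1e48f8fb3e3b41d8a998778d2e2c024949673dad0ba5",
    "d9445561cef089271565e3fe54b8da7aff3ecfe73506762ffcdaedc3615180ba",
    "8259fed869da390d33cbdb7e2e174ce58a8ebd7f1f99f104b70753eb8679b246",
    "867254ba74add6d8e7484dbdd6d45a4c12acd9e31870d84d9efe202945191286",
    "5ee280016fc53c27bbc6d049820cb6dfd33bc4e9e5c618027677793f070eefee",
}

# Assumed (constructed) proxy log format: "<timestamp> <client_ip> <method> <url> <status>"
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3})$")


def classify(url):
    """Return the indicator types ('domain', 'ip', 'uri') a URL matches, in that order."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    hits = []
    if host in RISEPRO_C2_DOMAINS:
        hits.append("domain")
    if host in RISEPRO_C2_IPS:
        hits.append("ip")
    # Exact path match; the query string is ignored so '/set_file.php?id=1' still matches.
    if parts.path in RISEPRO_URI_PATHS:
        hits.append("uri")
    return hits


def severity(hits):
    """Domain/IP hits are high fidelity; a URI path alone is a weaker signal,
    because generic PHP names can collide with benign sites."""
    if "domain" in hits or "ip" in hits:
        return "high"
    if "uri" in hits:
        return "medium"
    return None


def scan_log(lines):
    """Parse log lines and return one alert dict per line that matches any indicator.
    Lines that do not fit the assumed format are skipped rather than raising."""
    alerts = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        hits = classify(m.group("url"))
        if hits:
            alerts.append({
                "ts": m.group("ts"),
                "client": m.group("client"),
                "url": m.group("url"),
                "hits": hits,
                "severity": severity(hits),
            })
    return alerts


def sha256_in_iocs(data: bytes) -> bool:
    """True if the SHA-256 of the given bytes is one of the page's sample hashes."""
    return hashlib.sha256(data).hexdigest().lower() in RISEPRO_SHA256


# Constructed sample log lines: two C2 contacts, one benign site that happens to
# use a generic path name, one unrelated request, and one malformed line.
SAMPLE_LOGS = """\
2023-07-05T10:00:01Z 10.0.0.15 GET http://neo-files.com/get_settings.php 200
2023-07-05T10:00:02Z 10.0.0.15 POST http://168.100.10.122/set_file.php?id=1 200
2023-07-05T10:00:03Z 10.0.0.22 GET http://example.com/get_settings.php 200
2023-07-05T10:00:04Z 10.0.0.31 GET https://www.example.org/index.html 200
malformed line
"""

if __name__ == "__main__":
    for alert in scan_log(SAMPLE_LOGS.splitlines()):
        print(f"[{alert['severity']}] {alert['ts']} {alert['client']} -> {alert['url']} ({', '.join(alert['hits'])})")
```

The third sample line shows why the URI list is scored below the domain and IP lists: a path such as /get_settings.php on an unrelated host is only a lead to triage, whereas a hit on a listed domain or panel IP is worth an immediate host investigation. Panel IPs also rotate, so this list should be refreshed from current reporting rather than treated as permanent.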

Read more: https://flashpoint.io/blog/risepro-stealer-and-pay-per-install-malware-privateloader/