Keypoints
- Attackers published at least 13 malicious GitHub repositories offering “cracked” software that all point to the same RAR download on digitalxnetwork[.]com protected with the password GIT1HUB1FREE.
- The RAR unpacks to Installer_Mega_v0.7.4t.msi which extracts a bloated executable Installer-Ultimate_v4.3e.9b.exe; the MSI reveals a second-stage password LBjWCsXKUz1Gwhg.
- The executable contains a huge high-entropy RC_DATA resource used to bloat the PE to ~699 MB; removing the MICROSOFTVISUALSTUDIODEBUGGERI resource reduces it to ~3.43 MB for analysis.
- The file is a .NET assembly with intentionally malformed streams and is protected with .NET Reactor 6 virtualization to hinder static analysis and deobfuscation.
- At runtime the loader resolves imports via FNV-1A hashing, decrypts XOR-obfuscated stack strings with length-specific routines, and injects RisePro (v1.6) into AppLaunch.exe or RegAsm.exe.
- Network communication uses custom TCP (primarily port 50500) to C2 servers (e.g., 176.113.115.227) with JSON configuration containing grabber modules and Telegram bot credentials; stolen data is exfiltrated to public Telegram channels.
- Identified IOCs include the RAR and MSI SHA-256 hashes, the bloated and debloated EXE hashes, C2 IPs, and the download URL for the archive.
MITRE Techniques
- [T1055] Process Injection – Loader injects the RisePro payload into other processes to run in-memory (‘injects its payload into either AppLaunch.exe or RegAsm.exe.’)
- [T1105] Ingress Tool Transfer – Initial infection vector uses a remote archive hosted on a public URL to deliver the installer (‘hxxps://digitalxnetwork[.]com/INSTALLER%20PA$$WORD%20GIT1HUB1FREE.rar’)
- [T1027] Obfuscated Files or Information – The sample is protected with .NET Reactor virtualization and malformed .NET streams to impede analysis (‘obfuscated with a version of .NET Reactor 6 and has virtualization enabled’)
- [T1071] Application Layer Protocol – C2 communication uses direct TCP connections on a non-standard port for command-and-control (‘are still using primarily TCP port 50500.’)
- [T1041] Exfiltration Over C2 Channel – Stolen data is transmitted back to operators and posted to Telegram channels (‘The data is exfiltrated to two Telegram channels.’)
- [T1005] Data from Local System – Malware harvests credentials and stores unique passwords locally in a file before exfiltration (‘All unique passwords are stored in a file named “brute.txt”.’)
Indicators of Compromise
- [File hash] installer and payload hashes – f52ba7d8a820d32c502c4aaef4bf9690fc0ca97b97c683b43057d82c06294257 (INSTALLER PA$$WORD GIT1HUB1FREE.rar), 0ff1e4724b5b02a034789e328531f04a660fd1bade2ad9e73c8b748e5f3e0753 (Installer_Mega_v0.7.4t.msi), and 3 more hashes
- [File name] staged filenames – Installer_Mega_v0.7.4t.msi, Installer-Ultimate_v4.3e.9b.exe
- [IP address] contacted C2 – 176.113.115.227, 193.233.132.32
- [URL] distribution URL – hxxps://digitalxnetwork[.]com/INSTALLER%20PA$$WORD%20GIT1HUB1FREE.rar
- [Memory artifact] injected payload (memory only) – memory-only RisePro payload observed injected into RegAsm.exe/AppLaunch.exe (SHA-256: b0e194ed54bafa753bda5761c1264b67a5c438ee7a9ed624a83be913f037dcbb)
The technical infection chain begins with multiple deceptive GitHub repositories that all reference a single password-protected RAR hosted on digitalxnetwork[.]com. Users who extract the archive with the supplied password (GIT1HUB1FREE) obtain Installer_Mega_v0.7.4t.msi; Orca analysis shows this MSI unpacks a secondary EXE (Installer-Ultimate_v4.3e.9b.exe) using a second password (LBjWCsXKUz1Gwhg). Analysts should anticipate multi-layer archive extraction and scripted installer behavior when triaging similar samples.
The delivered EXE is intentionally bloated with a high-entropy RC_DATA resource named MICROSOFTVISUALSTUDIODEBUGGERI (~0x2b85418f bytes) so that analysis tools crash or stall; removing that resource restores a workable binary (~3.43 MB). The payload is a .NET assembly with malformed .NET streams and ModuleRef table noise, protected with .NET Reactor 6 with virtualization enabled; imports are resolved by FNV-1A hashing and sensitive strings are XOR-obfuscated with per-length decryption routines. Static analysis workflows should therefore include resource removal, automated stack-string decryption (the report used Binary Refinery and IDA/IDAPython to annotate decrypted strings as comments), and either disassembly of the virtualized .NET code or runtime instrumentation.
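The three analysis steps above (spotting the bloating resource, labelling hashed imports, decoding XOR'd stack strings) can be scripted. The following helpers are an added example written for this summary, not code from the G DATA report or from the sample. They assume the loader's "FNV-1A" is the textbook 32-bit FNV-1a (offset basis 0x811C9DC5, prime 0x01000193); if the sample uses a modified basis, prime or width, the lookup table will not match. The API name list, the XOR key and the XOR'd blob are constructed for the demo, since the report does not publish the real keys or routines.

```python
# Added analysis helpers, not code from the G DATA report. Assumptions:
# standard 32-bit FNV-1a parameters; the XOR key and blob below are made up.
import math
from collections import Counter

FNV_OFFSET_32 = 0x811C9DC5
FNV_PRIME_32 = 0x01000193


def fnv1a_32(data: bytes) -> int:
    """32-bit FNV-1a: XOR each byte into the state, then multiply by the prime."""
    h = FNV_OFFSET_32
    for b in data:
        h ^= b
        h = (h * FNV_PRIME_32) & 0xFFFFFFFF
    return h


def build_hash_table(names):
    """Precompute hash -> export name so hashed import constants can be
    labelled (e.g. as IDA comments) without running the sample."""
    return {fnv1a_32(n.encode("ascii")): n for n in names}


def resolve_hash(value: int, table: dict) -> str:
    """Look up one hashed import; unknown hashes keep their hex value."""
    return table.get(value, f"unknown_{value:08x}")


def xor_decode(blob: bytes, key: bytes) -> str:
    """Decode a stack string XORed with a repeating key; a length-specific
    routine would hard-code the key and length, here both are parameters.
    A NUL terminator, if present, is dropped."""
    out = bytes(b ^ key[i % len(key)] for i, b in enumerate(blob))
    return out.split(b"\x00", 1)[0].decode("latin-1")


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; compressed or encrypted data approaches 8.0."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def looks_like_bloat(data: bytes, min_size: int = 50 * 1024 * 1024,
                     min_entropy: float = 7.9) -> bool:
    """Flag a resource that is both very large and near-random, the pattern
    the MICROSOFTVISUALSTUDIODEBUGGERI RC_DATA resource shows. Such a resource
    can be dropped before loading the PE into tools that choke on ~700 MB."""
    return len(data) >= min_size and shannon_entropy(data) >= min_entropy


# Constructed sample: API names a loader commonly resolves by hash.
SAMPLE_APIS = ["LoadLibraryA", "GetProcAddress", "VirtualAlloc",
               "CreateProcessA", "ResumeThread"]
# Constructed: "RegAsm.exe" XORed with a made-up 4-byte key.
DEMO_KEY = b"\x5a\x13\xc4\x71"
DEMO_BLOB = bytes(b ^ DEMO_KEY[i % 4] for i, b in enumerate(b"RegAsm.exe\x00"))

if __name__ == "__main__":
    table = build_hash_table(SAMPLE_APIS)
    for h, name in sorted(table.items()):
        print(f"{h:08x}  {name}")
    print(xor_decode(DEMO_BLOB, DEMO_KEY))
    print(looks_like_bloat(bytes(range(256)) * 4096, min_size=1024))
```

In practice you feed build_hash_table the full export list of kernel32.dll, ntdll.dll and friends (extracted with any PE parser) and run resolve_hash over the immediate constants the loader passes to its resolver; the entropy check runs over each resource's raw bytes before the file is opened in a .NET decompiler.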
At runtime the loader establishes TCP C2 connections (primarily port 50500) to fetch configuration (JSON with grabber modules and Telegram bot tokens) and receives base64-encoded archives of stolen data. The injector writes the RisePro stealer (v1.6) into memory of AppLaunch.exe or RegAsm.exe to execute collection routines; harvested credentials and unique passwords are written to local files (e.g., brute.txt) and exfiltrated to public Telegram channels. Network decoding and C2 analysis can reuse Any.Run/RisePro TCP decoders to parse the traffic. Indicators to monitor include the RAR/MSI/EXE hashes, the digitalxnetwork download URL, and the C2 IPs listed above.
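As a worked example of monitoring the indicators listed above, the script below matches the report's published C2 IPs, the TCP/50500 port, the file hashes and the distribution host against constructed inputs. It is added here for illustration and is not code from the G DATA report. The five-column connection-log layout (timestamp, source, destination, destination port, protocol) is an assumption made for the example; adapt the parser to your Zeek, firewall or EDR export. The sample log lines, hashes and DNS queries are constructed, not real telemetry.

```python
# Added detection example, not code from the G DATA report. The log format
# is assumed; the IOC values come from the report's indicator list.
from dataclasses import dataclass
from typing import List, Tuple

C2_IPS = {"176.113.115.227", "193.233.132.32"}
C2_PORT = 50500
# Defanged in the report; refanged here only so it can be matched.
IOC_HOST = "digitalxnetwork[.]com".replace("[.]", ".")
IOC_HASHES = {
    "f52ba7d8a820d32c502c4aaef4bf9690fc0ca97b97c683b43057d82c06294257":
        "INSTALLER PA$$WORD GIT1HUB1FREE.rar",
    "0ff1e4724b5b02a034789e328531f04a660fd1bade2ad9e73c8b748e5f3e0753":
        "Installer_Mega_v0.7.4t.msi",
    "b0e194ed54bafa753bda5761c1264b67a5c438ee7a9ed624a83be913f037dcbb":
        "RisePro payload (memory-only, injected into RegAsm.exe/AppLaunch.exe)",
}


@dataclass
class Alert:
    line_no: int
    reason: str
    detail: str


def scan_conn_log(lines: List[str]) -> List[Alert]:
    """Flag connections to a known C2 IP, or any TCP connection to port 50500.
    A port-only hit is weaker evidence than an IP hit and is labelled so."""
    alerts = []
    for no, line in enumerate(lines, 1):
        fields = line.split()
        if len(fields) < 5:
            continue  # malformed or truncated line: skip rather than crash
        _ts, _src, dst, dport, proto = fields[:5]
        if dst in C2_IPS:
            alerts.append(Alert(no, "known RisePro C2 IP", f"{dst}:{dport}/{proto}"))
        elif proto.lower() == "tcp" and dport.isdigit() and int(dport) == C2_PORT:
            alerts.append(Alert(no, "TCP/50500 (RisePro C2 port, verify)", f"{dst}:{dport}"))
    return alerts


def scan_hashes(sha256_list: List[str]) -> List[Tuple[str, str]]:
    """Return (hash, description) for every hash matching a published IOC."""
    return [(h.lower(), IOC_HASHES[h.lower()])
            for h in sha256_list if h.lower() in IOC_HASHES]


def scan_dns(queries: List[str]) -> List[str]:
    """Match the distribution host and its subdomains, ignoring case and a
    trailing dot as seen in passive-DNS exports."""
    hits = []
    for q in queries:
        name = q.lower().rstrip(".")
        if name == IOC_HOST or name.endswith("." + IOC_HOST):
            hits.append(q)
    return hits


# Constructed sample data (not real telemetry).
SAMPLE_CONN_LOG = [
    "2024-03-12T09:00:01 10.0.0.5 142.250.80.46 443 tcp",      # benign
    "2024-03-12T09:00:07 10.0.0.5 176.113.115.227 50500 tcp",  # C2 IP and port
    "2024-03-12T09:00:09 10.0.0.7 203.0.113.9 50500 tcp",      # port only
    "2024-03-12T09:00:12 10.0.0.5 193.233.132.32 443 tcp",     # C2 IP, other port
    "2024-03-12T09:00:15 10.0.0.8 198.51.100.20 50500 udp",    # UDP: not matched
    "garbage line",
]
SAMPLE_HASHES = [
    "F52BA7D8A820D32C502C4AAEF4BF9690FC0CA97B97C683B43057D82C06294257",  # rar, upper-cased
    "00" * 32,                                                           # unrelated
]
SAMPLE_DNS = [IOC_HOST + ".", "cdn." + IOC_HOST, "example.com"]

if __name__ == "__main__":
    for a in scan_conn_log(SAMPLE_CONN_LOG):
        print(f"line {a.line_no}: {a.reason} -> {a.detail}")
    print(scan_hashes(SAMPLE_HASHES))
    print(scan_dns(SAMPLE_DNS))
```

The port-only rule is deliberately separated from the IP rule: 50500 is the port the report observed, but the C2 infrastructure changes, so a bare port hit should trigger a look at the process that opened the connection (RegAsm.exe or AppLaunch.exe making outbound TCP connections is itself worth a rule) rather than an automatic block.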
Read more: https://www.gdatasoftware.com/blog/2024/03/37885-risepro-stealer-campaign-github