Threat Analysis Insight: RisePro Information Stealer

RisePro is a modular information-stealer sold as Malware-as-a-Service (MaaS), with activity intensifying in late 2023 and early 2024. The BlackBerry Threat Research team details RisePro’s infection chains, C2 communications, data exfiltration, and its flexible, builder-driven payloads. Hashtags: #RisePro #PrivateLoader #Telegram #BlackBerry #ThreatIntelligence

Keypoints

  • RisePro is a multifunctional information stealer offered on underground forums as MaaS, with activity surging from late 2023 into 2024.
  • It has no single infection vector and often relies on malicious links and lures; it has historically been deployed via PrivateLoader (a pay-per-install service).
  • The malware builder enables significant customization (payload type, build name, service IP) and includes features like anti-debugger, anti-VM, Windows Defender disable, and residency for persistence.
  • RisePro uses various persistence techniques (scheduled tasks and startup entries) and performs environment checks (VM/debugger detection) before contacting C2.
  • Communication evolved from HTTP with a simple obfuscation to a custom TCP protocol; it uses marks, a Grabber Config for exfiltration targets, and can log data for later exfiltration (including via a Telegram bot).
  • Exfiltrated data typically includes information.txt and passwords.txt, detailing fingerprinting data, hardware/software info, and credentials; data can be sent via C2 or Telegram.
  • Authorities note the alleged Russian-speaking origin of the developers, while no single actor has been conclusively linked; RisePro’s MaaS model enables broad deployment by many operators.
  • Countermeasures highlighted include endpoint protection (e.g., CylanceENDPOINT) and proactive security practices like awareness training and active threat intelligence programs.

MITRE Techniques

  • [T1053] Scheduled Task/Job – RisePro creates scheduled tasks to persist, e.g., schtasks /create /f /RU "Admin" /tr "C:\ProgramData\[RisePro].exe" /tn "%RisePro% HR" /sc HOURLY /rl HIGHEST
  • [T1547.001] Registry Run Keys/Startup – Uses startup mechanisms for persistence; “autorun registry key” and startup directory are utilized
  • [T1140] Deobfuscate/Decode Files or Information – Most variants are obfuscated or packed
  • [T1564.003] Hidden Window – Malware generates a hidden window to evade user awareness
  • [T1036] Masquerading – Disguises itself as cracked or legitimate software; “hiding behind numerous disguises”
  • [T1112] Modify Registry – Adds registry keys to the victim device
  • [T1027.002] Software Packing – Malware contains packed/crypted code
  • [T1497.001] VM/System Checks – Attempts to determine if running in a VM
  • [T1518.001] Security Software Discovery – Checks for debugger or security tooling presence
  • [T1082] System Information Discovery – Enumerates hardware/OS info and collects it
  • [T1016] System Network Configuration Discovery – Enumerates network configuration and fingerprinting data
  • [T1124] System Time Discovery – Gathers system time for information.txt
  • [T1119] Automated Collection – Searches for sensitive web browser data
  • [T1005] Data from Local System – Searches for crypto-wallets and browser data
  • [T1056] Input Capture – Creates a direct input object to capture data
  • [T1071] Application Layer Protocol – Downloads additional payloads via HTTP
  • [T1573] Encrypted Channel – Uses a crypted/XOR TCP channel for C2 traffic
  • [T1571] Non-Standard Port – Uses non-standard ports (e.g., TCP 50500) for C2
  • [TA0009] Exfiltration (T1041/T1567) – Exfiltrates data over C2 channel or via Telegram
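The scheduled-task persistence listed under T1053 is a pattern a defender can hunt for in process-creation telemetry. The script below is an added example, not code from the BlackBerry report: it parses schtasks /create command lines, extracts the switches the report's sample uses (/tr, /tn, /sc, /rl, /RU, /f), and scores each task on traits that together are unusual for legitimate software: a binary under a user-writable directory, the HIGHEST run level, an hourly trigger and forced overwrite. The event records, their field names and the placeholder executable name are constructed for this example.

```python
import re

# Constructed sample process-creation records in a simplified EDR/Sysmon-like shape.
# Field names and the placeholder executable name are assumptions for this example;
# only the first record mirrors the schtasks pattern the report attributes to RisePro.
SAMPLE_EVENTS = [
    {"pid": 4120,
     "cmdline": r'schtasks /create /f /RU "Admin" /tr "C:\ProgramData\placeholder.exe" '
                r'/tn "%RisePro% HR" /sc HOURLY /rl HIGHEST'},
    {"pid": 5588,
     "cmdline": r'schtasks /create /tn "Vendor Update Task" '
                r'/tr "C:\Program Files\Vendor\update.exe" /sc DAILY'},
    {"pid": 6001, "cmdline": r"cmd /c whoami"},
]

# A schtasks switch: /flag followed by an optional quoted or bare value.
ARG_RE = re.compile(
    r'/(?P<flag>[A-Za-z]+)(?:\s+(?:"(?P<quoted>[^"]*)"|(?P<bare>[^/\s"]\S*)))?')
# First token is schtasks or schtasks.exe, optionally quoted or with a path prefix.
SCHTASKS_RE = re.compile(r'^\s*"?(?:[^"\s]*\\)?schtasks(?:\.exe)?"?\s', re.IGNORECASE)

# Directories a standard user can write to; a task binary there is unusual for
# legitimately installed software (the report's sample uses C:\ProgramData).
USER_WRITABLE = ("\\programdata\\", "\\appdata\\", "\\temp\\", "\\users\\public\\")
HIGH_FREQUENCY = {"MINUTE", "HOURLY"}


def parse_schtasks(cmdline):
    """Return {flag_lower: value_or_None} for a schtasks /create call, else {}."""
    if not SCHTASKS_RE.match(cmdline):
        return {}
    args = {}
    for m in ARG_RE.finditer(cmdline):
        value = m.group("quoted") if m.group("quoted") is not None else m.group("bare")
        args[m.group("flag").lower()] = value
    return args if "create" in args else {}


def score_task(args):
    """Score a parsed /create invocation; higher means closer to the RisePro pattern."""
    score, reasons = 0, []
    target = (args.get("tr") or "").lower()
    if any(marker in target for marker in USER_WRITABLE):
        score += 2
        reasons.append("task binary lives in a user-writable directory")
    if (args.get("rl") or "").upper() == "HIGHEST":
        score += 1
        reasons.append("/rl HIGHEST requests the highest run level")
    if (args.get("sc") or "").upper() in HIGH_FREQUENCY:
        score += 1
        reasons.append("high-frequency trigger (/sc %s)" % args["sc"].upper())
    if "f" in args:
        score += 1
        reasons.append("/f silently overwrites any existing task of that name")
    return score, reasons


def hunt(events, threshold=3):
    """Return findings for every event whose schtasks /create call scores >= threshold."""
    findings = []
    for ev in events:
        args = parse_schtasks(ev["cmdline"])
        if not args:
            continue
        score, reasons = score_task(args)
        if score >= threshold:
            findings.append({"pid": ev["pid"], "task": args.get("tn"),
                             "target": args.get("tr"), "score": score, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in hunt(SAMPLE_EVENTS):
        print(f"pid {finding['pid']}: task {finding['task']!r} score {finding['score']}")
        for reason in finding["reasons"]:
            print("   -", reason)
```

The threshold is deliberately above any single trait, since /rl HIGHEST or an hourly trigger alone is common in benign installers; the combination with a binary under ProgramData, AppData or Temp is what makes the report's sample stand out.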

Indicators of Compromise

  • [SHA256] IoCs – 2229327fa653ffd07f11773ee22eb00e580b6824ce122a1e788f19859aa9dca2, 5e1a1b2e2c20bc50b54e02393fa6f26a2b8c2f4d87f2abdecaca73472b5c5dba, and many other hashes
  • [IP/Domain] RisePro C2 servers – 5[.]42[.]92[.]73:8081, 185[.]196[.]9[.]38:8081, 147[.]45[.]47[.]116:8081, and other active addresses
  • [Domain] IP geolocation services used by RisePro – ipinfo.io, db-ip.com, maxmind.com
  • [URL] Example secondary downloads – hxxp://185[.]215[.]113[.]46/mine/plaza[.]exe, hxxp://185[.]215[.]113[.]46/cost/ladas[.]exe
  • [File Name] Exfiltration artifacts – information.txt, passwords.txt
  • [File Type] RisePro Binary – RisePro Binary (Selection)
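Published indicators are only useful once they are refanged and matched against telemetry, and the report's non-standard C2 port (T1571) and geolocation-service lookups (T1016) are weaker signals that should be weighed differently from an exact C2 or hash match. The script below is an added example, not part of the report: it refangs the indicators listed above, matches them against constructed connection, DNS, HTTP and file-hash records in a simple key=value shape (an assumption for this example), assigns a severity per hit, and counts hits per source host so that a lone geolocation lookup is not alerted on by itself. The internal addresses and hostnames are constructed; only the indicator values come from the list above.

```python
import re
from urllib.parse import urlparse

# Indicators copied from the report's IoC list, kept defanged as published.
DEFANGED_IOCS = {
    "c2": ["5[.]42[.]92[.]73:8081", "185[.]196[.]9[.]38:8081", "147[.]45[.]47[.]116:8081"],
    "geoip": ["ipinfo.io", "db-ip.com", "maxmind.com"],
    "url": ["hxxp://185[.]215[.]113[.]46/mine/plaza[.]exe",
            "hxxp://185[.]215[.]113[.]46/cost/ladas[.]exe"],
    "sha256": ["2229327fa653ffd07f11773ee22eb00e580b6824ce122a1e788f19859aa9dca2",
               "5e1a1b2e2c20bc50b54e02393fa6f26a2b8c2f4d87f2abdecaca73472b5c5dba"],
}
# Ports the report associates with RisePro C2 (8081 in the IoC list, 50500 under T1571).
C2_PORTS = {8081, 50500}

# Constructed sample telemetry (key=value shape is an assumption for this example).
# Internal hosts use private/TEST-NET addresses; only the indicator values are real.
SAMPLE_LOGS = [
    "2024-06-03T08:14:02Z type=conn src=10.0.0.21 dst=5.42.92.73 dport=8081 proto=tcp",
    "2024-06-03T08:14:05Z type=dns src=10.0.0.21 query=ipinfo.io",
    "2024-06-03T08:15:40Z type=conn src=10.0.0.21 dst=198.51.100.4 dport=50500 proto=tcp",
    "2024-06-03T08:16:10Z type=http src=10.0.0.21 url=http://185.215.113.46/mine/plaza.exe",
    "2024-06-03T08:20:00Z type=conn src=10.0.0.7 dst=198.51.100.200 dport=443 proto=tcp",
    "2024-06-03T08:21:30Z type=file host=WS-0021 "
    "sha256=2229327fa653ffd07f11773ee22eb00e580b6824ce122a1e788f19859aa9dca2",
]


def refang(value):
    """Turn a defanged indicator back into a matchable string."""
    return (value.replace("[.]", ".")
                 .replace("hxxps://", "https://")
                 .replace("hxxp://", "http://"))


def build_indicator_sets(defanged=DEFANGED_IOCS):
    """Refang the published indicators into lookup sets."""
    c2 = set()
    for entry in defanged["c2"]:
        host, port = refang(entry).rsplit(":", 1)
        c2.add((host, int(port)))
    urls = {refang(u) for u in defanged["url"]}
    return {
        "c2": c2,
        "c2_ips": {host for host, _ in c2},
        "geoip": {d.lower() for d in defanged["geoip"]},
        "urls": urls,
        "url_hosts": {urlparse(u).hostname for u in urls},
        "sha256": {h.lower() for h in defanged["sha256"]},
    }


KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_line(line):
    """Parse a key=value telemetry line into a dict."""
    return dict(KV_RE.findall(line))


def match_logs(lines, iocs):
    """Return one hit per matched indicator with a severity reflecting how specific it is."""
    hits = []
    for idx, line in enumerate(lines):
        f = parse_line(line)
        dst, dport = f.get("dst"), f.get("dport")
        port = int(dport) if dport and dport.isdigit() else None
        if dst and port is not None and (dst, port) in iocs["c2"]:
            hits.append({"line": idx, "severity": "high",
                         "reason": f"connection to known RisePro C2 {dst}:{port}"})
        elif dst in iocs["c2_ips"]:
            hits.append({"line": idx, "severity": "medium",
                         "reason": f"connection to RisePro C2 address {dst} on port {port}"})
        elif port in C2_PORTS:
            hits.append({"line": idx, "severity": "medium",
                         "reason": f"outbound TCP {port} matches a port used by RisePro C2"})
        query = f.get("query", "").lower()
        if query in iocs["geoip"]:
            hits.append({"line": idx, "severity": "low",
                         "reason": f"lookup of {query}, a geolocation service RisePro uses (benign alone)"})
        url = f.get("url")
        if url in iocs["urls"]:
            hits.append({"line": idx, "severity": "high",
                         "reason": "download of a known RisePro secondary payload URL"})
        elif url and urlparse(url).hostname in iocs["url_hosts"]:
            hits.append({"line": idx, "severity": "medium",
                         "reason": "HTTP request to a RisePro payload-hosting address"})
        digest = f.get("sha256", "").lower()
        if digest in iocs["sha256"]:
            hits.append({"line": idx, "severity": "high",
                         "reason": "file hash matches a RisePro sample"})
    return hits


def summarize_by_source(lines, hits):
    """Count hits per source host so weak signals are judged in context."""
    counts = {}
    for h in hits:
        f = parse_line(lines[h["line"]])
        key = f.get("src") or f.get("host")
        if key:
            counts[key] = counts.get(key, 0) + 1
    return counts


if __name__ == "__main__":
    indicators = build_indicator_sets()
    found = match_logs(SAMPLE_LOGS, indicators)
    for h in found:
        print(f"[{h['severity']:6}] line {h['line']}: {h['reason']}")
    print("hits per host:", summarize_by_source(SAMPLE_LOGS, found))
```

Port 50500 and the geolocation domains are kept at medium and low severity on purpose: both occur in benign traffic, and the report presents them as characteristics of RisePro rather than as exclusive indicators, so they are best used to corroborate a C2, URL or hash match from the same host.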

Read more: https://blogs.blackberry.com/en/2024/06/threat-analysis-insight-risepro-information-stealer