Cyber security news for all


    Exploitation of Cracked Software Repositories on GitHub to Propagate RisePro Information Stealer

    Cybersecurity researchers have discovered a series of GitHub repositories offering cracked software that serve as conduits for distributing an information-stealing malware known as RisePro.

    Dubbed the gitgub campaign, it encompasses 17 repositories linked to 11 distinct accounts, as disclosed by G DATA. The repositories implicated in the campaign have since been taken down by GitHub, the Microsoft-owned subsidiary.

    “The repositories bear a striking resemblance, each presenting a README.md file advertising cracked software for free,” articulated the German cybersecurity entity.

    “Employing green and red Unicode circles, commonly utilized on Github to signify the status of automated builds, the gitgub threat actors introduced four green circles to their README.md, falsely implying a status update alongside the current date, thus fostering an illusion of credibility and currency.”

    The roster of repositories includes the following, all directing users to a download link (“digitalxnetwork[.]com”) hosting a RAR archive file:

    andreastanaj/AVAST
    andreastanaj/Sound-Booster
    aymenkort1990/fabfilter
    BenWebsite/-IObit-Smart-Defrag-Crack
    Faharnaqvi/VueScan-Crack
    javisolis123/Voicemod
    lolusuary/AOMEI-Backupper
    lolusuary/Daemon-Tools
    lolusuary/EaseUS-Partition-Master
    lolusuary/SOOTHE-2
    mostofakamaljoy/ccleaner
    rik0v/ManyCam
    Roccinhu/Tenorshare-Reiboot
    Roccinhu/Tenorshare-iCareFone
    True-Oblivion/AOMEI-Partition-Assistant
    vaibhavshiledar/droidkit
    vaibhavshiledar/TOON-BOOM-HARMONY

    The password-protected RAR archive, as stipulated in the repository’s README.md file, contains an installer file that releases the next-stage payload—an executable file inflated to 699 MB to thwart analysis tools such as IDA Pro.

    The actual payload, occupying a mere 3.43 MB, serves as a loader to inject RisePro (version 1.6) into either AppLaunch.exe or RegAsm.exe.
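    Because the campaign pads its next-stage executable to 699 MB while the real loader is only 3.43 MB, a useful triage check is to measure how much of a file is low-entropy filler appended after the genuine content. The Python below is an added example (not code from the article or from G DATA); the chunk size, entropy threshold and size thresholds are illustrative assumptions, and the sample it builds when run without arguments is constructed, not a real dropper.

```python
import math
import random
import sys
from collections import Counter

def shannon_entropy(chunk: bytes) -> float:
    """Bits per byte: ~0 for uniform filler, ~8 for packed or encrypted code."""
    if not chunk:
        return 0.0
    n = len(chunk)
    return -sum(c / n * math.log2(c / n) for c in Counter(chunk).values())

def measure_trailing_padding(data: bytes, chunk_size: int = 4096,
                             max_entropy: float = 1.0) -> dict:
    """Walk backwards from EOF, counting low-entropy chunks until real content appears."""
    end, padding = len(data), 0
    while end > 0:
        start = max(0, end - chunk_size)
        if shannon_entropy(data[start:end]) > max_entropy:
            break  # first chunk that looks like code/data: the core ends here
        padding += end - start
        end = start
    total = len(data)
    return {
        "total_bytes": total,
        "core_bytes": total - padding,
        "padding_bytes": padding,
        "padding_ratio": padding / total if total else 0.0,
    }

def looks_bloated(data: bytes, min_total: int = 50 * 1024 * 1024,
                  min_ratio: float = 0.9) -> bool:
    """Flag files that are both large and mostly filler (thresholds are illustrative)."""
    stats = measure_trailing_padding(data)
    return stats["total_bytes"] >= min_total and stats["padding_ratio"] >= min_ratio

def build_sample(core_bytes: int = 20_000, pad_bytes: int = 400_000) -> bytes:
    """Constructed stand-in for a bloated dropper: pseudo-random 'code' plus a zero tail."""
    rng = random.Random(1337)  # fixed seed so results are reproducible
    core = bytes(rng.getrandbits(8) for _ in range(core_bytes))
    return b"MZ" + core + b"\x00" * pad_bytes

if __name__ == "__main__":
    # Pass a path to scan a real file; with no argument the constructed sample is used.
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample()
    print(measure_trailing_padding(blob), "bloated:", looks_bloated(blob, min_total=100_000))
```

    A high padding ratio on its own is only a triage signal; resource-heavy legitimate installers can also carry large uniform regions, so the result should be read alongside section layout and overlay size.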

    RisePro garnered attention in late 2022 when it was distributed through a pay-per-install (PPI) malware downloader service dubbed PrivateLoader.

    Written in C++, RisePro is engineered to harvest sensitive data from infected hosts and transmit it to two Telegram channels, a channel type threat actors frequently use to receive stolen victim data. Intriguingly, recent research by Checkmarx demonstrated the feasibility of infiltrating and rerouting messages from an attacker’s bot to another Telegram account.

    This development coincides with Splunk’s elaboration on the tactics and methodologies embraced by Snake Keylogger, labeling it as a stealer malware that “adopts a multifaceted approach to data exfiltration.”

    “The utilization of FTP facilitates secure file transfers, whereas SMTP enables the dispatch of emails containing sensitive data,” detailed Splunk. “Moreover, integration with Telegram furnishes a real-time communication platform, facilitating instantaneous transmission of pilfered data.”

    Information-stealing malware has garnered significant traction, often serving as the principal vector for ransomware and other high-impact data breaches. According to a report by Specops released this week, RedLine, Vidar, and Raccoon have emerged as the most prevalent stealers, with RedLine alone responsible for purloining over 170.3 million passwords in the past six months.

    “The burgeoning prevalence of information-stealing malware underscores the ever-evolving landscape of digital threats,” remarked Flashpoint in January 2024. “While the underlying motivations are invariably rooted in financial gain, stealers continue to adapt, becoming increasingly accessible and user-friendly.”
