CyberWire Daily - Stealer malware from Russia. [Research Saturday]
Episode Date: January 7, 2023
Marisa Atkinson, an analyst from Flashpoint, joins Dave to discuss a new blog post from Flashpoint’s research team about “RisePro” Stealer, malware from Russia, and Pay-Per-Install Malware “PrivateLoader.” “RisePro” is written in C++ and appears to possess similar functionality to the stealer malware “Vidar.” It is also a newly identified stealer that began appearing as a stealer source for log credentials on the illicit log shop Russian Market on December 13, 2022. The research states, "Samples that Flashpoint analysts identified indicate that RisePro may have been dropped or downloaded by the pay-per-install malware downloader service “PrivateLoader” in the past year." Analysts identified several sets of logs uploaded to the illicit underground Russian Market, which listed their source as “RisePro.” The research can be found here: “RisePro” Stealer and Pay-Per-Install Malware “PrivateLoader”
Transcript
You're listening to the CyberWire Network, powered by N2K.

[...] of you, I was concerned about my data being sold by data brokers. So I decided to try Delete.me. I have to say, Delete.me is a game changer. Within days of signing up, they started removing my personal information from hundreds of data brokers. I finally have peace of mind knowing my data privacy is protected. Delete.me's team does all the work for you with detailed reports so you know exactly what's been done. Take control of your data and keep your private life [...]

Thank you.

Hello, everyone, and welcome to the CyberWire's Research Saturday. I'm Dave Bittner, and this is our weekly conversation with researchers and analysts tracking down the threats and vulnerabilities, solving some of the hard problems of protecting ourselves in a rapidly evolving cyberspace. Thanks for joining us.
So RisePro actually came to our attention through sort of an unconventional means. We were observing a marketplace that sells stealer logs and noticed that a new stealer source actually popped up on this market. And it was called RisePro. And none of us had really seen that name before in the past.

That's Marissa Atkinson. She's an analyst at Flashpoint. The research we're discussing today is titled "RisePro Stealer and Pay-Per-Install Malware, PrivateLoader."
Can you just give us a little bit of background for folks who might not be familiar with this? What exactly are we talking about with these stealers?
Oh, yeah. So stealers are a type of malware with the specific purpose of, once they are dropped on a system, scraping that system for specific information. So this could be crypto wallets. It could be browser autofills. It could be credit card information, system information, browser cookies, and then it will actually exfiltrate that data to a C2 server, usually as a zip file or something akin to that.

Well, let's go through it together and dig in here. Can we go through some of the technical things that you all discovered? What's going on under the hood here?

Yeah. So RisePro was interesting.
We actually identified it through open source means. It was being dropped by PrivateLoader, and this was showing up in a few sandbox reports. What was interesting about RisePro was that at first, when we were looking at it, we thought this was just kind of a regular sample of another stealer called Vidar. And Vidar has been around for quite a while now. It was first discovered in about 2018, where its source code was actually cracked. And what's unique about Vidar is that it has these DLL dependencies that it's required to run. So I saw these dependencies being dropped by the stealer, but actually within the stealer, even further, were these embedded strings that actually would say things like "RisePro support," which was very odd. So even though it looked like it was a sample of Vidar, it had these strings identifying it as RisePro, which might not set off any red flags right away. But since we had just seen it as a stealer being attributed to logs on an illicit community marketplace, it stood out even more. And that was kind of when I was like, oh, this actually, this might be a new fork of Vidar. And Vidar is a little notorious for being forked. It's actually happened twice in the past. Notably, in 2019, a stealer named Oski came about, which ended up being a fork of Vidar. Also, the most notable aspect of that was those DLL dependencies. And then in 2021, Mars Stealer was a new piece of malware being sold as a service that also ended up being a fork of Vidar.

If we're going with the notion that RisePro may have come from Vidar, what sorts of changes did they make to make it their own?

So there have been very few changes. Significantly, in some of the C2 commands, they added this ping map command, which is just kind of like a beacon out. And some of the URI structure is different. I also want to say that I'm speaking on a kind of behavioral analysis level. We haven't done the in-depth code analysis to really dig into the structure yet, but just from these behavioral points, we were able to say with a pretty high confidence that this was just another Vidar fork.
I see. Well, let's start from the beginning here. I mean, how would someone find themselves with this on their system?

Yeah. RisePro was most notably being dropped by a downloader called PrivateLoader. Downloaders are a piece of malware whose entire purpose, once they're on an infected system, is to just drop more payloads by downloading them, usually from a C2 server. In this case, it was PrivateLoader. It was first discovered in early 2021. And what was unique about PrivateLoader is, as opposed to just being a standalone downloader malware, it is actually part of a greater service, usually referred to as pay-per-install services. Essentially, the threat actor that develops this loader, they manage a botnet where other threat actors can go to them, pay them a certain amount of money, and the threat actor will actually then drop additional payloads on already infected systems for a price. And that's kind of the idea of a pay-per-install service.
And now a message from our sponsor Zscaler, the leader in cloud security. Enterprises have spent billions of dollars on firewalls and VPNs, yet breaches continue to rise, with an 18% year-over-year increase in ransomware attacks and a $75 million record payout in 2024. These traditional security tools expand your attack surface with public-facing IPs that are exploited by bad actors more easily than ever with AI tools. It's time to rethink your security. Zscaler Zero Trust plus AI stops attackers by hiding your attack surface, making apps and IPs invisible, eliminating lateral movement, connecting users only to specific apps, not the entire network, continuously verifying every request based on identity and context, simplifying security management with AI-powered automation, and detecting threats using AI to analyze over 500 billion daily transactions. Hackers can't attack what they can't see. Protect your organization with Zscaler Zero Trust and AI. Learn more at zscaler.com/security.
So if I find myself with this on my system, what happens? What does it go about doing, and how does it go about doing it?

Yeah. So initially, what would happen with a loader is they'll usually get onto your system through standard initial infection vectors. So a lot of times that'll be phishing. There will be a document in the phishing email that you download that may have a macro embedded in it. And then if a victim were to actually execute the document and the macro inside of it, then the downloader would be dropped on the system. And dropped, in this case, refers to the malware actually being embedded within the malicious, let's call it like a Word doc in this case. So there is no need for the macro to reach out to a C2 server or do any sort of networking; it will just extract the downloader from the envelope and then execute it on the system. From there, the downloader will attempt to perform the additional networking activities, such as reaching out to a C2 server, where it will begin pulling payloads. And because this is a pay-per-install service, these payloads will just be dependent on the customers using the PrivateLoader service. In the past, we've seen different payloads being dropped, such as RedLine Stealer and SmokeLoader. And then it's also been identified in other open source reporting that Vidar has been dropped. So that's interesting as well, that there's been Vidar and RisePro as well. And then through some of our research, we were able to identify that some RisePro samples were being dropped by PrivateLoader as early as April 2022. And we've also seen some in November and December of 2022 as well.

Now, is RisePro specific in the types of things that it's looking for, or does it try to grab everything, or can the person who's purchased the use of this, can they dial that in?

It can, depending on how granular a customer may want a stealer to be. There's different ways to determine what the stealer will actually be grabbing off the system, usually through regular expression masks. So if there's specific file names or keywords that a customer may want exfiltrated off of a system, they could specify that in the build of the malware through the grabber. And then on a more general level, stealers will target browsers and possibly crypto wallets being saved on the system locally. Within the browsers, the stealer is interested in exfiltrating any autofill data. They're interested in taking cookie data; cookie data specifically is really valuable to threat actors. So they will target the cookie logs of a browser and just dump them and then send them off to a C2.

To what degree are they trying to be stealthy here and hide what they're up to?

In RisePro Stealer's case, it didn't look like there was a lot of emphasis on the stealthiness. They were going through the system using registry keys where this data is stored, and they go through and run these processes. Then they will take a screenshot of the desktop. They'll grab files based on those regular expressions that a customer may have specified, compile them all in a zip file, usually in a temp folder, and then exfiltrate them off the system. Though also in RisePro's case, there's several URIs that were being used for command and control purposes. So there was things like, one of these URLs was "get grabbers," and that is those regular expression masks to determine what files need to be exfiltrated off of the system. And so when RisePro would go through an infection, it would be reaching out to the C2 server like five to 10 times maybe on a single infected system.
So what are your recommendations then? I mean, based on the information that you all have gathered here, what's the best way for folks to protect themselves?

[...] of being aware of what emails you're looking at, what you're downloading onto your system, because that's your first line of defense. If you're getting an email with, maybe it could be an Excel file, it could be a Word doc, and when you open it, it's asking you to enable macros, maybe take a second look at that. Also, just being diligent with the downloading of software on a system, because what stealers are looking for is pretty unanimous, even across different builds and versions of what a stealer is. So they'll be tapping the same registry keys. And that's easy to write signatures for antivirus. So making sure you have an antivirus installed on your system and actively monitoring is very important.
Our thanks to Marissa Atkinson from Flashpoint for joining us. The research is titled "RisePro Stealer and Pay-Per-Install Malware, PrivateLoader." We'll have a link in the show notes.

Cyber threats are evolving every second, and staying ahead is more than just a challenge. It's a necessity. That's why we're thrilled to partner with ThreatLocker, a cybersecurity solution trusted by businesses worldwide. ThreatLocker is a full suite of solutions designed to give you total control, stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely. Visit ThreatLocker.com today to see how a default-deny approach can keep your company safe and compliant.

The CyberWire's Research Saturday podcast is a production of N2K Networks, proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliot Peltzman, Trey Hester, Brandon Karp, Eliana White, Puru Prakash, Liz Ervin, Rachel Gelfand, Tim Nodar, Joe Kerrigan, Carol Terrio, [...]

Thanks for listening. We'll see you back here next week.