Table of contents
Context
PrivateLoader is an active malware in the loader market, used by multiple threat actors to deliver various payloads, mainly information stealer. Since our previous investigation, we keep tracking the malware to map its ecosystem and delivered payloads. Starting from this tria.ge submission, we recognized a now familiar first payload, namely PrivateLoader. However, the dropped stealer was not part of our stealer growing collection, notably including RedLine or Raccoon. Eventually SEKOIA.IO realised it was a new undocumented stealer, known as RisePro. This article aims at presenting SEKOIA.IO RisePro information stealer analysis.
Quick infection review
Based on the tria.ge submission, the first payload is a PrivateLoader. The sample fetches a document hosted on sun6-23.userapi.com. This dropped file is the starting point of this analysis.
The downloaded file is obfuscated using bytes substitution followed by a XOR operation with a fixed key. (See: deobfuscation script in the annex). Tria.ge automatic analysis suggests a stealer.
- PrivateLoader SHA-1: da3aea62ddf57c895acf630b62e972ef70defb60
- Download BMP SHA-1: d94e061e93f7ac003b01c0c9d12dbbb26f87d13e
- Deobfuscated BMP SHA-1: 17ba58fcfe47c49baeaba9aaebd8f888ed2d9473
NB-1: The PCAP of the initial payload shows requests to RisePro infrastructure before PrivateLoader communication. Hypotheses about the future of the Stealer are presented in the conclusion.
NB-2: The name of the distributed payload by PrivateLoader is StealerClient.bmp.
Malware analysis
The stealer offers similar functionalities as other malware of the family. It targets a wide range of web browsers for credentials, cookies, credit cards and crypto wallet via web browser extensions and 2FA software, and a file grabber functionality. To reduce its detection, RisePro hides its configuration such as string or imported DLLs using XOR instructions using different keys. The malware communicates over HTTP and content of the communication is obfuscated using bytes substitutions and XOR operations. Finally, the malware has the capability to load other payloads.
Dynamic lookup of APIs via GetProcAddress
The malware obfuscates its strings using XORed 128 bits (representing integer data). The image below highlights the deobfuscation routine, as well as the dynamic function loading using the technique GetModuleHandle technique associated with GetProcAddress.
Embedded DLLs
Some samples of RisePro embed legitimate DLLs such as sqlite3.dll and mozglue.dll used to access the web browsers data. Theses DLLs are stored in cleartext in the PE, they are dumped on the disk in the working directory of the malware: (working directory is composed of C:\Users\Admin\AppData\Local\Temp\ followed by LocalSimbaD and ten random alphanum characters).
In case these DLLs are not embedded in the malware, it fetches them on its C2 by requesting the /get_library endpoint with a POST request, where the body of the request is ‘name=<dll name>’. The server answers the URL to download the requested DLLs. Every C2 tracked by SEKOIA.IO host the DLLs under the /static/ directory:
Host fingerprinting
RisePro Stealer has a fingerprint capability, all information are retrieved in the following registry keys:
- SOFTWARE\Microsoft\Cryptography
- SOFTWARE\Microsoft\Windows NT\CurrentVersion
- HARDWARE\DESCRIPTION\System\CentralProcessor\0
- SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
The fingerprinting is gathered and saved at the beginning of the file informations.txt exfiltrated to the C2 at a later stage during the infection process.
RisePro retrieves the infected host public IP address with a fallback functionality. It attempts to get this information from ipinfo.io fails, it tries on api.db-ip.com. Should this also fail, a last option is to contact maxmind.com which is a service for IP address geolocalisation.
The stealer also takes a screenshot of the infected host.
If the screenshot is saved in the working directory of the malware as screenshot.png, the file will also be exfiltrated by the malware in the ZIP file.
Stolen Information
The stealer targets cookies, saved passwords, saved credit cards and crypto wallets and also installed softwares for credentials.
Web browsers: Google Chrome, Firefox, Maxthon3, K-Melon, Sputnik, Nichrome, Uran, Chromodo, Netbox, Comodo, Torch, Orbitum, QIP Surf, Coowon, CatalinaGroup Citrio, Chromium, Elements, Vivaldi, Chedot, CentBrowser, 7start, ChomePlus, Iridium, Amigo, Opera, Brave, CryptoTab, Yandex, IceDragon, BlackHaw, Pale Moon, Atom.
Browser extensions: Authenticator, MetaMask, Jaxx Liberty Extension, iWallet, BitAppWallet, SaturnWallet, GuildWallet, MewCx, Wombat, CloverWallet, NeoLine, RoninWallet, LiqualityWallet, EQUALWallet, Guarda, Coinbase, MathWallet, NiftyWallet, Yoroi, BinanceChainWallet, TronLink, Phantom, Oxygen, PaliWallet, PaliWallet, Bolt X, ForboleX, XDEFI Wallet, Maiar DeFi Wallet.
Software: Discord, battle.net, Authy Desktop.
Cryptocurrency assets : Bitcoin, Dogecoin, Anoncoin, BBQCoin, BBQCoin, DashCore, Florincoin, Franko, Freicoin, GoldCoin (GLD), IOCoin, Infinitecoin, Ixcoin, Megacoin, Mincoin, Namecoin, Primecoin, Terracoin, YACoin, Zcash, devcoin, digitalcoin, Litecoin, Reddcoin.
The stealer also looks for particular file patterns, for example receipt with credit card information in common folders (for instance, Desktop, Download, %TEMP%).
As previously introduced, stolen data are copied to the working directory of the malware to be compressed in a ZIP file, exfiltrated during the late HTTP message.
The filename of the stolen data respects the format: `country code_victim ip address.zip`.
Command and Control communication
Method | Endpoint | Parameter(s) | Response |
GET | /pingmap.php | Constant string : 918_tok | |
GET | /freezeStats.php | uid | |
POST | /get_marks.php | uid | {“success”:true,”result”:{“marks”:[]}} |
POST | /get_settings.php | uid | {“success”:true,”result”:{“settings”: { “_id”:”62b109591bde0e1b356c4c3b”, “HWIDduplicatesDay”:true, “HWIDduplicates”:false, “IPduplicates”:false, “telegram”:true, “discord”:true, “screenshot”:true, “cryptoWallets”:true, “netHistory”:true, “staticMarks”:””, “telegramIds”:”463473532″], “createdAt”:”2022-06-20T23:57:13.984Z”, “__v”:0}}} |
POST | /get_grabbers.php | uid | {“success”:true,”result”:{“grabbers”:[]}} |
POST | /get_loaders.php | uid | {“success”:true,”result”:{“loaders”:[]}} |
POST | /set_file.php | Multi form, first one is the uid, the second form is a boundary file which contains a ZIP file obfuscated | JSON with status |
While RisePro communicates over HTTP in JSON format, the exchanged messages are obfuscated, with bytes substitution and a XOR operation.
This obfuscation is interesting because it uses the same byte substitution tables as PrivateLoader. The only difference is the value of the XOR key, PrivateLoader uses the value 0x9d and RisePro uses 0x36. The similarity between these two malwares is detailed in the dedicated section (c.f:. Similiarities)
Original byte | Replacement byte |
0x00 | 0x80 |
0x80 | 0x0a |
0x0a | 0x01 |
0x01 | 0x05 |
0x05 | 0xde |
0xde | 0xfd |
0xfd | 0xff |
0xff | 0x55 |
0x55 | 0x00 |
Loader capability
It is likely that RisePro is able to load and execute a next stage, whose configuration is dynamically set by C2 communication on the /get_loader.php endpoint. This endpoint provides the next payload to execute. As none of the RisePro samples analysed by SEKOIA.IO downloaded a next stage payload or used this functionality, we assess this feature is still under development.
In case RisePro is configured with a next stage, the PE will be written in the same malware working directory.
Similarities
Code & functionalities
During our investigation, we observed PrivateLoader and RisePro Stealer’s behaviours partially overlap. Here is a list of specific functionalities shared by the two malware:
- Strings obfuscation technique: (xor operation on 128 bits (representing integer data), pxor) with the same key for a set of functionalities;
- HTTP method and port setup;
- HTTP message obfuscated with the same mode (byte substitution with same replacement values followed by a XOR operation);
The similarity spotted between these two malware is buttressed by the output of Bindiff, which shows more than 30% of code similarity.
RisePro SHA-1: f6f143269c430a30003b9027c0f90f59388d65e4
PrivateLoader SHA-1: d231903de12e11e94f3b52c5b71fe8a6ecf30458
Infrastructure
Starting from PrivateLoader wfsdragon.]ru domain, it is possible to pivot on the nameserver of the domain (which is hosted on cloudflare) which return a long list of domain distributing PrivateLoader samples (cf.: Annexe: IoCs – Shared domains based on NS) and three domains related to RisePro:
- m-rise.]pro
- my-rise.]pro
- myrise.]pro
PS: The previous query can be improved by a_record:104.21.0.0./16 to filter domains related to RisePro and PrivateLoader on the same NS`
From the list of domains returned by the first query, a new part PL infrastructure could be highlighted by searching domains on this AS containing ‘files‘.
Another query used to increase visibility into PrivateLoader infrastructure is to search for URLs with the parameter ‘zip?c=‘ which translates into the following query: ‘entity:url url:”.zip?c=”‘ hostname:file’. Moreover, since early December, the threat actors expanded their infrastructure to include a new pattern for its delivery domain, which can be retrieved with the following query: ‘entity:url url:”.zip?c=” hostname:soft‘.
NB: A majority of the domains with the ‘file’ pattern where used during October and November but are down by now.
Besides, the two domains extracted from RisePro samples:
- gamefilescript.]com
- neo-files.]com
SEKOIA.IO analysts pivot on the whois record with the following virus total query: ‘entity:domain ( whois:be03d85074711f86 OR whois:b4208f2c291398c5 )‘ yielding a long list of domain that again contains ‘file‘. (cf.: Annexe: IoCs – Domains share same whois)
While browsing the domains, it appears there are download link managers, the final payload are password protected archives hosted on compromised WordPress. As shown by figure 10, websites are only used to provide instructions (Download URL and archive password).
The redirect URL to download the malware changed regularly, at least once a day. Most of the distribution domains are now down or for sale, which highlights the volatility of their infrastructure.
The payload available for download on compromised WordPress is PrivateLoader that installs a package of information stealer (RedLine, MixLoader, Vidar, etc…) for instance: Tria.ge : 2507f7ca248884372a3088bf6413bd8292f898ca.
Accesses & Support – Contacts
RisePro is available for sale on the Telegram account of the developper: hxxps://t.]me/RiseProSUPPORT which is an obfuscated string embedded in the PE. There is also a Telegram channel to interact with infected hosts: hxxps://t.]me/RisePro (name: Rise bot). To interact with the host, attackers must provide the bot ID defined by the bot itself, and sent to the C2 during the infection c.f.: Table 1, endpoint: /set_file.php response.
Threat Actors have access to the stolen data on the administration panel hosted at: hxxps://my-rise.]cc. To create an account the provided email address must be trusted by the solution. The domain my-rise.cc serves as a front end, and all requests are sent to the subdomain api.my-rise.]cc.
Conclusion
SEKOIA.IO analysts understanding of the threat is that PrivateLoader is still active and comes with a set of new capabilities. Similarities between the stealer and PrivateLoader could not be ignored and provides additional insight into the threat actor expansion.
SEKOIA.IO analysts first hypothesis is that RisePro Stealer might be a simple PrivateLoader version with pre-configured build to download its own stealer (NB: Side note, this version does not use a Dead Drop Resolver technique). A second hypothesis is that PrivateLoader simply evolved and a different unidentified PPI vendor provides RisePro installation via PrivateLoader. At the time of writing, it is not clear whether RisePro is authored by PrivateLoader developers. Another intelligence gap is whether RisePro is offered by the same PPI service as PrivateLoader, or whether PrivateLoader authors maintain links with RisePro authors. SEKOIA.IO analysts will keep tracking this threat to gain more knowledge into this specific question, and welcome any input that could help us to fill the gap. SEKOIA.IO will keep tracking this threat to provide as much as possible information to this question.
IoCs & Technical Details
IoCs
RisePro C2
- 108.174.199.]249
- 108.174.200.]11
- 108.174.198.]132
- my-rise.]cc
- api.my-rise.]cc
Shared domains based on NS
- greatsofteasy.]com
- fixgroupfactor.]com
- webproduct25.]com
- gs24softeasy.]com
- torggissoft.]com
- teleportsoft.]com
- testitsoft.]com
- factor1right.]com
- best24-files.]com
- first-mirror.]com
- elite-hacks.]ru
- jojo-files.]com
- my-rise.]cc
- xx1-files.]com
- hero-files.]com
- my-rise.]pro
- m-rise.]pro
- pu-file.]com
- pickofiles.]com
- vi-files.]com
- qd-file.]com
- uc-files.]com
- myrise.]pro
- uni-files.]com
- fvp-files.]com
Domains sharing same whois
- get-files24.]com
- softs-portal.]com
- boost-files.]com
- files-rate.]com
- get-24files.]com
- upxlead.]com
- gg-download.]com
- files-sender.]com
- rate-files.]com
- gg-loader.]com
- neo-files.]com
- vip-space.c]om
- pin-files.]com
URLs with pattern zip?c=
- filesuk.]com
- filecryptobur.]com
- socialfiletest.]com
- www.filefactory.]com
- vi-files.]com
- pu-file.]com
- topfilesstorage.]com
- clubfiletyc.]com
- filessoftpc.]com
- smartfilegen.]com
- filessite.]com
- speedtestfile.]com
- filesredproflex.]com
- filefactory.]com
- accesstostofilestorage.]com
- getfileasap1.]com
- fileswhiteprosoft.]com
- yfilesstorage1.]com
Samples
- a5076f73a1cfd10fedf1368a26f9f358, 77270de2b41a639e9ca285f9014502a1a5b0b020, c70e26edeacbf1fa052f073959403ee9337a4aed13833553f8a3856fae013c9e
- 76ef5db3addbe357e753de73e7db258e, c126c8cc75f6f6ac4b4af125b85c499814053094, 478e97b727eb82979087c1d4c2450be18c2d3413ca8c648e7e2a067595ef8511
- 9b98ec558eb6fe1e4055d7535e17e37c, 1e416f2c40dfc44e60a65df8fd57524bf8e6f5ad, 5facf25f6b0d35a79444949b3175fabf3d788cbfbbbbb6551a867e1ddceb00a5
- 2ecae8d74f6cedfe5f06fd424c3cdc77, 0812df9653b27d994eb5f62e243a63d3ea28b1ec, 75b395cc766351e6f44f36dcbfdbabc2c4b43ef6fb26f845fb55569a57ebdbdd
- a0dfcfb9936669128353663b82fa01b3, 400d3908600b45a8e27f9133cb4950f1e11d5b8d, 3fea5da905fb8cdb9ef203f85a2b0d37d9cbc8067fbf64d3e1849e84d99de3ee
- e6b0e14676e5b72a638a142e46f658d9, 77723f0e3c933eff00e0ce1c823aee668d5c3bea, 2d34e214cbb14456357d2e3381692d188b1004d8ff26280e430c716e6e3730b6
- ac2eae79e66ddf808900b5e2e261da9b, 69a403b81608457ad7106d4215e48e9207367f66, 49fea24c6d2f6340755a22687a6daf63ff2692fe81e6e067b8b2465bc21f49f9
- 12db8a9a0fb6baec2f801c640a8a4197, afa864c0d0fde050fd0d8694bf895b72d449969b, ae8becfd65df0625c7e4f2069cb57e6f3c022aff24db51666b4d8b8c6ab15a15
- b3fbff1358ce82bc71009634c19ba2bf, 4b3d77895cd313db37793db0e5eb5fa2859c01b2, 28820e270265796566d6651f16651a5fd6c412b9290be07d2829c444d9392a02
- dbe7d59705f5f919cc6354b81d746584, cc6284365d1d47460bed78dce4e237b95166a859, 3e38c14c9a27966b7768fa6a61a0bc86b79fdf8f554d232c26d0a13cd8dcdc36
- 46847232153f38a0326fe0e677a25b9e, f2303a12b73b6b033dde297ef8bdaf3f4cba6864, aa80643e117a896314fe6b1785cb65ab53561f66f5b679ba9f16a05f36e28674
- 319e5fbf83add883095fef277ac8e092, 8ae961c6b93f01bb6d7927223041f2d18ed3a2f9, b295631063a6186a09a9dfee224bca7af6d4ab1650e9d63cdc325cf3fe1cd3d6
- 5ab956806ec2e729b2c9c260ee3139f2, cb80fb19380b3dd20032763daa460af4452eebd7, ffae7d880fcb139d03941e1bc658ce463e179435f438d945c74067fe291beb23
- dbe7d59705f5f919cc6354b81d746584, cc6284365d1d47460bed78dce4e237b95166a859, 3e38c14c9a27966b7768fa6a61a0bc86b79fdf8f554d232c26d0a13cd8dcdc36
- e7cba894426bd9ca2cdc8b6d7ef31aae, 44afc3c4f62f062a746710440dde3ff7f29b4440, ad75f79f985b4ec690fe9280108ae51cec8ef1650581ed4e26497a5e2c2f3ef9
- 5df54fe48769bae887eaacb70eb23742, 0a20d79f8de58a088624f964f448846f5fe74afa, 4107f3166ce3c67f375514ed039d663f197261126724f229e8d3cda2e62728d0
- 0fc293ca3b73d1166ab149213ff1a240, 8b2a98870e2a1bd02bf72fc262068d07e620a233, 440cec1dd86d03c4e9a29a7b297a30a211f17d48828934a5a7121f1f4b97ef43
- 0fc293ca3b73d1166ab149213ff1a240, 8b2a98870e2a1bd02bf72fc262068d07e620a233, 440cec1dd86d03c4e9a29a7b297a30a211f17d48828934a5a7121f1f4b97ef43
- 0fc293ca3b73d1166ab149213ff1a240, 8b2a98870e2a1bd02bf72fc262068d07e620a233, 440cec1dd86d03c4e9a29a7b297a30a211f17d48828934a5a7121f1f4b97ef43
- 5df54fe48769bae887eaacb70eb23742, 0a20d79f8de58a088624f964f448846f5fe74afa, 4107f3166ce3c67f375514ed039d663f197261126724f229e8d3cda2e62728d0
- 0fc293ca3b73d1166ab149213ff1a240, 8b2a98870e2a1bd02bf72fc262068d07e620a233, 440cec1dd86d03c4e9a29a7b297a30a211f17d48828934a5a7121f1f4b97ef43
- 5df54fe48769bae887eaacb70eb23742, 0a20d79f8de58a088624f964f448846f5fe74afa, 4107f3166ce3c67f375514ed039d663f197261126724f229e8d3cda2e62728d0
- 0fc293ca3b73d1166ab149213ff1a240, 8b2a98870e2a1bd02bf72fc262068d07e620a233, 440cec1dd86d03c4e9a29a7b297a30a211f17d48828934a5a7121f1f4b97ef43
- 5df54fe48769bae887eaacb70eb23742, 0a20d79f8de58a088624f964f448846f5fe74afa, 4107f3166ce3c67f375514ed039d663f197261126724f229e8d3cda2e62728d0
- fd1cabdc949d19b07ca9bfa206ae8560, f0eea0d1acca29bc82bcfe94b1ccb28d04581579, 057b33d69a28fb08733bb710ca22036aaee853791b958e8c4e0c81ae5eed6fcd
- 95fa2ab112ca196dfe5bdf0c13dd9396, d1e5ad285bb4506ae77c589682a5bc0a2afdec35, 58b1210213ac1cb9c4efe63d43390dfd43bf094408b16033f176e6700ad0fb29
- 95fa2ab112ca196dfe5bdf0c13dd9396, d1e5ad285bb4506ae77c589682a5bc0a2afdec35, 58b1210213ac1cb9c4efe63d43390dfd43bf094408b16033f176e6700ad0fb29
- 03366311b4fbe98c0a919b210cf2fa2b, c3f5b4a2203bf7769963852070f75ae7540fd180, 9564a7f5d7132fe8a97450e0fa4b628b7d802c885f034dc5d094260ff6a76716
Script
import sys
from copy import copy
def deobfuscate(filename: str) -> None:
print(f"deobfuscate RisePro data: `{filename}`")
with open(filename, "rb" )as f:
data = bytearray(f.read())
data2 = copy(data)
data2 = replace_all(data, data2, 0x00, 0x80)
data2 = replace_all(data, data2, 0x80, 0x0a)
data2 = replace_all(data, data2, 0x0a, 0x01)
data2 = replace_all(data, data2, 0x01, 0x05)
data2 = replace_all(data, data2, 0x05, 0xde)
data2 = replace_all(data, data2, 0xde, 0xfd)
data2 = replace_all(data, data2, 0xfd, 0xff)
data2 = replace_all(data, data2, 0xff, 0x55)
data2 = replace_all(data, data2, 0x55, 0x00)
unxored = bytearray()
for byte in data2:
unxored.append(byte ^ 0x36) # 0x36: RisePro and 0x9d for PrivateLoader
with open(f"unxored.zip", "wb") as f:
f.write(unxored)
def replace_all(data: bytearray, data2: bytearray, x: int, y: int) -> bytearray:
print(f"replace all {hex(x)} by {hex(y)}")
for index, byte in enumerate(copy(data)):
if byte == x:
data2[index] = y
return data2
if __name__ == "__main__":
deobfuscate(sys.argv[1])
YARAs
Disclaimer, we removed the YARA rule due to false positives.
TTPs
Tactic | Technique |
Collection | T1213 – Data from Information Repositories |
Collection | T1113 – Screen Capture |
Credential Access | T1555.004 – Credentials from Password Stores: Windows Credential Manager |
Defense Evasion | T1140 – Deobfuscate/Decode Files or Information |
Defense Evasion | T1222 – File and Directory Permissions Modification |
Defense Evasion | T1027 – Obfuscated Files or Information |
Defense Evasion | T1027.005 – Obfuscated Files or Information: Indicator Removal from Tools |
Discovery | T1087 – Account Discovery |
Discovery | T1083 – File and Directory Discovery |
Discovery | T1057 – Process Discovery |
Discovery | T1012 – Query Registry |
Discovery | T1518 – Software Discovery |
Discovery | T1082 – System Information Discovery |
Discovery | T1614 – System Location Discovery |
Discovery | T1614.001 – System Location Discovery: System Language Discovery |
Discovery | T1033 – System Owner/User Discovery |
Execution | T1129 – Shared Modules |
Persistence | T1547.001 – Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder |
External References
- https://blog.sekoia.io/privateloader-the-loader-of-the-prevalent-ruzki-ppi-service/
- https://intel471.com/blog/privateloader-malware
- https://www.zscaler.com/blogs/security-research/peeking-privateloader
- https://www.bitsight.com/blog/tracking-privateloader-malware-distribution-service
You can also read other blog post :
- Raccoon Stealer v2 – Part 2: In-depth analysis
- Hunting and detecting Cobalt Strike
- Raccoon Stealer v2 – Part 1: The return of the dead
- Lapsus$: when kiddies play in the big league
- BumbleBee: a new trendy loader for Initial Access Brokers
- Unveiling of a large resilient infrastructure distributing information stealers
- Raspberry Robin’s botnet second life
- Command & Control infrastructures tracked by SEKOIA.IO in 2022
- Stealc: a copycat of Vidar and Raccoon infostealers gaining in popularity – Part 1
- Stealc: a copycat of Vidar and Raccoon infostealers gaining in popularity – Part 2
- Peeking at Reaper’s surveillance operations
- CustomerLoader: a new malware distributing a wide variety of payloads
Discover our: