Beware the Cracked Software Trap: Protecting Your Business from the RisePro Info Stealer Malware Campaign

Uncovering the GitHub-based Scheme Delivering Malicious Payloads under the Guise of Pirated Software

Written by Jacky Chow. Published on March 16, 2024.

Introduction

In the ever-evolving landscape of cybersecurity threats, cybercriminals are continuously devising new and innovative ways to compromise the security of businesses and individuals. One such threat that has recently come to light is the RisePro information stealer malware, which is being distributed through a concerning campaign involving cracked software hosted on GitHub repositories.

This comprehensive blog post will delve into the details of this malicious campaign, codenamed "gitgub," and provide valuable insights to help organizations protect themselves from the dangers of RisePro and other information stealer malware. By understanding the tactics employed by these cybercriminals, we can empower businesses to make informed decisions and implement robust security measures to safeguard their sensitive data and critical systems.

The "Gitgub" Campaign: Leveraging Cracked Software to Deliver RisePro Malware

Cybersecurity researchers from G DATA have uncovered a disturbing campaign that leverages cracked software hosted on GitHub repositories to distribute the RisePro information stealer malware. The campaign, dubbed "gitgub," involves a network of 17 repositories associated with 11 different accounts, all of which have since been taken down by GitHub, the Microsoft-owned code hosting platform.

The modus operandi of the "gitgub" campaign is deceptively simple, yet effective. The repositories feature a README.md file that promises free, cracked software, complete with green Unicode circles that mimic the status indicators commonly used on GitHub. This illusion of legitimacy and recency is designed to lure unsuspecting victims into downloading the "cracked" software, which in reality contains the payload for the RisePro malware.

Upon downloading the RAR archive file from the repository's download link, victims are prompted to enter a password mentioned in the README.md file. This password-protected archive contains an installer file that, when executed, unpacks the next-stage payload – a 699 MB executable that is likely intended to overwhelm and crash analysis tools like IDA Pro.

The actual malicious contents of the file, a mere 3.43 MB in size, serve as a loader to inject the RisePro information stealer (version 1.6) into either the AppLaunch.exe or RegAsm.exe processes. This allows the malware to infiltrate the victim's system and commence its data-harvesting activities.
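Two defender-side triage checks modelled on the chain just described, as an added example that is not code from the original post or from G DATA's research. The first scores a repository README for the lure traits the campaign relied on (green Unicode circles, "cracked"/"free download" wording, a handed-out archive password); the second measures how much of a dropped executable is constant-byte filler, so a 699 MB file that is really 3.43 MB of content stands out before any heavier tooling is pointed at it. The thresholds, the keyword list, the block size and the constructed sample data are assumptions chosen for this example.

```python
"""Triage helpers for a gitgub-style delivery chain.

Added example; not code from the original post or from G DATA's research.
Thresholds, keywords and the constructed sample data are assumptions.
"""
import io
import re
from dataclasses import dataclass

GREEN_CIRCLE = "\U0001F7E2"   # the status-indicator lookalike used in the READMEs
BLOCK = 4096                  # block size for the constant-block test (assumed)
PADDING_RATIO = 0.90          # filler share above which a file is flagged (assumed)
# Assumed: an archive password handed out in the README, e.g. "Password: 1234".
PASSWORD_RE = re.compile(r"password\s*[:=]\s*\S+")


def readme_lure_score(text: str) -> int:
    """Return a 0-3 score; 3 means all three lure traits are present."""
    lowered = text.lower()
    score = 0
    if GREEN_CIRCLE in text:
        score += 1
    if "crack" in lowered or "free download" in lowered:
        score += 1
    if PASSWORD_RE.search(lowered):
        score += 1
    return score


@dataclass
class PaddingReport:
    total_bytes: int
    filler_bytes: int

    @property
    def filler_ratio(self) -> float:
        return self.filler_bytes / self.total_bytes if self.total_bytes else 0.0

    @property
    def effective_bytes(self) -> int:
        """Size left once the constant-byte filler is discounted."""
        return self.total_bytes - self.filler_bytes

    @property
    def suspicious(self) -> bool:
        return self.filler_ratio >= PADDING_RATIO


def padding_report(stream, block: int = BLOCK) -> PaddingReport:
    """Read a binary stream block by block and count the blocks made of one
    repeated byte value. The comparison is a bytes operation, so a file of
    several hundred MB is scanned without being loaded whole and without a
    per-byte Python loop. Runs shorter than one block are not counted, which
    is acceptable for a triage heuristic."""
    total = filler = 0
    while True:
        chunk = stream.read(block)
        if not chunk:
            break
        total += len(chunk)
        if len(chunk) == block and chunk == chunk[:1] * block:
            filler += block
    return PaddingReport(total, filler)


def analyze_bytes(data: bytes) -> PaddingReport:
    return padding_report(io.BytesIO(data))


def analyze_path(path: str) -> PaddingReport:
    with open(path, "rb") as fh:
        return padding_report(fh)


def build_sample_binary(real_mib: int = 2, filler_mib: int = 32) -> bytes:
    """Constructed stand-in for a bloated dropper: varied bytes followed by a
    long run of zeros. Sizes are scaled down from the real 699 MB sample."""
    varied = bytes(range(256)) * (real_mib * 4096)      # 256 B * 4096 = 1 MiB each
    return varied + b"\x00" * (filler_mib * 1024 * 1024)


if __name__ == "__main__":
    report = analyze_bytes(build_sample_binary())
    print(f"total={report.total_bytes} effective={report.effective_bytes} "
          f"filler={report.filler_ratio:.1%} suspicious={report.suspicious}")
    lure = "\U0001F7E2 Adobe Photoshop 2024 cracked, free download!\nPassword: 1234"
    print("lure score:", readme_lure_score(lure))
```

The constant-block test is deliberately coarse: it will miss filler that is not a single repeated byte, but it costs almost nothing to run on every file an endpoint downloads from a code-hosting site, and a high filler ratio is a good reason to quarantine the file rather than open it in a disassembler.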

The Dangers of RisePro: An Evolving Threat to Sensitive Data

RisePro, the information stealer malware at the heart of the "gitgub" campaign, first gained attention in late 2022 when it was distributed using a pay-per-install (PPI) malware downloader service known as PrivateLoader. Written in C++, RisePro is designed to gather a wide range of sensitive information from infected hosts, including login credentials, financial data, and other personal information, and exfiltrate it to two Telegram channels.

The use of Telegram channels for data extraction is particularly concerning, as it provides a real-time communication platform for threat actors to receive and potentially monetize the stolen data. Recent research has even shown that it is possible for attackers to infiltrate and forward messages from their own Telegram bot to another account, further complicating the task of defending against such threats.
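A detection sketch for the exfiltration path described above, as an added example that is not part of the original post. It runs two rules over constructed proxy/EDR-style network log lines: outbound traffic to the Telegram Bot API from a process that is not an allowlisted Telegram client or browser, and any outbound traffic at all from AppLaunch.exe or RegAsm.exe, the .NET utilities the loader injects RisePro into. The log line format, the host names, the allowlist and the assumption that those two utilities rarely need internet access on a workstation are all choices made for this example.

```python
"""Detection sketch for RisePro-style Telegram exfiltration.

Added example, not code from the original post. The line format, host
names, allowlist and sample telemetry are constructed for this example.
"""
import re
from collections import defaultdict
from dataclasses import dataclass

TELEGRAM_HOSTS = {"api.telegram.org"}                      # Telegram Bot API endpoint
ALLOWED_TELEGRAM_PROCS = {"telegram.exe", "chrome.exe",    # assumed allowlist
                          "firefox.exe", "msedge.exe"}
INJECTION_TARGETS = {"applaunch.exe", "regasm.exe"}        # hosts the loader injects into

LINE_RE = re.compile(
    r"(?P<ts>\S+) host=(?P<host>\S+) proc=(?P<proc>\S+) dst=(?P<dst>\S+) bytes=(?P<bytes>\d+)"
)

# Constructed sample log; not real telemetry.
SAMPLE_LOG = """\
2024-03-16T10:00:01Z host=WS01 proc=chrome.exe dst=github.com bytes=1201
2024-03-16T10:00:07Z host=WS01 proc=RegAsm.exe dst=api.telegram.org bytes=48213
2024-03-16T10:00:09Z host=WS01 proc=RegAsm.exe dst=api.telegram.org bytes=51090
2024-03-16T10:01:30Z host=WS02 proc=Telegram.exe dst=api.telegram.org bytes=830
2024-03-16T10:02:11Z host=WS03 proc=AppLaunch.exe dst=203.0.113.45 bytes=7720
"""


@dataclass(frozen=True)
class Alert:
    rule: str
    host: str
    proc: str
    dst: str
    bytes_out: int


def parse_log(text: str):
    """Yield parsed records; lines that do not match the format are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield {**m.groupdict(), "bytes": int(m["bytes"])}


def detect(text: str) -> list:
    """Apply both rules and return one Alert per rule per (host, proc, dst).

    Bytes are summed per triple, so a stealer talking to two Telegram
    channels shows up as one record per channel with the total sent."""
    totals = defaultdict(int)
    for rec in parse_log(text):
        key = (rec["host"], rec["proc"].lower(), rec["dst"].lower())
        totals[key] += rec["bytes"]

    alerts = []
    for (host, proc, dst), sent in sorted(totals.items()):
        if dst in TELEGRAM_HOSTS and proc not in ALLOWED_TELEGRAM_PROCS:
            alerts.append(Alert("telegram-egress", host, proc, dst, sent))
        if proc in INJECTION_TARGETS:
            alerts.append(Alert("injection-host-egress", host, proc, dst, sent))
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_LOG):
        print(f"[{a.rule}] {a.host} {a.proc} -> {a.dst} ({a.bytes_out} bytes)")
```

The second rule is the more durable one: the Telegram destination can change between stealer builds, but a .NET helper binary that suddenly opens outbound connections is unusual regardless of where the traffic goes, and it ties the network event back to the injection behaviour described above.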

RisePro is part of a broader trend of information stealer malware becoming increasingly prevalent. According to a report from Specops, RedLine, Vidar, and Raccoon have emerged as the most widely-used stealers, with RedLine alone responsible for the theft of more than 170.3 million passwords in the last six months. These stealers often serve as precursors to more devastating attacks, such as ransomware or data breaches, making them a significant threat to businesses of all sizes.

Safeguarding Your Business: Strategies to Mitigate the Risks of Information Stealer Malware

To effectively protect your organization from the dangers of RisePro and other information stealer malware, it is essential to implement a comprehensive cybersecurity strategy that addresses both technical and human-centric aspects of security. Some key recommendations include:

  1. Educate Employees on Cybersecurity Best Practices: Regularly train your employees to recognize the signs of phishing, social engineering, and other tactics employed by cybercriminals to deliver malware. Emphasize the importance of exercising caution when downloading or installing software from unverified sources.
  2. Implement Robust Access Controls and Privileged Account Management: Carefully manage and restrict user access to sensitive data and systems, ensuring the principle of least privilege is applied. Regularly review and update your access control policies to mitigate the risk of unauthorized access.
  3. Strengthen Your Endpoint Security: Deploy advanced endpoint protection solutions that can detect, prevent, and respond to information stealer malware and other sophisticated threats. Consider partnering with a managed security service provider like Francium Networks to benefit from their expertise and cutting-edge security technologies.
  4. Enhance Threat Intelligence and Incident Response Capabilities: Stay informed about the latest cybersecurity threats, including the evolution of information stealer malware, through threat intelligence sharing and active participation in security communities. Develop and regularly test your incident response plan to ensure your organization is prepared to effectively respond to and recover from a cyber incident.
  5. Implement Secure Software Development Practices: If your organization develops software, ensure that secure coding practices, code reviews, and vulnerability assessments are integrated into your software development lifecycle. This can help prevent the introduction of vulnerabilities that could be exploited by information stealer malware.

Conclusion

The "gitgub" campaign, which leverages cracked software hosted on GitHub repositories to distribute the RisePro information stealer malware, serves as a stark reminder of the ever-evolving tactics employed by cybercriminals to compromise the security of businesses and individuals. As information stealer malware continues to proliferate, it is crucial for organizations to remain vigilant, educate their employees, and implement robust security measures to safeguard their sensitive data and critical systems.

By understanding the techniques used in the "gitgub" campaign and the broader trends in information stealer malware, businesses can make informed decisions and take proactive steps to mitigate the risks. Through a combination of technical security controls, employee training, and collaboration with trusted security providers like Francium Networks, organizations can fortify their defenses and reduce their exposure to the growing threat of information stealer malware.
