Two separate cybersecurity companies (Flashpoint and Sekoia) have uncovered a brand new malware called “RisePro”.
RisePro is distributed through websites that host pirated software, cracks, installers, and similar illegal content, and it also reaches endpoints through PrivateLoader, a pay-per-install (PPI) malware distribution service.
According to the researchers, RisePro bears many similarities to PrivateLoader, which suggests that the malware distribution platform now has its own information stealer. Moreover, because it uses the same system of embedded DLL dependencies, the researchers also found that the software is essentially built on Vidar.
Another really good reason not to download pirated software
RisePro searches for data from an extensive list of browsers, browser extensions, and cryptocurrency wallets, including Google Chrome, Firefox (and 30 other browsers), Authenticator, MetaMask, and Coinbase (and 26 other browser extensions). It also steals data from Discord, battle.net, and Authy Desktop, and it can scan file system folders for valuable data such as files containing credit card information.
According to Flashpoint, criminals have already started selling RisePro logs containing sensitive, personally identifiable data on Russian dark web markets. Bad actors interested in purchasing the logs, or the stealer itself, can do so by interacting with the sellers through a Telegram bot.
Researchers describe PrivateLoader as a pay-per-install malware distribution service, and it often poses as a software crack or a keygen. Until now, PrivateLoader has only distributed RedLine Stealer or Raccoon, both very popular information stealers in the cybercrime community.
The best way to protect against such threats is to avoid downloading illegal content in the first place and only download software from legitimate, verified sources. A strong antivirus solution would also be helpful.