Research Saturday 1.7.23
Ep 263 | 1.7.23

Stealer malware from Russia.


Dave Bittner: Hello, everyone. And welcome to the CyberWire's "Research Saturday." I'm Dave Bittner. And this is our weekly conversation with researchers and analysts tracking down the threats and vulnerabilities, solving some of the hard problems of protecting ourselves in a rapidly evolving cyberspace. Thanks for joining us.

Marisa Atkinson: So RisePro actually came to our attention through sort of an unconventional means. We were observing a marketplace that sells stealer logs and noticed that a new stealer source actually popped up on this market. And it was called RisePro. And none of us had really seen that name before in the past.

Dave Bittner: That's Marisa Atkinson. She's an analyst at Flashpoint. The research we're discussing today is titled "'RisePro' Stealer and Pay-Per-Install Malware 'PrivateLoader'". 

Dave Bittner: Can you just give us a little bit of background for folks who might not be familiar with this? What exactly are we talking about with these stealers? 

Marisa Atkinson: Oh, yeah. So stealers are a type of malware with the specific purpose of once they are dropped on a system, they scrape that system for specific information. So this could be crypto wallets. It could be browser autofills. It could be credit card information, system information, browser cookies. And then it will actually exfiltrate that data to a C2 server, usually as a zip file or something akin to that. 

Dave Bittner: Well, let's go through it together and dig in here. Can we go through some of the technical things that you all discovered? What's going on under the hood here? 

Marisa Atkinson: Yeah. So RisePro was interesting. We actually identified it through open-source means. It was being dropped by PrivateLoader. And this was showing up in a few sandbox reports. What was interesting about RisePro was that at first when we were looking at it, we thought this was just kind of a regular sample of another stealer called Vidar. And Vidar has been around for quite a while now. It was first discovered in 2018, about where its source code was actually cracked. And what's unique about Vidar is that it has these DLL dependencies that it's required to run. 

Marisa Atkinson: So I saw these dependencies being dropped by the stealer. But actually, within the stealer even further were these embedded strings that actually would say things like RisePro support, which was very odd. So even though it looked like it was a sample of Vidar, it had these strings identifying it as RisePro, which might not set off any red flags right away. But since we had just seen it as a stealer being attributed to logs on an illicit community marketplace, it stood out even more. And that was kind of when I was like, oh, this actually - this might be a new fork of Vidar. And Vidar is a little notorious for being forked. It's actually happened twice in the past. Notably in 2019, a stealer named Oski came about, which ended up being a fork of Vidar. Also, the most notable aspect of that were those DLL dependencies. And then in 2021, Mars Stealer was a new piece of malware being sold as a service that also ended up being a fork of Vidar.

Dave Bittner: If we're going with the notion that RisePro may have come from Vidar, what sorts of changes did they make to make it their own? 

Marisa Atkinson: So there have been very little changes significantly in some of the C2 commands. They added this ping map command, which is just kind of like a beacon out. And some of the URI structure is different. I also want to say that I'm speaking on a kind of behavioral analysis level. We haven't done the in-depth code analysis to really dig into, like, the structure yet. But just from these behavioral points, we were able to say with a pretty high confidence that this was just another Vidar fork. 

Dave Bittner: I see. Well, let's start from the beginning here. I mean, how would someone find themselves with this on their system? 

Marisa Atkinson: Yeah. RisePro was most notably being dropped by a downloader called PrivateLoader. Downloaders are a piece of malware that - their entire purpose is, once they're on an infected system, to just drop more payloads through downloading them, usually from a C2 server. In this case, it was PrivateLoader. It was first discovered in early 2021. And what was unique about PrivateLoader is, as opposed to just being a standalone downloader malware, it is actually part of a greater service, usually referred to as pay-per-install services. Essentially, the threat actor that develops this loader, they manage a botnet where other threat actors can go to them, pay them a certain amount of money, and the threat actor will actually then drop additional payloads on already-infected systems for a price. And that's kind of the idea of a pay-per-install service. 

Dave Bittner: So if I find myself with this on my system, what happens? What does it go about doing, and how does it go about doing it? 

Marisa Atkinson: Yeah. So initially, what would happen with a loader is they - they'll usually get onto your system through standard initial infection vectors. So a lot of times, that'll be phishing. There will be a document in the phishing email that you download that may have a macro embedded in it. And then if a victim were to actually execute the document and the macro inside of it, then the downloader would be dropped on the system. And dropped, in this case, refers to the malware actually being embedded within the malicious, let's call it, like, a Word doc, in this case, so there is no need for the macro to reach out to a C2 server or do any sort of networking. It will just extract the downloader from the envelope and then execute it on the system. 

Marisa Atkinson: From there, the downloader will attempt to perform the additional networking activities, such as reaching out to a C2 server, where it will begin pulling payloads. And because this is a pay-per-install service, these payloads will just be dependent on the customers using the PrivateLoader service. In the past, we've seen different payloads being dropped, such as RedLine Stealer and SmokeLoader. And then it's also been identified in other open source reporting that Vidar has been dropped. So that's interesting as well that there's been Vidar and RisePro as well. And then through some of our research, we were able to identify that some RisePro samples were being dropped by PrivateLoader as early as April 2022, and we've also seen some in November and December of 2022, as well. 

Dave Bittner: Now, is RisePro specific in the types of things that it's looking for or does it try to grab everything? Or can the person who's purchased the use of this, can they dial that in? 

Marisa Atkinson: It can. Depending on how granular a customer may want a stealer to be, there's different ways to determine what the stealer will actually be grabbing off the system, usually through, like, regular expression masks. So if there's specific, like, file names or keywords that a customer may want exfiltrated off of a system, they could specify that in the build of the malware through the grabber. And then on a more general level, stealers will target browsers and possibly crypto wallets being saved on the system locally. Within the browsers, the stealer is interested in exfiltrating any autofill data. They're interested in taking - cookie data, specifically, is really valuable to threat actors, so they will target the cookie logs of a browser and just dump them and then send them off to a C2. 

Dave Bittner: To what degree are they trying to be stealthy here and hide what they're up to? 

Marisa Atkinson: In RisePro Stealer's case, it didn't look like there was a lot of emphasis on the stealthiness. They were going through the system using registry keys where this data is stored, and they go through and run these processes. Then they will take a screenshot of the desktop. They'll grab files based on those regular expressions that a customer may have specified, compile them all in a zip file, usually in a temp folder, and then exfiltrate them off the system. They'll also - with RisePro's case, there are several URIs that were being used for command and control purposes. So there was things like - one of these URLs was get_grabbers, and that is those regular expression masks to determine what files need to be exfiltrated off of the system. And so when RisePro would go through an infection, it would be reaching out to the C2 server, like, five to 10 times, maybe, on a single infected system. 

Dave Bittner: So what are your recommendations then? I mean, based on the information that you all have gathered here, what's the best way for folks to protect themselves? 

Marisa Atkinson: So in terms of recommendations for protecting yourself against not just RisePro but also PrivateLoader is to be really diligent with being aware of what emails you're looking at, what you're downloading onto your system, because that's your first line of defense. If you're getting an email with, maybe it could be an Excel file, it could be a Word doc, and when you open it, it's asking you to enable macros, maybe take a second look at that. Also just being diligent with the downloading of software; in the past, PrivateLoader has been disseminated through advertising itself as cracked versions of paid software. And then additionally, being diligent, making sure you have your antivirus turned on - so Windows Defender is actually pretty good at identifying the activity of stealers on a system because what stealers are looking for is pretty unanimous, even across different builds and versions of what a stealer is. So they'll be tapping the same registry keys, and that's easy to write signatures for antivirus. So making sure you have an antivirus installed on your systems and actively monitoring is very important.

Dave Bittner: Our thanks to Marisa Atkinson from Flashpoint for joining us. The research is titled "'RisePro' Stealer and Pay-Per-Install Malware 'PrivateLoader.'" We'll have a link in the show notes.

Dave Bittner: The CyberWire's "Research Saturday" podcast is a production of N2K Networks, proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Tre Hester, Brandon Karpf, Eliana White, Puru Prakash, Liz Irvin, Rachel Gelfand, Tim Nodar, Joe Carrigan, Carole Theriault, Maria Varmazis, Ben Yelin, Nick Veliky, Milly Lardy, Gina Johnson, Bennett Moe, Catherine Murphy, Janene Daly, Jim Hoscheit, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, Simone Petrella, and I'm Dave Bittner. Thanks for listening. We'll see you back here next week.