“RisePro” Stealer and Pay-Per-Install Malware “PrivateLoader”

RisePro’s presence on Russian Market, and the appearance of the stealer as a payload for a pay-per-install service, may indicate its growing popularity—and viability—within the threat actor community.

December 19, 2022

Key takeaways

  • “RisePro” is a stealer malware that began appearing as a stealer source for log credentials on the illicit log shop Russian Market on December 13, 2022. 
  • RisePro’s presence on Russian Market may indicate its growing popularity within the threat actor community. 
  • Samples that Flashpoint analysts identified indicate that RisePro may have been dropped or downloaded by the pay-per-install malware downloader service “PrivateLoader” in the past year. 
  • The appearance of the stealer as a payload for a pay-per-install service may indicate a threat actor’s confidence in the stealer’s abilities.
  • RisePro appears to be a clone of the stealer malware “Vidar.”

RisePro logs on Russian Market

“RisePro” is a newly identified stealer written in C++ that appears to possess similar functionality to the stealer malware “Vidar.” RisePro targets potentially sensitive information on infected machines and attempts to exfiltrate it in the form of logs. 

Flashpoint first identified RisePro on December 13, 2022 after analysts identified several sets of logs uploaded to the illicit underground market Russian Market, which listed their source as “risepro.” 
Russian Market is a log shop similar to other log markets, such as Genesis, in which threat actors can upload and sell logs collected from stealers. At the time of writing, Russian Market has featured over 2,000 logs allegedly sourced from RisePro.

RisePro stealer logs appear on Russian Market. The earliest recorded upload of logs using RisePro occurred on December 12, 2022. (Source: Flashpoint)

We have identified malicious samples that appear to be related to RisePro based on identifying strings in the samples. During investigations of open source intelligence, such as open source sandbox analyses from other security researchers, our analysts identified several samples of RisePro that were dropped or downloaded by the pay-per-install malware downloader service “PrivateLoader.” 

PrivateLoader allows threat actors to buy the ability to have it download malicious payloads onto infected systems. Pay-per-install services are not a novel business model for threat actors operating botnets. Flashpoint analysts have observed advertisements of these types of services in the past on forums and within Telegram, which is commonly used by these stealers for customer support.

Vidar and RisePro stealers

RisePro appears to be written in C++. When reviewing the functionality of this stealer, analysts recorded similarities between RisePro and other stealer malware families. Most notably, RisePro’s uses dropped dynamic link library (DLL) dependencies that are known to be used by the stealer Vidar. 

DLL dependencies dropped by RisePro. (Source: Joe Sandbox)

This would not be the first time analysts observed a clone of Vidar being passed off as another malicious service. Vidar was originally a fork of a stealer called “Arkei” and was fully cracked and analyzed by researchers in 2018. 

At the time of writing, Russian Market has featured over 2,000 logs allegedly sourced from RisePro.

Arkei originally did not have DLL dependencies—these files were first introduced in the Vidar iteration of the stealer. Since then, notable clones of Vidar include the “Oski” and “Mars” stealers. Analysts assess this proliferation of clones is likely due to the malware being cracked. 

Analysts assess that RisePro is very likely a clone of Vidar stealer.

Indicators of compromise (IOCs)

Here are the identified hash samples of RisePro:

  • E0579dc3a1e48845194d9cd9415ae492d375fd59cea0e1adf21866afde152f89
  • C633d7549fb4a77e02fa1e48f8fb3e3b41d8a998778d2e2c024949673dad0ba5
  • d9445561cef089271565e3fe54b8da7aff3ecfe73506762ffcdaedc3615180ba
  • 8259fed869da390d33cbdb7e2e174ce58a8ebd7f1f99f104b70753eb8679b246
  • 867254ba74add6d8e7484dbdd6d45a4c12acd9e31870d84d9efe202945191286
  • 5ee280016fc53c27bbc6d049820cb6dfd33bc4e9e5c618027677793f070eefee

Command and control (C2) domains

  • neo-files[.]com
  • gamefilescript[.]com

RisePro command and control URI structure

  • /set_file.php
  • /get_loaders.php
  • /freezeStats.php
  • /get_grabbers.php
  • /get_marks.php
  • /get_settings.php
  • /pingmap.php

Protect your data and assets with Flashpoint

Flashpoint’s suite of actionable intelligence solutions enables organizations to proactively identify and mitigate cyber and physical threats and protect people, places, and assets. To unlock the power of great threat intelligence, get started with a free Flashpoint trial.

Begin your free trial today.