GitHub Crack Campaign Unveils RisePro Information Stealer: Cybersecurity Alert
Indian Cyber Security Solutions (GreenFellow IT Security Solutions Pvt Ltd)
"Securing your world Digitally"
Cybersecurity researchers recently uncovered a series of GitHub repositories housing cracked software, utilized as a vehicle to distribute a pernicious information stealer dubbed RisePro.
Dubbed the "gitgub" campaign, the initiative featured 17 repositories linked to 11 distinct accounts, as per findings by G DATA. These repositories have since been removed by the Microsoft-owned platform.
According to the German cybersecurity firm, the repositories shared a common structure: a README.md file promising free cracked software. To lend the pages an appearance of legitimacy and freshness, the threat actors decorated these README files with four Unicode green circles, mimicking the status indicators commonly seen on GitHub, alongside a current date.
Each implicated repository advertised a different software title, among them AVAST, Sound Booster, Daemon Tools and Tenorshare Reiboot, and every one directed users to a download link hosted on "digitalxnetwork[.]com" that served a RAR archive file.
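The README traits described above (green-circle status badges, a recent date, a link to an off-GitHub download host, an advertised archive password) are cheap to check mechanically. The following script is an added hunting example written for this article, not G DATA's code or anything from the campaign; the sample README text and its download domain are constructed placeholders, not the real repositories or the real host.

```python
import re
from datetime import date

# U+1F7E2 is the Unicode green circle the lure READMEs used to imitate GitHub status badges.
GREEN_CIRCLE = "\U0001F7E2"

# Constructed sample README modelled on the lure layout described in the report.
# The download domain below is a placeholder (.invalid TLD), not the campaign's host.
SAMPLE_README = """# Sound Booster Full Version 2024 Cracked
🟢🟢🟢🟢 Status: Working | Updated: 2024-03-13
## Download
[Download here](https://dl.example.invalid/soundbooster.rar)
Password: 1234
"""

URL_RE = re.compile(r"https?://([A-Za-z0-9.-]+)")
DATE_RE = re.compile(r"\b\d{4}-\d{2}-\d{2}\b")


def score_readme(text, today=None):
    """Return (score, reasons) describing how closely a README matches the crack-lure pattern.

    Each independent trait adds one point; a score of 3 or more is worth a manual look.
    `today` is injectable so the date check is deterministic in tests.
    """
    today = today or date.today()
    reasons = []

    if text.count(GREEN_CIRCLE) >= 4:
        reasons.append("four or more green-circle status indicators")

    hosts = URL_RE.findall(text)
    external = [h for h in hosts if not h.lower().endswith("github.com")]
    if external:
        reasons.append("download link to external host(s): " + ", ".join(external))

    if re.search(r"\bpassword\b", text, re.I):
        reasons.append("archive password handed out in the README")

    if re.search(r"\.rar\b", text, re.I):
        reasons.append("links to a RAR archive")

    if re.search(r"\bcrack(ed)?\b", text, re.I):
        reasons.append("advertises cracked software")

    # A date within a week of 'today' is the 'freshly updated' signal the lure relies on.
    for m in DATE_RE.findall(text):
        try:
            d = date.fromisoformat(m)
        except ValueError:
            continue
        if abs((today - d).days) <= 7:
            reasons.append("recent date %s used to suggest the crack is current" % m)
            break

    return len(reasons), reasons


if __name__ == "__main__":
    score, why = score_readme(SAMPLE_README)
    print("score", score)
    for r in why:
        print(" -", r)
```

Run it over the README.md of any repository you are asked to vet; the reasons list is what you would paste into a takedown or triage ticket. The thresholds are heuristics, so treat a high score as a prompt for review rather than a verdict.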
To extract the RAR archive, victims had to enter a password published in the respective repository's README.md file. Inside was an installer file, which deployed the next-stage payload: an executable padded out to a sizeable 699 MB, apparently to thwart analysis tools such as IDA Pro.
However, the actual payload concealed within amounted to a mere 3.43 MB and operated as a loader to inject RisePro (version 1.6) into either AppLaunch.exe or RegAsm.exe processes.
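Inflating a 3.43 MB loader to 699 MB works only because the filler is cheap to generate, which also makes it cheap to spot: a file that ends in one enormous run of a single byte, or whose chunks are overwhelmingly zero-entropy, is not a normal build artefact. The script below is an added triage example written for this article, not code from G DATA or from the campaign; the sample "inflated" file is constructed in memory (a 4 KiB high-entropy stub followed by 60 KiB of zeros) so the logic can be exercised offline, and the size threshold is an assumption you should tune for your environment.

```python
import math
from collections import Counter

CHUNK = 4096  # size of the windows used for the per-chunk entropy scan


def chunk_entropy(buf):
    """Shannon entropy of a byte string in bits per byte (0.0 for a run of one byte, 8.0 at most)."""
    if not buf:
        return 0.0
    n = len(buf)
    return -sum(c / n * math.log2(c / n) for c in Counter(buf).values())


def padding_profile(data, low_entropy=1.0):
    """Measure how much of a file is filler.

    trailing_run: length of the run of a single repeated byte at end of file.
    payload_estimate: size minus that run, i.e. roughly what was really shipped.
    low_entropy_fraction: share of CHUNK-sized windows whose entropy is below `low_entropy`.
    """
    size = len(data)
    if size == 0:
        return {"size": 0, "trailing_run": 0, "payload_estimate": 0,
                "filler_ratio": 0.0, "low_entropy_fraction": 0.0}
    last = bytes([data[-1]])
    trailing_run = size - len(data.rstrip(last))  # rstrip walks the run in C, fast even for huge files
    windows = range(0, size, CHUNK)
    low = sum(1 for off in windows if chunk_entropy(data[off:off + CHUNK]) < low_entropy)
    return {
        "size": size,
        "trailing_run": trailing_run,
        "payload_estimate": size - trailing_run,
        "filler_ratio": trailing_run / size,
        "low_entropy_fraction": low / len(windows),
    }


def is_inflated(data, filler_ratio=0.9, min_size=50 * 1024 * 1024):
    """Flag a file when it is large and mostly filler. Defaults are assumptions, not published thresholds."""
    p = padding_profile(data)
    return p["size"] >= min_size and (
        p["filler_ratio"] >= filler_ratio or p["low_entropy_fraction"] >= filler_ratio
    )


# Constructed samples: a 4 KiB stub with every byte value (max entropy) stands in for the real loader;
# SAMPLE_INFLATED appends 60 KiB of zero padding in the style of the 699 MB lure.
SAMPLE_CLEAN = bytes(range(256)) * 16
SAMPLE_INFLATED = SAMPLE_CLEAN + b"\x00" * (60 * 1024)


def scan_file(path, **kwargs):
    """Read a file from disk and return (is_inflated, profile). Reads it whole; use mmap for very large sets."""
    with open(path, "rb") as fh:
        data = fh.read()
    return is_inflated(data, **kwargs), padding_profile(data)


if __name__ == "__main__":
    for name, blob in (("clean", SAMPLE_CLEAN), ("inflated", SAMPLE_INFLATED)):
        print(name, padding_profile(blob), "inflated:", is_inflated(blob, min_size=0))
```

On a real sample the interesting number is payload_estimate: it tells you what to actually load into the disassembler. Padding is not always a trailing run of one byte, so the entropy fraction is kept as a second signal for files stuffed with repeated patterns rather than zeros.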
RisePro initially gained notoriety in late 2022 when it was disseminated via a pay-per-install (PPI) malware downloader service dubbed PrivateLoader. Written in C++, the malware is engineered to harvest sensitive data from infected hosts, subsequently funneling it to two Telegram channels often frequented by threat actors.
Recent research from Checkmarx highlighted a weakness in Telegram's platform that allows an attacker's bot to be infiltrated and its messages forwarded to other Telegram accounts.
In parallel developments, Splunk outlined the tactics employed by Snake Keylogger, characterizing it as a multifaceted stealer malware leveraging FTP for secure file transfer, SMTP for sending sensitive data-laden emails, and Telegram for real-time communication.
The rise of information-stealing malware signifies an escalating digital threat landscape, as highlighted by a Specops report identifying RedLine, Vidar, and Raccoon as prevalent stealers. Notably, RedLine alone purportedly pilfered over 170.3 million passwords within the preceding six months.
This surge in stealer malware underscores the evolving threat landscape, with Flashpoint emphasizing their adaptability and increased accessibility, posing significant challenges for cybersecurity practitioners.