Cybersecurity researchers have uncovered several GitHub repositories that offer cracked software used to distribute an information stealer called RisePro.
The operation, known as gitgub, involves 17 repositories linked to 11 different accounts, according to G DATA. The repositories have been removed by the Microsoft-owned subsidiary.
“The repositories share a common appearance, featuring a README.md file advertising free cracked software,” stated the German cybersecurity company G DATA.
“Gitgub threat actors incorporated four green Unicode circles into their README.md file, giving the impression of a status report along with a current date to appear legitimate and recent.”
Below is a list of repositories that lead to a download link (“digitalxnetwork[.]com”) hosting a RAR archive file –
- andreastanaj/AVAST
- andreastanaj/Sound-Booster
- aymenkort1990/fabfilter
- BenWebsite/-IObit-Smart-Defrag-Crack
- Faharnaqvi/VueScan-Crack
- javisolis123/Voicemod
- lolusuary/AOMEI-Backupper
- lolusuary/Daemon-Tools
- lolusuary/EaseUS-Partition-Master
- lolusuary/SOOTHE-2
- mostofakamaljoy/ccleaner
- rik0v/ManyCam
- Roccinhu/Tenorshare-Reiboot
- Roccinhu/Tenorshare-iCareFone
- True-Oblivion/AOMEI-Partition-Assistant
- vaibhavshiledar/droidkit
- vaibhavshiledar/TOON-BOOM-HARMONY
The RAR archive requires victims to enter a password mentioned in the README.md file, and it contains an installer file that unpacks the next-stage payload, a 699 MB executable file designed to evade analysis tools like IDA Pro.
The actual payload, which is only 3.43 MB in size, serves as a loader to inject RisePro (version 1.6) into either AppLaunch.exe or RegAsm.exe.
RisePro gained attention in late 2022 when it was distributed through a pay-per-install (PPI) malware downloader service called PrivateLoader.
Developed in C++, RisePro is intended to collect sensitive information from infected devices and send it to two Telegram channels used by threat actors for data extraction. Recent research by Checkmarx demonstrated that it’s possible to infiltrate and forward messages from an attacker’s bot to another Telegram account.
Splunk recently detailed the tactics of Snake Keylogger, describing it as a multifaceted stealer malware employing FTP for file transfer, SMTP for sending emails, and integration with Telegram for real-time communication.
Stealer malware, such as RedLine, Vidar, and Raccoon, have become popular vectors for ransomware and data breaches, with RedLine alone stealing over 170.3 million passwords in the last six months.
Flashpoint highlighted the evolving threat landscape of information-stealing malware in January 2024, noting that while these threats are primarily financially motivated, they are becoming more accessible and easier to use.
