Cybersecurity researchers have discovered a number of GitHub repositories offering cracked software that are being used to distribute an information stealer called RisePro.
Codenamed gitgub by G DATA, the campaign encompasses 17 repositories associated with 11 different accounts. The repositories in question have since been taken down by the Microsoft-owned subsidiary.
“These repositories are similar and contain README.md files that promise free cracked software,” the German cybersecurity firm said.
“Green and red circles are commonly used on GitHub to display the status of automated builds. Gitgub threat actors added four green Unicode circles to their README.md that pretend to display a status alongside the current date, providing a sense of legitimacy and recency.”
Each repository includes a download link (pointing to “digitalxnetwork[.]com”) that serves a RAR archive file. The repositories are listed below:
- AndreaStanagy/AVAST
- AndreaStanagy/Sound-Booster
- Imencoat1990/fabfilter
- BenWebsite/-IObit-Smart-Defrag-Crack
- Faharnaqvi/VueScan-Crack
- javisolis123/Voicemod
- lolusuary/AOMEI-Backupper
- lolusuary/Daemon-Tools
- lolusuary/EaseUS-Partition-Master
- lolusuary/SOOTHE-2
- MostFakamarjoy/Cleaner
- rik0v/manycam
- Roccinhu/Tenorshare-ReiBoot
- Roccinhu/Tenorshare-iCareFone
- True-Oblivion/AOMEI-Partition-Assistant
- VaibhavShiredar/DroidKit
- VaibhavShiredar/Toon-Boom-Harmony
The RAR archives require victims to enter a password provided in the repository's README.md file. The archive contains an installer that unpacks the next-stage payload, an executable inflated to 699 MB in an attempt to crash analysis tools such as IDA Pro.
The actual payload (only 3.43 MB) acts as a loader that injects RisePro (version 1.6) into AppLaunch.exe or RegAsm.exe.
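The file-inflation trick described above (a 699 MB executable carrying only 3.43 MB of real content) is easy to triage programmatically: parse the PE section table, measure how much of the file lies beyond the last section (the overlay), and check whether that overlay is mostly padding. The following is an added example written for this page, not code from G DATA or from the malware; it builds a constructed minimal PE32 as its test input rather than using a real sample, and the thresholds in `is_bloated` are assumptions you would tune to your own corpus.

```python
import random
import struct
import zlib

PE_SIGNATURE = b"PE\0\0"
FILE_HEADER_SIZE = 20      # IMAGE_FILE_HEADER
SECTION_HEADER_SIZE = 40   # IMAGE_SECTION_HEADER


def section_extents(data: bytes):
    """Return [(PointerToRawData, SizeOfRawData), ...] parsed from the PE section table."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ/PE file")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != PE_SIGNATURE:
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    size_of_optional = struct.unpack_from("<H", data, coff + 16)[0]
    table = coff + FILE_HEADER_SIZE + size_of_optional
    extents = []
    for i in range(num_sections):
        hdr = table + i * SECTION_HEADER_SIZE
        size_raw, ptr_raw = struct.unpack_from("<II", data, hdr + 16)
        extents.append((ptr_raw, size_raw))
    return extents


def analyze_overlay(data: bytes) -> dict:
    """Measure the overlay (bytes past the last section) and how compressible it is.
    Zero or repeated padding compresses to almost nothing; real data does not."""
    end = max((ptr + size for ptr, size in section_extents(data)), default=len(data))
    end = min(end, len(data))                 # tolerate a truncated file
    overlay = data[end:]
    compressed = len(zlib.compress(overlay, 1)) / len(overlay) if overlay else 1.0
    return {
        "file_size": len(data),
        "end_of_sections": end,
        "overlay_size": len(overlay),
        "overlay_ratio": len(overlay) / len(data),
        "overlay_compressed_ratio": compressed,
    }


def is_bloated(data: bytes, min_overlay_ratio: float = 0.9,
               max_compressed_ratio: float = 0.05) -> bool:
    """Flag a file whose bulk is a highly compressible overlay (thresholds are assumptions)."""
    info = analyze_overlay(data)
    return (info["overlay_ratio"] >= min_overlay_ratio
            and info["overlay_compressed_ratio"] <= max_compressed_ratio)


def strip_overlay(data: bytes) -> bytes:
    """Truncate at the end of the last section so the file fits in a disassembler.
    Note: this also drops any Authenticode signature stored in the overlay."""
    return data[:analyze_overlay(data)["end_of_sections"]]


def build_sample_pe(code: bytes, overlay: bytes = b"") -> bytes:
    """Construct a minimal single-section PE32 (constructed test input, not a real sample)."""
    e_lfanew = 0x40
    dos_header = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    size_of_optional = 224                    # PE32 optional header size
    file_header = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, size_of_optional, 0x0102)
    optional = struct.pack("<H", 0x10B) + b"\0" * (size_of_optional - 2)
    headers_len = e_lfanew + 4 + FILE_HEADER_SIZE + size_of_optional + SECTION_HEADER_SIZE
    ptr_raw = (headers_len + 0x1FF) & ~0x1FF  # 512-byte file alignment
    section = struct.pack("<8sIIIIIIHHI", b".text", len(code), 0x1000, len(code),
                          ptr_raw, 0, 0, 0, 0, 0x60000020)
    image = dos_header + PE_SIGNATURE + file_header + optional + section
    image += b"\0" * (ptr_raw - len(image)) + code
    return image + overlay


if __name__ == "__main__":
    stub = b"\x55\x8b\xec\xc3"                 # push ebp; mov ebp, esp; ret
    padded = build_sample_pe(stub, b"\0" * 5_000_000)
    print(analyze_overlay(padded), is_bloated(padded))
    print("stripped to", len(strip_overlay(padded)), "bytes")
```

Compressibility, not overlay presence, is the discriminator: legitimate installers and signed binaries routinely carry large overlays (NSIS or Inno payloads, Authenticode certificates), but those do not collapse to a fraction of a percent under zlib. Conversely, a file padded with random bytes will pass this check, and bloat placed inside a section rather than after it (a section whose SizeOfRawData is huge and zero-filled) is not covered here; applying the same compressibility measure per section is the natural extension. Strip the overlay only on a working copy for static analysis, since the original file's signature and hash are evidence.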
RisePro burst into the limelight in late 2022, distributed using a pay-per-install (PPI) malware downloader service known as PrivateLoader.
Written in C++, the stealer is designed to collect sensitive information from infected hosts and exfiltrate it to two Telegram channels, a mechanism commonly used by threat actors to extract victims' data. Interestingly, recent research from Checkmarx showed that it was possible to infiltrate the attacker's bot and forward messages to another Telegram account.
The development comes as Splunk detailed the tactics and techniques employed by Snake Keylogger, describing it as a stealer malware that “takes a multi-pronged approach to data theft.”
“FTP facilitates the secure transfer of files, and SMTP enables the sending of emails containing sensitive information,” Splunk said. “Furthermore, the integration with Telegram provides a real-time communication platform, allowing for the instant transmission of stolen data.”
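Both RisePro's Telegram channels and Snake Keylogger's Telegram integration share a detectable trait on the wire: the Telegram Bot API puts the bot token in the URL path (`api.telegram.org/bot<token>/<method>`), and an ordinary workstation process has no business calling it. The following detection is an added example written for this page, not code from Splunk, Checkmarx or any vendor; the proxy log lines are constructed, the `key=value` log format is an assumption, and the token shape in the regex (numeric bot id, colon, roughly 35 URL-safe characters) is an assumption about the current Bot API rather than a guarantee.

```python
import re
from collections import defaultdict

# Bot API URL with the token in the path. Token shape is an assumption for this example.
TELEGRAM_BOT_RE = re.compile(
    r"https?://api\.telegram\.org/bot(?P<token>\d{6,12}:[A-Za-z0-9_-]{30,40})/(?P<api_method>[A-Za-z]+)"
)
KV_RE = re.compile(r"(\w+)=(\S+)")

# Constructed proxy log lines (key=value, one request per line); not real telemetry.
SAMPLE_LOG = """\
ts=2024-03-11T09:12:03Z host=WS-17 proc=AppLaunch.exe method=POST url=https://api.telegram.org/bot7012345678:AAH3xQ9pTk2mL8vRbW1cYd4eFg6hJk0zXnM/sendDocument bytes=48211
ts=2024-03-11T09:12:05Z host=WS-17 proc=msedge.exe method=GET url=https://example.com/ bytes=812
ts=2024-03-11T09:13:40Z host=WS-22 proc=Telegram.exe method=POST url=https://149.154.167.50/api bytes=1200
ts=2024-03-11T09:15:01Z host=WS-17 proc=RegAsm.exe method=POST url=https://api.telegram.org/bot7012345678:AAH3xQ9pTk2mL8vRbW1cYd4eFg6hJk0zXnM/sendMessage bytes=350
"""


def parse_line(line: str) -> dict:
    """Turn one key=value log line into a dict (assumed format)."""
    return dict(KV_RE.findall(line))


def redact_token(token: str) -> str:
    """Keep the bot id (a useful pivot) and only a prefix of the secret for reports."""
    bot_id, secret = token.split(":", 1)
    return f"{bot_id}:{secret[:4]}..."


def find_telegram_exfil(lines) -> list:
    """Return one hit per request to the Telegram Bot API, with the token redacted.
    The desktop Telegram client talks to MTProto endpoints, not api.telegram.org/bot…,
    so a hit here is a bot call regardless of which process made it."""
    hits = []
    for line in lines:
        fields = parse_line(line)
        match = TELEGRAM_BOT_RE.search(fields.get("url", ""))
        if not match:
            continue
        token = match.group("token")
        hits.append({
            "ts": fields.get("ts"),
            "host": fields.get("host"),
            "proc": fields.get("proc"),
            "bot_id": token.split(":", 1)[0],
            "token_redacted": redact_token(token),
            "api_method": match.group("api_method"),
            "bytes": int(fields.get("bytes", 0)),
        })
    return hits


def pivot_by_bot(hits) -> dict:
    """Group the processes seen talking to each bot id: the same token reused by
    different injected hosts (AppLaunch.exe, RegAsm.exe) ties them to one campaign."""
    procs = defaultdict(set)
    for hit in hits:
        procs[hit["bot_id"]].add(hit["proc"])
    return {bot_id: sorted(names) for bot_id, names in procs.items()}


if __name__ == "__main__":
    found = find_telegram_exfil(SAMPLE_LOG.splitlines())
    for hit in found:
        print(hit)
    print(pivot_by_bot(found))
```

The bot id is worth keeping unredacted in the alert: it lets an analyst correlate across hosts and tenants without putting the full secret into a ticket. The same approach extends to the other two channels Splunk names, by matching SMTP (TCP 25/465/587) and FTP (TCP 21) connections from processes that are not mail or file-transfer clients, which is where a proxy log alone is insufficient and firewall or EDR network telemetry is needed.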
Stealer malware is becoming increasingly popular and is often the primary vector for ransomware and other high-impact data breaches. According to a Specops report published this week, RedLine, Vidar and Raccoon have emerged as the most widely used stealers, with RedLine alone accounting for more than 170.3 million passwords stolen in the past six months.
Flashpoint wrote in January 2024, “The current proliferation of information-stealing malware is a stark reminder of ever-evolving digital threats. Although the motivation behind their use is almost always rooted in financial gain, stealers are becoming more accessible and easier to use while continually adapting.”