Published on March 19th, 2024
Cybersecurity researchers have recently uncovered several GitHub repositories hosting illicitly cracked software, all part of a scheme to distribute an information stealer known as RisePro.
This operation, known internally as “gitgub,” encompasses 17 repositories linked to 11 separate accounts, as detailed by G DATA.
Following the investigation, GitHub, the Microsoft-owned subsidiary, promptly removed these repositories.
Describing the discovery, the German cybersecurity firm stated, “The repositories share a common theme, each presenting a README.md file promising free access to cracked software.
Gaining trust through familiarity, the gitgub threat actors strategically included four green Unicode circles in their README.md files.
These circles, resembling the typical markers for build statuses on GitHub, were accompanied by a current date, imparting a false sense of legitimacy and recent activity.”
Here is the list of repositories, each directing to a download link (“digitalxnetwork[.]com”) hosting a RAR archive file:
- vaibhavshiledar/droidkit
- vaibhavshiledar/TOON-BOOM-HARMONY
- True-Oblivion/AOMEI-Partition-Assistant
- Roccinhu/Tenorshare-Reiboot
- Roccinhu/Tenorshare-iCareFone
- rik0v/ManyCam
- mostofakamaljoy/ccleaner
- lolusuary/AOMEI-Backupper
- lolusuary/Daemon-Tools
- lolusuary/EaseUS-Partition-Master
- lolusuary/SOOTHE-2
- javisolis123/Voicemod
- Faharnaqvi/VueScan-Crack
- BenWebsite/-IObit-Smart-Defrag-Crack
- aymenkort1990/fabfilter
- andreastanaj/AVAST
- andreastanaj/Sound-Booster
The RAR archive, requiring victims to input a password disclosed in the repository’s README.md file, contains an installer.
This installer, upon execution, unpacks the next-stage payload: an executable file deliberately inflated to 699 MB. The size inflation is meant to exceed the limits of analysis tools such as IDA Pro.
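A 699 MB binary carrying a 3.43 MB payload is mostly filler, and filler is cheap to measure. The script below is an added example, not code from the article or from G DATA: it splits a file into fixed-size blocks, counts the blocks that consist of a single repeated byte, and flags the file when the filler share crosses a threshold. The block size, the 90% threshold, and the constructed sample (64 KiB of pseudo-random "payload" padded out to 4 MiB with null bytes, mirroring the article's ratio at small scale) are assumptions for this example.

```python
"""Flag executables that have been inflated with filler bytes.

Added example, not from the article or from G DATA. The article describes a
699 MB installer whose real payload is only 3.43 MB. This script measures how
much of a file consists of blocks made of one repeated byte and flags the file
when that share is high. Block size and threshold are assumptions.
"""
from __future__ import annotations

import math
import random
from collections import Counter
from pathlib import Path

BLOCK_SIZE = 64 * 1024          # assumption: 64 KiB blocks
PADDING_RATIO_THRESHOLD = 0.90  # assumption: flag when >= 90% is filler


def is_filler_block(block: bytes) -> bool:
    """True when every byte in the block has the same value."""
    return len(block) > 0 and block.count(block[0]) == len(block)


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte (0.0 for empty input, at most 8.0)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def padding_profile(data: bytes, block_size: int = BLOCK_SIZE) -> dict:
    """Split data into fixed blocks and measure the filler share.

    Granularity is one block: filler that shares a block with real content
    is counted as real, and filler made of varying bytes is not caught here
    (the entropy of the non-filler part helps spot that case).
    """
    total = len(data)
    filler_bytes = 0
    filler_values: Counter = Counter()
    real_parts = []
    for offset in range(0, total, block_size):
        block = data[offset:offset + block_size]
        if is_filler_block(block):
            filler_bytes += len(block)
            filler_values[block[0]] += 1
        else:
            real_parts.append(block)
    real = b"".join(real_parts)
    ratio = filler_bytes / total if total else 0.0
    return {
        "total_bytes": total,
        "filler_bytes": filler_bytes,
        "real_bytes": len(real),
        "padding_ratio": ratio,
        "filler_byte": filler_values.most_common(1)[0][0] if filler_values else None,
        "real_entropy": shannon_entropy(real),
        "inflated": ratio >= PADDING_RATIO_THRESHOLD,
    }


def build_sample(real_size: int, pad_size: int, fill: bytes = b"\x00", seed: int = 7) -> bytes:
    """Constructed sample: pseudo-random 'payload' followed by filler bytes."""
    rng = random.Random(seed)
    payload = bytes(rng.getrandbits(8) for _ in range(real_size))
    return payload + fill * pad_size


def profile_file(path: str) -> dict:
    """Profile a real file on disk."""
    return padding_profile(Path(path).read_bytes())


if __name__ == "__main__":
    # Constructed: 64 KiB of payload inside a 4 MiB file (63 filler blocks).
    sample = build_sample(64 * 1024, 63 * 64 * 1024)
    for key, value in padding_profile(sample).items():
        print(f"{key}: {value}")
```

Run it against a suspect file with `profile_file(path)`; a high `padding_ratio` together with a small, high-entropy `real_bytes` region is the pattern to triage, and stripping the filler blocks first brings the sample back within the limits of the tools the inflation was meant to defeat.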
Within this file, the actual payload occupies a mere 3.43 MB. This payload serves as a loader, injecting RisePro (version 1.6) into either AppLaunch.exe or RegAsm.exe.
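Because the loader hands RisePro to AppLaunch.exe or RegAsm.exe, two legitimate .NET Framework binaries, a practical hunting question is which instances of those processes were started by a parent outside the places where their normal launchers live. The script below is an added example, not code from the article or from G DATA: it parses constructed process-creation events in a simple `key=value` format and reports injection targets whose parent executable sits outside an allowlist of trusted roots. The log format, the trusted-root list and the sample events are assumptions for this example; map them onto your own EDR or Sysmon schema.

```python
"""Hunt for RisePro-style injection targets in process-creation telemetry.

Added example, not from the article or from G DATA. The article states the
loader injects RisePro into AppLaunch.exe or RegAsm.exe. This script flags
those processes when their parent runs from outside trusted roots. The
key=value event format, the allowlist and the sample events are assumptions.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from pathlib import PureWindowsPath

INJECTION_TARGETS = {"applaunch.exe", "regasm.exe"}

# Assumption: parents under these roots are treated as expected launchers
# (build tools, installers and shells that live in system locations).
TRUSTED_PARENT_ROOTS = (
    "c:\\windows\\",
    "c:\\program files\\",
    "c:\\program files (x86)\\",
)

# Constructed sample telemetry, one process-creation event per line.
SAMPLE_EVENTS = """\
time=2024-03-19T10:01:02Z image=C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\RegAsm.exe parent=C:\\Program Files\\Microsoft Visual Studio\\2022\\Community\\MSBuild\\Current\\Bin\\MSBuild.exe user=CORP\\dev1
time=2024-03-19T10:04:45Z image=C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\AppLaunch.exe parent=C:\\Users\\victim\\Downloads\\cracked-setup\\Installer.exe user=CORP\\victim
time=2024-03-19T10:05:10Z image=C:\\Windows\\System32\\notepad.exe parent=C:\\Windows\\explorer.exe user=CORP\\victim
time=2024-03-19T10:06:33Z image=C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\RegAsm.exe parent=C:\\Users\\victim\\AppData\\Local\\Temp\\installer.exe user=CORP\\victim
"""


@dataclass
class Finding:
    time: str
    image: str
    parent: str
    user: str
    reason: str


def parse_event(line: str) -> dict[str, str]:
    """Parse 'key=value' pairs; values may contain spaces, keys cannot."""
    return dict(re.findall(r"(\w+)=(.*?)(?=\s+\w+=|$)", line.strip()))


def is_trusted_parent(parent: str) -> bool:
    """Case-insensitive prefix match against the trusted roots."""
    lowered = parent.lower()
    return any(lowered.startswith(root) for root in TRUSTED_PARENT_ROOTS)


def hunt(events: str) -> list[Finding]:
    """Return one Finding per injection target with an untrusted parent."""
    findings: list[Finding] = []
    for line in events.splitlines():
        if not line.strip():
            continue
        event = parse_event(line)
        image_name = PureWindowsPath(event.get("image", "")).name.lower()
        if image_name not in INJECTION_TARGETS:
            continue
        parent = event.get("parent", "")
        if is_trusted_parent(parent):
            continue
        findings.append(Finding(
            time=event.get("time", ""),
            image=event.get("image", ""),
            parent=parent,
            user=event.get("user", ""),
            reason=f"{image_name} started by a parent outside trusted roots",
        ))
    return findings


if __name__ == "__main__":
    for finding in hunt(SAMPLE_EVENTS):
        print(f"{finding.time} {finding.user}: {finding.reason}")
        print(f"    image:  {finding.image}")
        print(f"    parent: {finding.parent}")
```

The first sample event (RegAsm.exe launched by MSBuild under Program Files) is a normal developer action and is not reported; the two launches from a user's Downloads and Temp folders are. The allowlist is a heuristic: a loader that has already been installed under Program Files would pass it, so pair the parent check with other signals such as the file-size profile of the parent or its signature status.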
RisePro first gained notoriety in late 2022 through its distribution via a pay-per-install (PPI) malware downloader service dubbed PrivateLoader.
Written in C++, the stealer harvests sensitive data from compromised systems and sends it to two Telegram channels; Telegram is a service threat actors commonly use for data exfiltration.
Interestingly, recent findings by Checkmarx demonstrated the potential to infiltrate and redirect messages from an attacker’s bot to another Telegram account.
This revelation coincides with Splunk’s detailed analysis of Snake Keylogger’s tactics and techniques, characterizing it as a multifaceted data-stealing malware. “Snake Keylogger utilizes a variety of methods for data exfiltration,” Splunk explained.
“FTP ensures secure file transfers, while SMTP enables the transmission of emails containing sensitive data.
Moreover, integration with Telegram provides a real-time communication channel for immediate sharing of stolen information.”
Data-stealing malware, known as “stealers,” has gained significant traction, often serving as the initial access vector for ransomware and other high-impact data breaches.
A recent report by Specops highlights RedLine, Vidar, and Raccoon as the most prevalent stealers, with RedLine alone responsible for the compromise of over 170.3 million passwords in the last six months.
“The surge in information-stealing malware underlines the ever-evolving landscape of digital threats,” noted Flashpoint in January 2024.
“While the primary motivation behind their use remains financial gain, these stealers continue to evolve, becoming more accessible and user-friendly.”