
GitHub Repositories Used to Distribute RisePro Information Stealer Uncovered

Researchers have uncovered an information-stealing campaign dubbed "gitgub" that uses GitHub repositories to distribute the RisePro information stealer. In total, 17 repositories tied to 11 different accounts were identified, all of which GitHub has since taken down.

The repositories all looked alike: each carried a README.md file promising free cracked software. To give the repositories an air of legitimacy and recent activity, the operators added four green Unicode circles to the README, mimicking the status indicators commonly seen on GitHub and making it easier to lure unsuspecting visitors into downloading the malicious content.

G DATA, a German security company, was the first to document the threat and has warned users to be cautious when downloading software from unknown sources: obtain software only from reputable sources and treat any offer of free or "cracked" commercial software as a red flag.

The list of repositories involved in this campaign includes:

  • andreastanaj/AVAST
  • andreastanaj/Sound-Booster
  • aymenkort1990/fabfilter
  • BenWebsite/-IObit-Smart-Defrag-Crack
  • Faharnaqvi/VueScan-Crack
  • javisolis123/Voicemod
  • lolusuary/AOMEI-Backupper
  • lolusuary/Daemon-Tools
  • lolusuary/EaseUS-Partition-Master
  • lolusuary/SOOTHE-2
  • mostofakamaljoy/ccleaner
  • rik0v/ManyCam
  • Roccinhu/Tenorshare-Reiboot
  • Roccinhu/Tenorshare-iCareFone
  • True-Oblivion/AOMEI-Partition-Assistant
  • vaibhavshiledar/droidkit
  • vaibhavshiledar/TOON-BOOM-HARMONY

Each repository contained a download link to a RAR archive hosted on "digitalxnetwork[.]com." The archive was password-protected, with the password stated in the repository's README.md. Inside was an installer that unpacked the next-stage payload: a 699 MB executable, bloated to that size in order to crash analysis tools such as IDA Pro.

On closer inspection, the file's real content amounted to only 3.43 MB; the rest is padding. The executable acts as a loader that injects RisePro (version 1.6) into either AppLaunch.exe or RegAsm.exe. RisePro is a stealer that first gained attention in late 2022, when it was distributed through PrivateLoader, a pay-per-install malware downloader service. Written in C++, it is designed to collect sensitive information from infected devices and send it to two Telegram channels; Telegram is a popular platform for cybercriminals to exfiltrate victims' data.
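A 699 MB file that really holds 3.43 MB is easy to spot once you compare the file size with what the PE headers actually declare. The Python below is an added example for this article, not code from G DATA or from the campaign: it parses just enough of the PE headers (stdlib only, no pefile) to find where the last section's raw data ends, reports everything past that point as overlay or padding, and cross-checks with a count of trailing NUL bytes. The sample produced by make_padded_sample() is a constructed one-section PE32 skeleton, not a real binary, and its sizes are scaled down from the 699 MB / 3.43 MB case.

```python
"""Measure how much of a padded executable is real content.

Added example, not code from G DATA or the original article. The sample
from make_padded_sample() is a constructed PE32 skeleton, not a real
binary; header values are plausible but the file will not run.
"""
import struct


def real_content_end(data: bytes) -> int:
    """Offset where the last piece of data the PE headers declare ends.

    That is max(SizeOfHeaders, PointerToRawData + SizeOfRawData) over all
    sections. Bytes after it are never mapped by the Windows loader.
    """
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4                      # IMAGE_FILE_HEADER
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    size_opt = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20                          # IMAGE_OPTIONAL_HEADER
    # SizeOfHeaders sits at +60 in both PE32 and PE32+ optional headers.
    end = struct.unpack_from("<I", data, opt + 60)[0]
    sec_table = opt + size_opt               # IMAGE_SECTION_HEADER[], 40 bytes each
    for i in range(num_sections):
        raw_size, raw_ptr = struct.unpack_from("<II", data, sec_table + i * 40 + 16)
        if raw_size:
            end = max(end, raw_ptr + raw_size)
    return end


def trailing_padding(data: bytes) -> int:
    """Trailing NUL bytes: a cheap second opinion that needs no parsing."""
    return len(data) - len(data.rstrip(b"\0"))


def padding_report(data: bytes) -> dict:
    """Summarise file size vs. declared content so bloated samples stand out."""
    end = real_content_end(data)
    return {
        "file_size": len(data),
        "declared_end": end,
        "overlay": len(data) - end,
        "trailing_nul": trailing_padding(data),
    }


def make_padded_sample(real_size: int = 3 * 1024, padded_size: int = 64 * 1024) -> bytes:
    """Constructed sample: one-section PE32 skeleton followed by NUL padding."""
    size_headers = 0x200
    raw_ptr, raw_size = size_headers, real_size - size_headers
    hdr = bytearray(size_headers)
    hdr[:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x80)                  # e_lfanew
    hdr[0x80:0x84] = b"PE\0\0"
    coff = 0x84
    # Machine=i386, 1 section, no timestamp/symbols, 0xE0-byte optional header
    struct.pack_into("<HHIIIHH", hdr, coff, 0x14C, 1, 0, 0, 0, 0xE0, 0x102)
    opt = coff + 20
    struct.pack_into("<H", hdr, opt, 0x10B)                  # PE32 magic
    struct.pack_into("<I", hdr, opt + 60, size_headers)      # SizeOfHeaders
    sec = opt + 0xE0
    hdr[sec:sec + 8] = b".text\0\0\0"
    # VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData
    struct.pack_into("<IIII", hdr, sec + 8, raw_size, 0x1000, raw_size, raw_ptr)
    body = b"\xCC" * raw_size                                # stand-in for code
    return bytes(hdr) + body + b"\0" * (padded_size - real_size)


if __name__ == "__main__":
    print(padding_report(make_padded_sample()))
```

On a real sample, run padding_report() over the file bytes: a large "overlay" value with a matching "trailing_nul" count is the padding signature described above, and the declared_end offset tells you how much of the file is worth feeding to a disassembler. Overlay that is not NUL-filled deserves a second look, since installers and some packers legitimately append data there.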

Interestingly, recent research from Checkmarx has shown that it is possible to infiltrate such a channel and forward messages from an attacker's bot to another Telegram account. This works because the bot token a stealer uses to post to the Telegram Bot API has to be embedded in the sample, and whoever extracts it gets the same API access as the operator. The finding is timely: Splunk has released a report detailing the tactics and techniques of Snake Keylogger, a stealer that "uses a multifaceted approach to exfiltrate data." According to Splunk, Snake Keylogger uses FTP to upload files (in cleartext; FTP offers no transport security), SMTP to send emails containing the stolen information, and Telegram for real-time, immediate transmission of stolen data.
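The Checkmarx observation is possible because the credentials a stealer uses to talk to Telegram travel inside the sample. The Python below is an added example, not code from Checkmarx, Splunk, or the article: it pulls a bot token, chat_id and API method names out of a constructed strings dump and builds, without sending anything, the forwardMessage call an analyst would use to copy an exfil message into a chat they control. The sample strings, the token, the chat ids and the message id are all made up for the demo; the Bot API URL shape and the forwardMessage parameter names are the real ones.

```python
"""Pull Telegram Bot API credentials out of a stealer sample's strings.

Added example for this article, not Checkmarx's or Splunk's code. A stealer
that reports to Telegram must carry its bot token and destination chat_id,
so the same credentials are available to anyone who extracts them. The
strings below are constructed for the demo; the token and chat_id are fake.
"""
import re
from urllib.parse import urlencode

# Bot tokens look like <bot id>:<35-char secret>; "bot" is usually glued on
# in front inside the API URL, so no leading word boundary is required.
TOKEN_RE = re.compile(rb"(\d{8,10}:[A-Za-z0-9_-]{35})(?![A-Za-z0-9_-])")
# chat_id may appear as a query parameter or as a JSON key.
CHAT_ID_RE = re.compile(rb"chat_id[=\":\s]+\"?(-?\d{5,})")
# Which Bot API methods the sample calls (sendDocument, sendMessage, ...).
METHOD_RE = re.compile(rb"api\.telegram\.org/bot[^/\s\"]+/(\w+)")

# Constructed "strings" output of a hypothetical sample (not a real dump).
SAMPLE_STRINGS = b"\n".join([
    b"kernel32.dll",
    b"https://api.telegram.org/bot1234567890:AAF0Y8cAbCdEfGhIjKlMnOpQrStUvWxYz01/sendDocument",
    b"chat_id=-1001234567890",
    b"AppLaunch.exe",
    b"RegAsm.exe",
])


def extract_telegram_iocs(blob: bytes) -> dict:
    """Return the bot tokens, chat ids and API methods found in raw bytes."""
    return {
        "tokens": sorted({m.decode() for m in TOKEN_RE.findall(blob)}),
        "chat_ids": sorted({m.decode() for m in CHAT_ID_RE.findall(blob)}),
        "methods": sorted({m.decode() for m in METHOD_RE.findall(blob)}),
    }


def forward_request(token: str, from_chat: str, to_chat: str, message_id: int) -> str:
    """Build the forwardMessage call that copies one message from the
    attacker's exfil chat to a chat the analyst controls.

    Only the URL is built; nothing is sent. chat_id / from_chat_id /
    message_id are the Bot API's own parameter names.
    """
    params = {"chat_id": to_chat, "from_chat_id": from_chat, "message_id": message_id}
    return f"https://api.telegram.org/bot{token}/forwardMessage?{urlencode(params)}"


if __name__ == "__main__":
    iocs = extract_telegram_iocs(SAMPLE_STRINGS)
    print(iocs)
    # "777" stands in for the analyst's own chat id; 42 for a message id.
    print(forward_request(iocs["tokens"][0], iocs["chat_ids"][0], "777", 42))
```

In practice the strings come from a memory dump or an unpacked sample rather than the padded loader on disk, and the token is also an indicator worth blocking at the proxy: the URL path `/bot<token>/` is constant for a given operator even when chat ids change.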

Stealer malware has become increasingly common, often serving as the initial access vector for ransomware and other high-impact data breaches. A report from Specops published this week highlights the prevalence of stealers such as RedLine and Vidar and the need for stronger defenses against them.

Deitasoft © 2024. All Rights Reserved.