On December 19th, researchers from Flashpoint released a blog detailing a new “pay-per-install” service provided by threat actors deploying the RisePro infostealer. RisePro shows significant similarity to the Vidar stealer, enough that it is likely a clone. The stealer works by identifying potentially valuable information and exfiltrating it as “logs.” The threat actor receiving the logs then uploads them to “log shops,” where the information is sold. As of the report, over 2000 such logs had been offered for sale since 12 December, tagged with “risepro” as their source. Analysis of the malware shows that it is highly likely to have been written in C++, and that it additionally drops a Dynamic-Link Library (DLL) as part of the attack chain, one that is known to be used by Vidar.
Pay-per-install services aren’t new, but their presence usually indicates a reasonable degree of confidence by the service provider that their malware will deliver the desired end state for their client. Primarily, companies should keep any Detection and Response systems (EDR/MDR/XDR/etc.) and Anti-Virus (AV) up to date so they can identify the latest detected malware campaigns. Additionally, netflow analysis and DNS monitoring can help detect command and control (C2) and data exfiltration; both require an understanding of baseline user behavior to establish useful comparisons.
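As an added illustration of the baseline-driven DNS monitoring recommended above (example code written for this post, not Flashpoint's tooling and not anything derived from RisePro), the script below builds a per-host baseline from constructed resolver log lines and then triages a later window against it: registered domains a host never resolved during the baseline period, daily query volumes well above that host's norm, and long, high-entropy leftmost labels of the kind DNS tunnelling produces. The log format, hosts, domain names and the three thresholds are all assumptions made up for the example.

```python
"""Baseline-driven DNS anomaly triage (illustrative example, not vendor code)."""
import math
import statistics
from collections import Counter, defaultdict

LABEL_MIN_LEN = 16       # assumption: only labels at least this long are entropy-checked
LABEL_MIN_ENTROPY = 3.5  # assumption: bits/char; pseudo-random labels sit well above this
SIGMA = 3.0              # assumption: spike threshold is mean + SIGMA*stdev, floor 2x mean

# Constructed baseline log, format "<ISO timestamp> <client_ip> <query_name>".
BASELINE_LOG = """\
2023-12-04T09:00:01 10.0.0.5 intranet.example.local
2023-12-04T09:05:10 10.0.0.5 updates.example-vendor.com
2023-12-04T10:12:44 10.0.0.5 mail.example.com
2023-12-04T09:01:30 10.0.0.7 intranet.example.local
2023-12-04T11:20:00 10.0.0.7 cdn.example-news.org
2023-12-05T09:00:03 10.0.0.5 intranet.example.local
2023-12-05T09:04:55 10.0.0.5 updates.example-vendor.com
2023-12-05T13:30:21 10.0.0.5 mail.example.com
2023-12-05T09:02:12 10.0.0.7 intranet.example.local
2023-12-05T14:00:00 10.0.0.7 cdn.example-news.org
2023-12-06T09:00:02 10.0.0.5 intranet.example.local
2023-12-06T10:01:15 10.0.0.5 mail.example.com
2023-12-06T09:03:40 10.0.0.7 intranet.example.local
2023-12-06T15:45:09 10.0.0.7 cdn.example-news.org
"""

# Constructed window: 10.0.0.7 behaves as usual; 10.0.0.5 suddenly resolves a burst of
# long pseudo-random labels under a domain it never touched during the baseline.
WINDOW_LOG = """\
2023-12-12T09:00:01 10.0.0.5 intranet.example.local
2023-12-12T09:00:09 10.0.0.5 q3k9v2m8x1z7p4r6t0w5y.newdomain-example.net
2023-12-12T09:00:10 10.0.0.5 3k9v2m8x1z7p4r6t0w5yq.newdomain-example.net
2023-12-12T09:00:11 10.0.0.5 k9v2m8x1z7p4r6t0w5yq3.newdomain-example.net
2023-12-12T09:00:12 10.0.0.5 9v2m8x1z7p4r6t0w5yq3k.newdomain-example.net
2023-12-12T09:00:13 10.0.0.5 v2m8x1z7p4r6t0w5yq3k9.newdomain-example.net
2023-12-12T09:00:14 10.0.0.5 2m8x1z7p4r6t0w5yq3k9v.newdomain-example.net
2023-12-12T09:00:15 10.0.0.5 m8x1z7p4r6t0w5yq3k9v2.newdomain-example.net
2023-12-12T09:00:16 10.0.0.5 8x1z7p4r6t0w5yq3k9v2m.newdomain-example.net
2023-12-12T09:02:00 10.0.0.7 intranet.example.local
2023-12-12T11:30:45 10.0.0.7 cdn.example-news.org
"""


def parse_dns_log(text):
    """Parse the constructed log format into (day, client, qname) tuples; skip bad lines."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        ts, client, qname = parts
        records.append((ts[:10], client, qname.lower().rstrip(".")))
    return records


def registered_domain(qname):
    """Naive last-two-labels approximation; real deployments should use the public suffix list."""
    labels = qname.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else qname


def shannon_entropy(s):
    """Bits per character of s (0.0 for an empty string)."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def build_baseline(records):
    """Per client: the set of registered domains seen and (mean, stdev) of daily query counts."""
    domains = defaultdict(set)
    daily = defaultdict(lambda: defaultdict(int))
    for day, client, qname in records:
        domains[client].add(registered_domain(qname))
        daily[client][day] += 1
    stats = {}
    for client, per_day in daily.items():
        counts = list(per_day.values())
        stdev = statistics.stdev(counts) if len(counts) > 1 else 0.0
        stats[client] = (statistics.mean(counts), stdev)
    return {"domains": domains, "stats": stats}


def triage_window(baseline, records):
    """Compare a later window to the baseline and return a list of finding dicts."""
    findings, seen = [], set()
    daily = defaultdict(lambda: defaultdict(int))
    for day, client, qname in records:
        daily[client][day] += 1
        dom = registered_domain(qname)
        if dom not in baseline["domains"].get(client, set()) and ("dom", client, dom) not in seen:
            seen.add(("dom", client, dom))
            findings.append({"client": client, "type": "new_domain", "detail": dom})
        label = qname.split(".")[0]  # leftmost label carries tunnelled payload, if any
        if len(label) >= LABEL_MIN_LEN and shannon_entropy(label) >= LABEL_MIN_ENTROPY \
                and ("lbl", client, qname) not in seen:
            seen.add(("lbl", client, qname))
            findings.append({"client": client, "type": "suspicious_label", "detail": qname})
    for client, per_day in daily.items():
        if client not in baseline["stats"]:
            continue  # unknown host: new_domain findings already cover it
        mean, stdev = baseline["stats"][client]
        threshold = max(mean + SIGMA * stdev, 2 * mean)
        for day, count in per_day.items():
            if count > threshold:
                findings.append({"client": client, "type": "volume_spike",
                                 "detail": f"{day}: {count} queries vs baseline mean {mean:.1f}"})
    return findings


def run_example():
    """Build the baseline from BASELINE_LOG and triage WINDOW_LOG against it."""
    return triage_window(build_baseline(parse_dns_log(BASELINE_LOG)), parse_dns_log(WINDOW_LOG))


if __name__ == "__main__":
    for f in run_example():
        print(f"{f['client']:10} {f['type']:17} {f['detail']}")
```

On the constructed data, every finding concerns 10.0.0.5 (one new domain, eight suspicious labels, one volume spike) while 10.0.0.7 stays quiet, which is the point of baselining: the same query volume that is normal for one host is an outlier for another. In production the baseline would be rebuilt on a rolling window, the registered-domain logic would use the public suffix list, and the findings would be joined against netflow records for the same host before anyone is paged.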