On December 19th, researchers from Flashpoint released a blog post detailing a new "pay-per-install" service offered by threat actors deploying the RisePro infostealer. RisePro shows significant similarity to the Vidar stealer, enough that it is likely a clone. The stealer works by identifying potentially valuable information on the infected host and exfiltrating it as "logs." The threat actor receiving the logs then uploads them to "log shops," where the stolen information is sold. As of the report, over 2000 such logs had been offered for sale since 12 December, tagged with "risepro" as their source. Analysis of the malware shows that it was highly likely written in C++, and that it drops a Dynamic-Link Library (DLL) as part of the attack chain, one that is known to be used by Vidar.