“RisePro” Stealer and Pay-Per-Install Malware “PrivateLoader”


Key takeaways

  • “RisePro” is a stealer malware that first appeared on December 13, 2022 as the listed source of credential logs on the illicit log shop Russian Market.
  • RisePro’s presence on Russian Market may indicate its growing popularity within the threat actor community. 
  • Samples that Flashpoint analysts identified indicate that RisePro may have been dropped or downloaded by the pay-per-install malware downloader service “PrivateLoader” in the past year. 
  • The appearance of the stealer as a payload for a pay-per-install service may indicate a threat actor’s confidence in the stealer’s abilities.
  • RisePro appears to be a clone of the stealer malware “Vidar.”

RisePro logs on Russian Market

“RisePro” is a newly identified stealer written in C++ whose functionality appears similar to that of the stealer malware “Vidar.” RisePro targets potentially sensitive information on infected machines and attempts to exfiltrate it in the form of logs.

Flashpoint first identified RisePro on December 13, 2022, when analysts observed several sets of logs uploaded to the illicit underground market Russian Market that listed their source as “risepro.”
Russian Market is a log shop similar to other log markets, such as Genesis, on which threat actors can upload and sell logs collected by stealers. At the time of writing, Russian Market has featured over 2,000 logs allegedly sourced from RisePro.

RisePro stealer logs appear on Russian Market. The earliest recorded upload of logs using RisePro occurred on December 12, 2022. (Source: Flashpoint)

We have identified malicious samples that appear to be related to RisePro based on identifying strings within the samples. While reviewing open source intelligence, including public sandbox analyses published by other security researchers, our analysts identified several RisePro samples that were dropped or downloaded by the pay-per-install malware downloader service “PrivateLoader.”

PrivateLoader allows threat actors to buy the ability to have it download malicious payloads onto infected systems. Pay-per-install services are not a novel business model for threat actors operating botnets. Flashpoint analysts…

Source…