
Newly Identified RisePro Malware is a Spin-off of Vidar Stealer

A new info-stealer malware called RisePro has been spotted on an illicit Russian-language dark web forum. The malware appears to be a clone of the Vidar stealer and has been sold as a log credential stealer on underground forums since December 13.

What’s the update?

According to Flashpoint researchers, the presence of the RisePro stealer on Russian Market indicates its growing popularity within the existing threat landscape.
  • Experts highlight that the malware may have existed for over a year and was delivered via the PrivateLoader Pay-Per-Install (PPI) service.
  • The malware targets potentially sensitive information on infected machines and attempts to exfiltrate it in the form of logs.
  • So far, the malware has exfiltrated over 2,000 logs, which are put up for sale on the Russian underground marketplace.

Vidar and RisePro

The new RisePro includes many notable features that match the Vidar stealer. One of the key similarities noted by researchers is the use of the same dynamic link library (DLL) dependencies in both RisePro and Vidar.

Other notable versions of Vidar in the past

While RisePro is the latest spin-off of Vidar, many iterations have been observed by researchers in the past.
  • Oski was one of the first versions of the Vidar infostealer, appearing in 2019. The malware was sold on Russian underground hacking forums at a price between $70 and $100.
  • Later, in 2020, the malware was modified and renamed Mars Stealer. Its capabilities included stealing information from all well-known web browsers, various cryptocurrency wallets, and browser extensions.
  • At that point in time, Mars Stealer was sold for a price between $140 and $160 on hacking forums.

Conclusion

Experts assess that the proliferation of Vidar clones is likely due to the malware having been fully cracked and analyzed. Hence, organizations must stay updated on IoCs associated with RisePro and take the necessary precautions to protect their data and other digital assets.
Cyware Publisher
