Europe Confirms Record €4.1B Penalty Against Google for Android Practices|U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|Europe Confirms Record €4.1B Penalty Against Google for Android Practices|U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|
Advertisement

Ad Placeholder

Full Width × 90

Breaking News

“gitgub” malware campaign targets Github users with RisePro info-stealer

Cybersecurity researchers discovered multiple GitHub repositories hosting cracked software that are used to drop the RisePro info-stealer. G-Data researchers found at least 13 such Github repositories hosting cracked software designed to deliver the RisePro info-stealer. The experts noticed that this campaign was named “gitgub” by its operators. The researchers started the investigation following Arstechnica’s story about […]

RisePro info-stealer

Cybersecurity researchers discovered multiple GitHub repositories hosting cracked software that are used to drop the RisePro info-stealer.

G-Data researchers found at least 13 such Github repositories hosting cracked software designed to deliver the RisePro info-stealer. The experts noticed that this campaign was named “gitgub” by its operators.

The researchers started the investigation following Arstechnica’s story about malicious Github repositories. The experts created a threat-hunting tool that allowed them to identify the repositories involved in this campaign. The researchers noticed that all the repositories were newly created repos leading to the same download link.

“We identified at least 13 such repositories belonging to a RisePro stealer campaign that was named “gitgub” by the threat actors. The repositories look similar, featuring a README.md file with the promise of free cracked software. Green and red circles are commonly used on Github to display the status of automatic builds.” reads the report published by G-Data. “Gitgub threat actors added four green Unicode circles to their README.md that pretend to display a status alongside a current date and provide a sense of legitimacy and recency.” 

RisePro info-stealer

Below is the list of Github repositories used in this campaign, which were already taken down by Github:

  • andreastanaj/AVAST
  • andreastanaj/Sound-Booster 
  • aymenkort1990/fabfilter 
  • BenWebsite/-IObit-Smart-Defrag-Crack 
  • Faharnaqvi/VueScan-Crack 
  • javisolis123/Voicemod  
  • lolusuary/AOMEI-Backupper 
  • lolusuary/Daemon-Tools 
  • lolusuary/EaseUS-Partition-Master 
  • lolusuary/SOOTHE-2 
  • mostofakamaljoy/ccleaner 
  • rik0v/ManyCam 
  • Roccinhu/Tenorshare-Reiboot 
  • Roccinhu/Tenorshare-iCareFone 
  • True-Oblivion/AOMEI-Partition-Assistant 
  • vaibhavshiledar/droidkit 
  • vaibhavshiledar/TOON-BOOM-HARMONY  

All the repositories used the same download link: 

hxxps://digitalxnetwork[.]com/INSTALLER%20PA$$WORD%20GIT1HUB1FREE.rar.

The researchers noticed that the users must unpack several layers of archives using the password “GIT1HUB1FREE,” which is provided in the README.md file, to access the installer named “Installer_Mega_v0.7.4t.msi.” 

Threat actors used this MSI installer to unpack the next stage using the password “LBjWCsXKUz1Gwhg”. The resulting file is named Installer-Ultimate_v4.3e.9b.exe.

The binary has a size of 699 MB, which causes IDA and ResourceHacker to crash.

The analysis of the content used to inflate the file allowed the researcher to determine its actual size of 3.43 MB. The file is utilized as a loader for the RisePro info-stealer (version 1.6).

Upon executing the loader, it connects to hxxp://176.113.115(dot)227:56385/31522 and injects its payload into either AppLaunch.exe or RegAsm.exe.

RisePro is a C++ info-stealer that has been active since at least 2022, it allows to gathering sensitive data from the infected system. The malware exfiltrates gathered data to two Telegram channels.

“The malware collects a variety of valuable information. All unique passwords are stored in a file named “brute.txt”. In the file “password.txt” we discovered a big RISEPRO banner and the link to the public Telegram channel.” concludes the report that also provides indicators of compromise for this threat.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, RisePro info-stealer)