Almost two dozen GitHub repositories contained an artificially bloated RAR archive

Almost two dozen GitHub repositories contained an artificially bloated RAR archive, which in turn held a small file carrying the RisePro malware. This infostealer sends the stolen data to Telegram.

You won't find it cheaper

Experts from G DATA have identified almost two dozen GitHub repositories from which malware was being distributed. The attackers behind the campaign passed off the contents of the repositories as cracked commercial software. In fact, trusting users downloaded an infostealer, a program designed to steal data, called RisePro.

Among the commercial programs allegedly offered in a hacked form were, in particular, AVAST antivirus, FabFilter, an expensive but nevertheless popular package among musicians and sound engineers, as well as DaemonTools, CCleaner, EaseUS Partition Master, VueScan, and others. In total, experts counted 17 repositories associated with 11 users, each of which allegedly contained a separate commercial package.

The README.md file contained green-circle icons added as Unicode characters. On GitHub, such icons usually indicate the status of automated builds; in this way the attackers tried to give their repositories a legitimate look.

The repositories contain a RAR archive inflated to 699 MB so that it passes for a software distribution; in fact, it holds only one 3.43 MB file, a loader that injects the malware into the legitimate processes AppLaunch.exe or RegAsm.exe.

Telegram as an intermediate link

RisePro was first spotted in late 2022, when it was distributed via the PrivateLoader cybercrime service.

Written in C++, RisePro collects meaningful system information and sends it to at least two private Telegram channels. Recent research by Checkmarx also showed that the collected information can be pulled from the attackers' bot into other Telegram accounts.
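The two behaviours described above, injection into AppLaunch.exe or RegAsm.exe and exfiltration to Telegram, give a defender a concrete detection hook. The following is an added example, not code from G DATA or the article, that scans constructed Sysmon-style network events (EventID 3) and flags outbound connections from those two .NET utilities, rating connections to Telegram's bot API host (api.telegram.org, an assumption not named on the page) as high severity:

```python
import json
from typing import Iterable, Optional

# .NET utilities named in the G DATA write-up as the loader's injection targets.
INJECTION_HOSTS = {"applaunch.exe", "regasm.exe"}
# Assumption: Telegram's bot API is reached via this public domain (not stated on the page).
TELEGRAM_DOMAIN = "telegram.org"

# Constructed sample events in a Sysmon-style JSON shape; not real telemetry.
SAMPLE_EVENTS = [
    r'{"EventID": 3, "Image": "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegAsm.exe", '
    r'"DestinationHostname": "api.telegram.org", "DestinationPort": 443}',
    r'{"EventID": 3, "Image": "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\AppLaunch.exe", '
    r'"DestinationHostname": "203.0.113.7", "DestinationPort": 50500}',
    r'{"EventID": 3, "Image": "C:\\Program Files\\Mozilla Firefox\\firefox.exe", '
    r'"DestinationHostname": "api.telegram.org", "DestinationPort": 443}',
    r'{"EventID": 1, "Image": "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegAsm.exe", '
    r'"CommandLine": "RegAsm.exe /codebase lib.dll"}',
]


def image_name(path: str) -> str:
    """Return the lower-cased executable name from a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(event: dict) -> Optional[str]:
    """Severity for one event, or None when it is not a network connection
    from one of the injection-target processes."""
    if event.get("EventID") != 3:
        return None
    if image_name(event.get("Image", "")) not in INJECTION_HOSTS:
        return None
    host = str(event.get("DestinationHostname", "")).lower()
    # RegAsm.exe and AppLaunch.exe have no business talking to Telegram.
    if host == TELEGRAM_DOMAIN or host.endswith("." + TELEGRAM_DOMAIN):
        return "high"
    # Any other outbound connection from these binaries is still worth a look.
    return "medium"


def scan(lines: Iterable[str]) -> list:
    """Parse JSON event lines and return the findings in input order."""
    findings = []
    for line in lines:
        event = json.loads(line)
        severity = classify(event)
        if severity is not None:
            findings.append({"severity": severity,
                             "image": image_name(event["Image"]),
                             "dest": event["DestinationHostname"]})
    return findings
```

Running `scan(SAMPLE_EVENTS)` yields two findings: the RegAsm.exe connection to api.telegram.org (high) and the AppLaunch.exe connection to the external address (medium); the browser event and the process-creation event are ignored.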

RisePro is not the only malware that actively uses Telegram.

"In addition to RisePro, I think offhand of Masad Stealer, Zaraza Bot, ToxicEye - all of them somehow use Telegram's capabilities either for data output or for management," says Anastasia Melnikova, Director of Information Security at SEQ. According to her, any platforms with secure communications that allow you to remain anonymous are inevitably used by attackers to harm, but this is not a problem of the communication platforms themselves. "In the case of RisePro, the problem lies with fans of pirated software, who believe that GitHub is a good place for such searches, but in fact meet with unexpected consequences," Anastasia Melnikova summed up.

As noted in the G DATA publication, the attackers themselves named their campaign GitGub. All identified repositories containing the malware have since been taken down by Microsoft.