PrivateLoader as a RiseProStealer Dropper Technical Analysis

This blog post comes from the “Cylance Ransomware Technical Analysis Report” by the Brandefense Research Team. For more details about the analysis, download the report.

Summary

The realm of cybersecurity is perpetually challenged by the evolution and sophistication of cyber threats, among which the Pay-Per-Install (PPI) malware services stand as a significant and enduring component. These services, deeply entrenched in the cybercrime ecosystem, have streamlined the monetization of malicious software installations, posing a persistent threat to digital security. This report delves into the intricate workings of such a service, with a particular focus on the technical analysis of PrivateLoader, a notable player in this nefarious field.

Pay-Per-Install services operate on a simple yet effective business model: a malware operator provides the service operator with a payload, a specified number of installations, and targeted geographical locations. The service operators, in turn, are tasked with the distribution of the malware, adhering to the customer’s specifications. This transactional nature of malware distribution not only simplifies the process for

cybercriminals but also broadens the reach and impact of their malicious activities. The moderate costs and ease of access to these services have enabled malware operators to utilize them as a potent tool for widespread, targeted, and rapid deployment of various malware types.

This report aims to provide a comprehensive technical analysis of PrivateLoader, exploring its operational mechanisms, distribution strategies, and the broader implications of its activities within the cybercrime ecosystem. By dissecting this malware, we seek to offer valuable insights into its functionality, thereby contributing to the development of more effective cybersecurity measures against such advanced threats.

While PrivateLoader is the starting point for the distribution of many types of malware, there has recently been an increase in the distribution of the RiseProStealer malware, which was developed for information theft. For this reason, the report we have prepared includes an in-depth technical analysis of the RiseProStealer malware, which is the final payload intended to be dropped on the target system, together with the PrivateLoader used as a dropper.

In the ever-evolving landscape of cyber threats, the emergence of the RisePro Stealer malware marks a significant milestone in the sophistication and capabilities of malicious software targeting digital assets and personal information. RisePro Stealer, identified in 2022, has rapidly gained notoriety for its advanced mechanisms and effectiveness in infiltrating systems and exfiltrating sensitive data. Its emergence is a testament to the continuous innovation among cybercriminals and the escalating challenges faced by cybersecurity professionals.

Scope

Fingerprints for RiseProStealer

File Name: lghub.exe
Filetype: Win32 EXE
Written Language: C/C++
MD5: eecb6554f3343358c9b75aba4d50910d
SHA-1: b643a211f03f00a28c5a72e58c0c6c089f734058
SHA256: 46fdd9e0c1cde9c5efa8b263797cff2f61635e8a41548196ad9c1ffff4c1d8d3
First Seen / Detection Date: 2023-12-18
Initial Infection Vector: Loader

Fingerprints for PrivateLoader

File Name: officetrackernmp131.exe
Filetype: Win32 EXE
Written Language: C/C++
MD5: 60fefcb3ce29079a7f5a1a3959d7b5b6
SHA-1: ff39a7624053aa2ce3c78df74a8b57ace58e5a2a
SHA256: ace7ca832d45a6cb041203ccc4d5129ce31df4979a63a26116b7dda0e47aa953
First Seen / Detection Date: 2023-12-18
Initial Infection Vector: Cracked Software

Infection Chain

Figure 1: Memory allocation for shell code

Mitigation Strategies

  • Keep all software, including operating systems and applications, up-to-date with the latest patches.
  • Use web filters to block access to malicious websites.
  • Consider using ad blockers to prevent malvertising attacks.
  • Implement robust spam filters to prevent phishing emails from reaching users.
  • Scan email attachments for malware before they can be opened.
  • Train users to recognize and report suspicious emails.
  • Use both hardware and software firewalls to monitor and control incoming and outgoing network traffic.
  • Ensure that your antivirus software provides real-time scanning and threat detection.

Download YARA Rules and IoCs from GitHub.

This blog post comes from the “Mystic Stealer Technical Analysis Report” by the Brandefense Research Team. For more details about the analysis, download the report.