Pierluigi Paganini March 17, 2024

Cybersecurity researchers discovered multiple GitHub repositories hosting cracked software that are used to drop the RisePro info-stealer.

G-Data researchers found at least 13 such Github repositories hosting cracked software designed to deliver the RisePro info-stealer. The experts noticed that this campaign was named “gitgub” by its operators.

The researchers started the investigation following Arstechnica’s story about malicious Github repositories. The experts created a threat-hunting tool that allowed them to identify the repositories involved in this campaign. The researchers noticed that all the repositories were newly created repos leading to the same download link.

“We identified at least 13 such repositories belonging to a RisePro stealer campaign that was named “gitgub” by the threat actors. The repositories look similar, featuring a README.md file with the promise of free cracked software. Green and red circles are commonly used on Github to display the status of automatic builds.” reads the report published by G-Data. “Gitgub threat actors added four green Unicode circles to their README.md that pretend to display a status alongside a current date and provide a sense of legitimacy and recency.” 

Below is the list of Github repositories used in this campaign, which were already taken down by Github:

• andreastanaj/AVAST
• andreastanaj/Sound-Booster 
• aymenkort1990/fabfilter 
• BenWebsite/-IObit-Smart-Defrag-Crack 
• Faharnaqvi/VueScan-Crack 
• javisolis123/Voicemod  
• lolusuary/AOMEI-Backupper 
• lolusuary/Daemon-Tools 
• lolusuary/EaseUS-Partition-Master 
• lolusuary/SOOTHE-2 
• mostofakamaljoy/ccleaner 
• rik0v/ManyCam 
• Roccinhu/Tenorshare-Reiboot 
• Roccinhu/Tenorshare-iCareFone 
• True-Oblivion/AOMEI-Partition-Assistant 
• vaibhavshiledar/droidkit 
• vaibhavshiledar/TOON-BOOM-HARMONY  

All the repositories used the same download link: 

hxxps://digitalxnetwork[.]com/INSTALLER%20PA$$WORD%20GIT1HUB1FREE.rar.

The researchers noticed that the users must unpack several layers of archives using the password “GIT1HUB1FREE,” which is provided in the README.md file, to access the installer named “Installer_Mega_v0.7.4t.msi.” 

Threat actors used this MSI installer to unpack the next stage using the password “LBjWCsXKUz1Gwhg”. The resulting file is named Installer-Ultimate_v4.3e.9b.exe.

The binary has a size of 699 MB, which causes IDA and ResourceHacker to crash.

The analysis of the content used to inflate the file allowed the researcher to determine its actual size of 3.43 MB. The file is utilized as a loader for the RisePro info-stealer (version 1.6).

Upon executing the loader, it connects to hxxp://176.113.115(dot)227:56385/31522 and injects its payload into either AppLaunch.exe or RegAsm.exe.

RisePro is a C++ info-stealer that has been active since at least 2022, it allows to gathering sensitive data from the infected system. The malware exfiltrates gathered data to two Telegram channels.

“The malware collects a variety of valuable information. All unique passwords are stored in a file named “brute.txt”. In the file “password.txt” we discovered a big RISEPRO banner and the link to the public Telegram channel.” concludes the report that also provides indicators of compromise for this threat.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, RisePro info-stealer)