You might save a few dollars downloading pirated software, but you could also end up losing a lot more in the process, as researchers have discovered a cryptocurrency-targeting infostealer lurking among the cracks.
Two separate cybersecurity firms, Flashpoint and Sekoia, uncovered a brand-new information-stealing malware dubbed “RisePro”.
RisePro is being distributed through websites hosting pirated software, cracks, loaders, and similar illegal content, and infects endpoints through the PrivateLoader pay-per-install (PPI) malware distribution service.
Stealing crypto account details
According to the researchers, RisePro carries many similarities to PrivateLoader, prompting them to conclude that the malware distribution platform now has its own infostealer. What’s more, they discovered that it was most likely built on Vidar as a foundation, as it uses the same system of embedded DLL dependencies.
RisePro hunts for data from an extensive list of browsers, browser extensions, and cryptocurrency wallets, including Google Chrome, Firefox (and 30 other browsers), Authenticator, MetaMask, and Coinbase (and 26 other browser extensions). Furthermore, it steals data from Discord, battle.net, and Authy Desktop, and can scan filesystem folders for valuable data, such as files holding credit card information.
According to Flashpoint, criminals have already started selling RisePro logs containing sensitive, personally identifiable data on Russian dark web markets. Threat actors interested in buying either the logs or the tool itself can do so via Telegram, by interacting with the operators’ Telegram bot.
The researchers describe PrivateLoader as a pay-per-install malware distribution service, often posing as a software crack or a keygen. Until now, PrivateLoader only distributed RedLine Stealer or Raccoon, both of which are very popular infostealers in the cybercrime community.
The best way to protect against such threats is to refrain from downloading illegal content to begin with, and only download software from legitimate, verified sources. A strong antivirus solution is also advised.
Via: BleepingComputer