Hackers Use Cracked Software on GitHub to Spread RisePro Info Stealer

Cybersecurity researchers have uncovered a campaign in which attackers use cracked software distributed on GitHub to spread a potent information stealer called RisePro. The campaign, known as gitgub, was flagged by G DATA and involved 17 repositories linked to 11 different accounts. GitHub has since removed the repositories.

The repositories in question typically featured a README.md file promising free cracked software. To lend an air of legitimacy and recency, the threat actors added four green Unicode circles, mimicking the status indicators for automatic builds commonly seen on GitHub.

The malicious payload was hidden within a RAR archive protected by a password given in the README.md file. Once extracted, the installer unpacks the next-stage payload, a 699 MB executable whose size is designed to defeat analysis tools like IDA Pro. This executable then acts as a loader, injecting RisePro (version 1.6) into either AppLaunch.exe or RegAsm.exe.
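The two traits described above, the fake build-status badges in a "cracked software" README and the deliberately oversized loader binary, are both cheap to triage. The following script is an added example written for this article, not tooling from G DATA or GitHub: it scores a README for the lure pattern and checks a file for size inflation. It assumes, since the article does not say how the 699 MB size was reached, that the binary is padded with low-entropy filler; the README and binary samples are constructed and are not from the campaign's repositories.

```python
import math
import re
from collections import Counter

# Unicode "large green circle"; the lure READMEs used four of these to imitate
# GitHub's green build-status indicators.
GREEN_CIRCLE = "\U0001F7E2"
CRACK_WORDS = re.compile(r"\b(cracked|crack|keygen|patched)\b", re.IGNORECASE)
PASSWORD_HINT = re.compile(r"\bpassword\b\s*[:=]?\s*\S+", re.IGNORECASE)


def readme_lure_score(text: str) -> dict:
    """Heuristic triage of a README: flag the combination of fake status
    badges, "cracked software" wording and an archive password in plain text.
    Each signal alone is common in legitimate projects; the combination is not."""
    green_circles = text.count(GREEN_CIRCLE)
    crack_keyword = bool(CRACK_WORDS.search(text))
    password_hint = bool(PASSWORD_HINT.search(text))
    return {
        "green_circles": green_circles,
        "crack_keyword": crack_keyword,
        "password_hint": password_hint,
        # All three together is the pattern described for the gitgub repos.
        "suspicious": green_circles >= 4 and crack_keyword and password_hint,
    }


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for uniform filler, close to 8.0 for packed or encrypted data."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def looks_inflated(data: bytes, min_size: int, tail_fraction: float = 0.5,
                   max_tail_entropy: float = 1.0) -> bool:
    """Flag an oversized file whose trailing part is low-entropy filler.

    Assumption (not stated in the article): the inflated size is reached by
    appending filler bytes, a common way to push a sample past the size limits
    of sandboxes and analysis tools. Loaders may pad elsewhere, so treat a
    negative result as inconclusive rather than as a clean verdict."""
    if len(data) < min_size:
        return False
    tail = data[-int(len(data) * tail_fraction):]
    return shannon_entropy(tail) <= max_tail_entropy


# Constructed README samples (not text from the campaign's repositories).
LURE_README = (
    "# ProEditor 2024 Full Version (Cracked)\n"
    f"{GREEN_CIRCLE * 4} build passing\n"
    "1. Download ProEditor.rar from the Releases page\n"
    "2. Archive password: 2024\n"
)
BENIGN_README = (
    "# mytool\n"
    f"{GREEN_CIRCLE} build passing\n"
    "Install with `pip install mytool`.\n"
)

# Constructed binaries: a uniform byte distribution (entropy 8.0) stands in for
# packed code, with and without 48 KiB of zero padding appended.
REAL_CONTENT = bytes(range(256)) * 64            # 16 KiB
PADDED_SAMPLE = REAL_CONTENT + b"\x00" * (48 * 1024)
CLEAN_SAMPLE = bytes(range(256)) * 256           # 64 KiB, no padding

if __name__ == "__main__":
    print("lure README:  ", readme_lure_score(LURE_README))
    print("benign README:", readme_lure_score(BENIGN_README))
    print("padded sample inflated:", looks_inflated(PADDED_SAMPLE, min_size=32 * 1024))
    print("clean sample inflated: ", looks_inflated(CLEAN_SAMPLE, min_size=32 * 1024))
```

The size threshold is a parameter because the useful cut-off depends on what your sandbox or scanner silently skips; in a real deployment you would set `min_size` to that limit and run the entropy check only on files that exceed it.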

RisePro first gained attention in late 2022, when it was distributed using a pay-per-install (PPI) malware downloader called PrivateLoader. The malware is written in C++ and is adept at gathering sensitive information from infected hosts, sending it to two Telegram channels typically used by threat actors. Recent research has even shown that it is possible to infiltrate the attackers' bots and forward their messages to other Telegram accounts.

This development comes on the heels of Splunk’s detailed analysis of Snake Keylogger, another potent stealer malware that uses a multifaceted approach to data exfiltration, including FTP for file transfer, SMTP for sending emails with stolen information, and integration with Telegram for real-time communication.

The rise of information-stealing malware is a growing concern, with stealers becoming the primary vector for ransomware and other high-impact data breaches. According to a recent report from Specops, RedLine, Vidar, and Raccoon are among the most widely used stealers, with RedLine alone responsible for the theft of over 170.3 million passwords in the last six months.

The current surge in information-stealing malware underscores the ever-evolving nature of digital threats. While financial gain remains the primary motivation, stealers continue to adapt, becoming more accessible and easier to use.

To protect yourself from attackers who use cracked software on GitHub to distribute malware, download software only from trusted sources. Be wary of promises of free software, and always verify the authenticity of download links before using them. Keep your software and operating system up to date with the latest security patches, and consider using reputable antivirus software to help detect and remove any potential threats.