Introduction

In October 2024, Zscaler ThreatLabz came across malware samples that use a network communication protocol similar to RisePro. However, unlike RisePro, which has primarily been used for information stealing, this new malware specializes in downloading and executing second-stage payloads. Due to its distinctive focus and its similarities with RisePro's communication protocol, we named this new malware family RiseLoader. RiseLoader's emergence is interesting, as the threat actor selling RisePro announced in June 2024 on Telegram that its development was discontinued. Based on these factors, ThreatLabz assesses with moderate confidence that the threat group behind RisePro and PrivateLoader is also behind RiseLoader.

In this blog, we explore RiseLoader's TCP-based binary protocol and highlight the similarities between RiseLoader and RisePro.

Key Takeaways

- RiseLoader is a new malware loader family that was first observed in October 2024.
- The malware implements a custom TCP-based binary network protocol that is similar to RisePro.
- Many RiseLoader samples have used VMProtect to obfuscate the malware's code.
- RiseLoader has been observed dropping malware families including Vidar, Lumma Stealer, XMRig, and Socks5Systemz, similar to those distributed by PrivateLoader.
- RiseLoader collects information about installed applications and browser extensions related to cryptocurrency.

Technical Analysis

The following sections describe some of the features in RiseLoader.

Anti-analysis techniques

Most of the RiseLoader samples analyzed by ThreatLabz are packed with VMProtect. In addition, the malware obfuscates important strings.

For example, all RiseLoader samples included the following strings related to malware analysis and debugging:

- ollydbg.exe
- processhacker.exe
- tcpview.exe
- filemon.exe
- procmon.exe
- regmon.exe
- procexp.exe
- ida.exe
- ida64.exe
- binaryninja.exe
- immunitydebugger.exe
- wireshark.exe
- dumpcap.exe
- hookexplorer.exe
- importrec.exe
- petools.exe
- lordpe.exe
- sysinspector.exe
- proc_analyzer.exe
- sysanalyzer.exe
- sniff_hit.exe
- windbg.exe
- joeboxcontrol.exe
- joeboxserver.exe
- apimonitor.exe
- apimonitor-x86.exe
- apimonitor-x64.exe
- x32dbg.exe
- x64dbg.exe
- x96dbg.exe
- cheatengine.exe
- scylla.exe
- charles.exe
- cheatengine-x86_64.exe
- reclass.net.exe

These strings are defined in a global array but are not used during execution. This may indicate that anti-analysis features are currently in development and will potentially be implemented in future versions.

Note that RiseLoader does not currently use stack-based string obfuscation, which is present in RisePro and PrivateLoader.

Behavioral analysis

The malware starts by creating a mutex using hardcoded strings for the name. The mutex name is a combination of three strings, such as winrar8PROMEMEKGAmaV3_2_8. The mutex is formed from a prefix (winrar8), a campaign_id value (PROMEMEKG), and a hardcoded suffix (AmaV3_2_8). If the mutex already exists, RiseLoader terminates. Samples analyzed by ThreatLabz have lacked a persistence mechanism, although this may be a configurable parameter (similar to other malware loaders).

Next, RiseLoader randomly selects a C2 server from a hardcoded list and opens a TCP connection. This process is repeated up to 10 times until a connection is established. If unsuccessful, RiseLoader terminates. Upon successful communication with the C2 server, a new thread is launched to continuously check for commands, process them, and send system information as requested. Additionally, another thread handles the PAYLOADS data from the C2 server, creating a randomly generated folder in the user's temporary directory to process each payload.
This thread also creates an infection marker by creating a registry key under certain conditions, and prepares the arguments and delays for each payload.

Finally, a new thread is created to download and execute each payload from the URLs provided by the C2 server using libcurl. DLL files are launched with rundll32, while executables are started by creating a new process. After all payloads are downloaded and executed, RiseLoader terminates.

Network communication

After establishing the TCP three-way handshake with the C2 server, RiseLoader expects the server to respond with a message containing the XOR keys used for subsequent communications. If the server does not send this message within a 10-second timeout, the malware attempts to "wake up" the server by sending a KEEPALIVE message. If the server is online, it responds with a KEEPALIVE_RES message, and the malware resets its timeout. If the server does not respond, the malware either attempts to reconnect or closes the connection, and calls ExitProcess after 10 failed attempts.

After receiving the XOR keys, the malware sends a campaign_id and other information to the server, then waits for the PAYLOADS command. The server can close the connection at any time without notifying the client. Additionally, a SEND_SHUTDOWN command immediately terminates the malware. The server periodically sends KEEPALIVE messages to ensure continuous communication. If the PAYLOADS command is received, RiseLoader processes the packet and sends either an SL_FL_TASKS_EXECUTED or a PL_TASKS_EXECUTED message with the task information. Once the task commands are received, the server closes the connection.

The message types exchanged in both directions share a common structure, as defined below:

    struct message {
        uint32_t magic_bytes;   // Hardcoded to 0x00020001
        uint32_t data_size;
        uint32_t message_type;
        byte     data[data_size];
    }

The magic_bytes field may represent a protocol version (i.e., version 1.0.2.0 in little-endian byte format), although it is too early to determine the value's exact meaning since this malware family is new.

Not all messages contain data; for these, data_size will be zero. For messages that do contain data, the structure varies. Some messages use a UTF-8 encoded JSON string, while others, like the SET_XORKEYS and SEND_ID message types, use a byte structure.

Throughout the communication process, the data field is encoded using one of the XOR keys defined by the C2 server in the SET_XORKEYS message. The RiseLoader message types are listed in the following table, giving for each the message type, its value, the description and payload, and the source:

SEND_VICTIM_INFO (0x2B), sent by the client: Sends information related to cryptocurrency websites, wallets, and web browser extensions.

SYS_INFO (0x2F), sent by the client: Sends information related to the victim's machine in JSON format:
    ap: Unused.
    bn: Windows build number.
    mi: Minor version.
    mj: Major version.
    c1: Indicates if a WoW64 process is present.
    tp: Indicates if this is a workstation.

SEND_ID_NEW_VICTIM (0x16C64), sent by the client: Sends the campaign_id after checking that there is no former infection.

SEND_ID (0x16C63), sent by the client: Sends the campaign_id if RiseLoader previously executed payloads on the victim's system.

SL_FL_TASKS_EXECUTED (0x23E9), sent by the client: Sends a list of task IDs that were downloaded and executed successfully. This message type is used only for the payload URLs that were included in the JSON keys sl and fl.

PL_TASKS_EXECUTED (0x0B2F09), sent by the client: Sends a list of task IDs that were downloaded and executed successfully.
This message type is used for the payload URLs that were included in the JSON key pl.

SET_XORKEYS (0xB6), sent by the server: The C2 server provides the encryption keys that are used for subsequent messages. The first byte encodes message payloads from the infected system, and the second byte decodes message payloads coming from the C2 server.

CHANGE_ID (0x20C9), sent by the server: The C2 server sends a new campaign_id to the victim.

SEND_SHUTDOWN (0x1CCD), sent by the server: Terminates execution.

FORCE_REPORT_SL_FL (0x9C04), sent by the server: Forces sending an SL_FL_TASKS_EXECUTED command while executing pl tasks.

PAYLOADS (0x4DCF), sent by the server: The C2 server sends a JSON structure with several payloads to download and execute on the victim's system. There are three different arrays for payloads, pl, fl, and sl, each containing entries with a similar structure, where:
    pl: Task ID.
    u: URL of the payload.
    ag: The arguments used when launching the payload.
    d: The delay of the download.
    f: The filename of the payload on the victim's system.
In addition, the so parameter instructs the sample to set an infection marker by creating a registry key, while sp specifies the delay in milliseconds between the execution of fl and sl payloads. The final parameter, lo, contains the URL of an image that is potentially used for tracking purposes.

KEEPALIVE (0x6B5), sent by both the client and the server: Requests a KEEPALIVE_RES response.

KEEPALIVE_RES (0x4B7C), sent by both the client and the server: The response to the KEEPALIVE message.

Table 1: RiseLoader message types exchanged between the client and the server.

The figure below shows a high-level view of RiseLoader's network communication protocol.

Figure 1: RiseLoader network communication protocol.

Network communication starts with the server sending a SET_XORKEYS message that contains two 1-byte XOR keys: the first for encrypting messages from the client, and the second for decrypting messages received from the server.
After establishing the encryption keys for the session, the client sends either a SEND_ID_NEW_VICTIM or a SEND_ID message. RiseLoader determines which of these messages to use based on the existence of a specific registry key (HKEY_CURRENT_USER\SOFTWARE\dmdsaodgmarksmdkgsa). Immediately after sending the campaign_id to the C2 server, RiseLoader scans the victim's file system to gather information about cryptocurrency wallets, extensions, and specific programs (shown in the Appendix). This information is sent to the server using the SEND_VICTIM_INFO message type, followed by a SYS_INFO packet. Once the system information is sent, the server maintains the connection by exchanging KEEPALIVE and KEEPALIVE_RES messages with RiseLoader.

RiseLoader waits for a PAYLOADS command containing a JSON-encoded structure with payload URLs to download and execute on the victim's system. The malware then sends SL_FL_TASKS_EXECUTED and PL_TASKS_EXECUTED messages to report the tasks that were executed.

During the processing phase for payloads, RiseLoader may create a registry key, depending on the value specified by the so field in the PAYLOADS data structure or when receiving the FORCE_REPORT_SL_FL command from the C2 server. This registry key appears to serve as an infection marker and is located at HKEY_CURRENT_USER\SOFTWARE\dmdsaodgmarksmdkgsa. Under this key, the registry value name var1 is created with a hardcoded value of 0x00b2. The actual value is not relevant for execution, as RiseLoader only checks for the presence of the registry key when choosing whether to send SEND_ID or SEND_ID_NEW_VICTIM.

After processing all payloads, RiseLoader downloads a resource from the URL specified in the lo parameter of the PAYLOADS structure. Currently, this URL resolves to a 1×1 pixel PNG file, likely serving as a tracking method, since the PNG file has no clear purpose in the malware code.
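As an added example, not code from the Zscaler write-up, the following Python parses one direction of a captured RiseLoader TCP stream using the 12-byte header layout and single-byte XOR scheme described above. The message type values come from Table 1; the sample keys, URLs and PAYLOADS JSON are constructed, and the assumption that SET_XORKEYS itself is sent unencoded (the article does not say) is ours.

```python
import json
import struct

# Message type values from Table 1 of the write-up.
MSG_TYPES = {
    0x2B: "SEND_VICTIM_INFO", 0x2F: "SYS_INFO", 0x16C64: "SEND_ID_NEW_VICTIM",
    0x16C63: "SEND_ID", 0x23E9: "SL_FL_TASKS_EXECUTED", 0x0B2F09: "PL_TASKS_EXECUTED",
    0xB6: "SET_XORKEYS", 0x20C9: "CHANGE_ID", 0x1CCD: "SEND_SHUTDOWN",
    0x9C04: "FORCE_REPORT_SL_FL", 0x4DCF: "PAYLOADS", 0x6B5: "KEEPALIVE",
    0x4B7C: "KEEPALIVE_RES",
}
SET_XORKEYS, KEEPALIVE, PAYLOADS = 0xB6, 0x6B5, 0x4DCF
MAGIC = 0x00020001
HDR = struct.Struct("<III")  # magic_bytes, data_size, message_type (little endian)

def xor(data, key):
    """Single-byte XOR applied to the data field in both directions."""
    return bytes(b ^ key for b in data)

def build_message(mtype, data=b"", key=0):
    """Serialise one message: 12-byte header followed by XOR-encoded data."""
    body = xor(data, key)
    return HDR.pack(MAGIC, len(body), mtype) + body

def parse_stream(buf, key):
    """Split one direction of a captured TCP stream into (name, data) tuples.
    key is that direction's XOR key. SET_XORKEYS is assumed (the article does
    not say) to carry its two key bytes unencoded, since no key exists yet.
    Returns the decoded messages and any trailing bytes of a partial message."""
    out, off = [], 0
    while len(buf) - off >= HDR.size:
        magic, size, mtype = HDR.unpack_from(buf, off)
        if magic != MAGIC:
            raise ValueError(f"bad magic 0x{magic:08x} at offset {off}")
        start = off + HDR.size
        if len(buf) - start < size:
            break  # header seen but data not fully received yet
        raw = buf[start:start + size]
        data = raw if mtype == SET_XORKEYS else xor(raw, key)
        out.append((MSG_TYPES.get(mtype, f"UNKNOWN_0x{mtype:X}"), data))
        off = start + size
    return out, buf[off:]

def demo_server_stream():
    """Build a constructed server-to-client stream and parse it back."""
    client_key, server_key = 0x5A, 0xA7  # constructed sample keys, not real ones
    tasks = {"pl": [{"pl": 7, "u": "http://c2.invalid/p.bin", "ag": "", "d": 0,
                     "f": "p.exe"}], "fl": [], "sl": [], "so": 1, "sp": 1000,
             "lo": "http://c2.invalid/t.png"}  # constructed PAYLOADS JSON
    stream = (build_message(SET_XORKEYS, bytes([client_key, server_key]))
              + build_message(KEEPALIVE)
              + build_message(PAYLOADS, json.dumps(tasks).encode(), server_key))
    return parse_stream(stream, server_key)
```

For the client-to-server direction, call parse_stream with the first key byte from SET_XORKEYS instead of the second.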
After downloading and executing the payloads and fetching the URL from the lo parameter, RiseLoader terminates its execution.

Comparison of the RiseLoader and RisePro communication protocols

The similarities between RiseLoader and RisePro are described below:

- Both use a custom binary TCP-based protocol with encoded JSON messages encrypted by a single-byte key.
- The message structure is very similar: magic bytes, followed by a 4-byte payload size and a 4-byte command type, as shown in the figure below.

Figure 2: A comparison of RiseLoader's C2 handshake and RisePro's handshake, showing a similar structure.

- The initialization process is similar; however, RiseLoader has been simplified.

Conclusion

The security research community has tentatively linked RiseLoader to PrivateLoader, which is also developed by the same threat actor behind RisePro. This may be due to behavioral similarities, since both have been dropping similar malware families. However, RiseLoader has a distinct communication protocol that is far more similar to RisePro than to PrivateLoader.

RiseLoader and RisePro share several similarities in their network communication protocols, including message structure, the initialization process, and payload structure. These overlaps may indicate that the same threat actor is behind both malware families. RiseLoader appears to still be in development, with potential upcoming features for information stealing and anti-analysis.

Zscaler Coverage

Zscaler's multilayered cloud security platform detects indicators related to the new variant of RisePro at various levels.
The figure below depicts the Zscaler Cloud Sandbox, showing detection details for RiseLoader.

Figure 3: Zscaler sandbox report for RiseLoader.

Indicators Of Compromise (IOCs)
Appendix

Cryptocurrency websites targeted by RiseLoader

Cryptocurrency wallet software targeted by RiseLoader

- atomic
- atomic wallet
- com.liberty.jaxx
- electrum
- exodus
- multidoge
- monero
- binance.chain
- binance
- Metamask

Cryptocurrency wallet browser extensions targeted by RiseLoader
First seen on securityboulevard.com
Jump to article: securityboulevard.com/2024/12/technical-analysis-of-riseloader/