HYAS Blog

Risepro Malware Campaign On the Rise

Written by David Brunsdon | April 22, 2024

Weekly Threat Intelligence Report

Date: April 22, 2024

Prepared by: David Brunsdon, Threat Intelligence - Security Engineer, HYAS

I read this article the other day from Hacker News about a DNS-based malware campaign that used fake IP scanners in the industry-news channel. I spent some time looking into it in the HYAS Insight threat intelligence and investigation platform.

I was able to uncover the registration details, which led to a Google Cloud IP that was operating C2 from their email, and then to a potential actor IP in Nigeria. This led me to more exploration, and I am nowhere near done with it, so stay tuned on this!

This week, we saw a surge in activity related to the Risepro malware, particularly targeting IP address (((147.45.47.93))) - its C2 “mother ship.” This signifies a concerning development in the cyber threat landscape, as Risepro, akin to StealC, is a notorious form of stealer malware designed to exfiltrate sensitive information from compromised systems.

This threat analysis aims to provide an in-depth understanding of the Risepro malware campaign based on the provided information, focusing on the actor's tactics, techniques, and procedures (TTPs). Read on to learn what we found.

Technical Analysis:

Malware Communication:
The malware communicates with its command-and-control (C2) server located at (((147.45.47.93))). This indicates an established infrastructure for remote control and data exfiltration. Hosting the C2 on a non-standard HTTP port may be an attempt to evade detection by controls that only inspect well-known web ports.

Actor Details:

  • Actor IP: (((188.165.204.121))) (France)
  • Actor Device User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
  • The actor's location in France indicates potential attribution, although it's important to note that threat actors often utilize proxy servers or compromised systems to obfuscate their true origin.

HYAS Insight Analysis:
HYAS Insight threat intelligence and investigation platform provided valuable intelligence regarding the actor's IP and user agent when accessing the C2 interface. This information can aid in tracking and potentially attributing the actor behind the Risepro campaign and can help security teams determine whether their organization is a target.

Risk Assessment:

Data Compromise:
Risepro malware specializes in stealing sensitive data, including credentials, financial information, and personal identifiers. The compromised data can be monetized through various means, including sale on underground forums or exploitation for fraudulent activities.

Operational Disruption:
The infiltration of Risepro malware into organizational networks can lead to operational disruptions, including system slowdowns, service outages, and loss of critical data. This can result in financial losses and damage to reputation.

Intellectual Property Theft:
Organizations storing proprietary information are at risk of intellectual property theft. Risepro malware can exfiltrate intellectual property, trade secrets, and other confidential data, leading to competitive disadvantages and loss of market position.

Mitigation Strategies:

Network Monitoring:

  • Implement robust network monitoring solutions to detect and analyze suspicious network traffic, especially to known malicious IP addresses like (((147.45.47.93))).
  • Utilize intrusion detection systems (IDS) and intrusion prevention systems (IPS) to identify and block malicious activities associated with Risepro malware.

Endpoint Protection:

  • Deploy advanced endpoint protection solutions capable of detecting and blocking malware, including fileless and polymorphic variants.
  • Conduct regular endpoint security assessments and ensure all systems are up-to-date with the latest security patches and updates.

Threat Intelligence Sharing:

  • Collaborate with threat intelligence sharing platforms and industry peers to exchange information on emerging threats, including indicators of compromise (IOCs) associated with Risepro malware.
  • Leverage threat intelligence feeds to enrich security controls and enhance threat detection capabilities.

User Awareness Training:

  • Conduct regular security awareness training for employees to educate them about the risks associated with phishing attacks, malware infections, and social engineering tactics used by threat actors.
  • Encourage employees to report suspicious emails, attachments, or website links to the IT security team for further investigation.

Conclusion:

The Risepro malware campaign poses a significant threat to organizations worldwide, with the potential for data theft, operational disruption, and intellectual property loss. By leveraging threat intelligence, implementing robust security measures, and fostering a culture of cybersecurity awareness, organizations can effectively mitigate the risks posed by Risepro malware and safeguard their digital assets against evolving cyber threats. Ongoing monitoring and proactive defense strategies are essential to stay ahead of adversaries in the ever-changing cybersecurity landscape.

Want to see some malware detonated? Join our upcoming webinar on April 30th at 10:00am PST / 1:00pm EST
Cyber Surveillance: Tracking New Malware Threats

Top Five ASNs Identified in HYAS Insight This Week

These are the top five ASNs identified in our HYAS Insight platform this week that reveal a diverse range of cybersecurity threats, including malware activity, network compromise, and potential criminal control. Effective threat mitigation requires proactive measures, collaboration with industry peers and cybersecurity experts, and continuous monitoring of network infrastructure for signs of malicious activity. By addressing these threats promptly and comprehensively, organizations can protect their network integrity and safeguard sensitive data from cybercriminal exploitation.

ASN 8968 - BT Italia S.p.A (Albacom)

Overview:
ASN 8968, operated by BT Italia S.p.A (formerly known as Albacom), is a telecommunications company serving the Italian market. Despite its legitimate business operations, the ASN exhibits a concerning trend of significant malware activity within its network.

Analysis:
The global internet area covered by ASN 8968 indicates a broad reach, making it an attractive target for cybercriminals seeking to exploit vulnerabilities in network infrastructure. The presence of malware activity suggests potential security weaknesses within the network, necessitating robust security measures to mitigate risks effectively.

Recommendations:

  • Implement strict security measures, including intrusion detection and prevention systems, to detect and block malicious activity within the network.
  • Conduct regular security audits and penetration testing to identify and remediate vulnerabilities.
  • Collaborate with cybersecurity experts to develop tailored threat mitigation strategies and enhance network security posture.

ASN 9318 - SK Broadband Co Ltd

Overview:
ASN 9318 is assigned to SK Broadband Co Ltd, a major ISP located in South Korea. The high frequency of malware activity associated with this ASN indicates potential security challenges within its network infrastructure.

Analysis:
Malware activity originating from ASN 9318 may indicate compromised systems within the network or serve as a transit point for malicious traffic. Prompt investigation and corrective actions, such as abuse reports to the ISP and network filtering, are necessary to curb the spread of malware and protect network integrity.

Recommendations:

  • Conduct thorough investigation to identify the source of malware activity and remediate compromised systems.
  • Establish proactive monitoring mechanisms to detect and respond to anomalous network behavior.
  • Collaborate with industry peers and cybersecurity experts to share threat intelligence and enhance network defense capabilities.

ASN 215789 - Karina Rashkovska (Ukraine)

Overview:
ASN 215789 is a small BGP network located in Ukraine, allocated earlier this year and associated with "Karina Rashkovska." Recent observations indicate a significant uptick in Risepro malware activity within its allocated IPs.

Analysis:
The surge in Risepro malware activity suggests potential security vulnerabilities or compromises within ASN 215789's network infrastructure. Immediate action is required to investigate and remediate the malware activity to prevent further harm and protect network integrity.

Recommendations:

  • Conduct thorough forensic analysis to identify the root cause of the malware activity and remediate compromised systems.
  • Enhance network security measures, including access controls and traffic filtering, to mitigate future malware threats.
  • Collaborate with law enforcement and cybersecurity experts to investigate the source of malicious activity and take legal action against threat actors.

ASN 216309 - TNSecurity (Germany/Russia)

Overview:
ASN 216309 is associated with TNSecurity and exhibits an unusually high level of malware activity. abuse.ch warns that it should not be routed or peered with, as it is under the control of cybercriminals. Conflicting reports suggest origins in Germany and Russia.

Analysis:
The warning from abuse.ch indicates that ASN 216309 is under the control of cybercriminals, posing a significant threat to internet users and organizations. Blocking all IP communications with this ASN is recommended to mitigate the risk of malware infection and data compromise.

Recommendations:

  • Implement strict network filtering rules to block all traffic originating from ASN 216309.
  • Collaborate with internet service providers and cybersecurity organizations to share threat intelligence and coordinate mitigation efforts.
  • Monitor network traffic for any signs of malicious activity and take immediate action to isolate and mitigate threats.
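As an added example (not code from the HYAS report), here is a small Python triage script that applies two of the network-monitoring recommendations on this page to firewall log lines: the Risepro mitigation of watching traffic to the known C2 IP 147.45.47.93 (noting whether the HTTP port is non-standard), and the recommendation above to block traffic associated with AS216309. The log lines, field names and the prefixes attributed to the ASN are constructed placeholders (RFC 5737 documentation ranges); the real prefix list would come from routing data, which the report does not include.

```python
import ipaddress
import re
from dataclasses import dataclass

# Risepro C2 IP quoted from the report.
RISEPRO_C2 = {ipaddress.ip_address("147.45.47.93")}

# PLACEHOLDER prefixes: the report does not list what AS216309 announces.
# RFC 5737 documentation ranges stand in for a prefix list pulled from BGP data.
BLOCKED_ASN_PREFIXES = {
    216309: [
        ipaddress.ip_network("203.0.113.0/24"),
        ipaddress.ip_network("198.51.100.0/25"),  # covers .0 to .127 only
    ],
}

STANDARD_HTTP_PORTS = {80, 443, 8080}

# Constructed firewall log lines in a syslog-like key=value style (not real traffic).
SAMPLE_LOGS = """\
Apr 22 10:01:12 fw01 conn: src=10.0.4.17 dst=147.45.47.93 dport=8081 proto=tcp app=http action=allow
Apr 22 10:01:15 fw01 conn: src=10.0.4.17 dst=142.250.72.14 dport=443 proto=tcp app=tls action=allow
Apr 22 10:02:03 fw01 conn: src=10.0.9.5 dst=203.0.113.44 dport=443 proto=tcp app=tls action=allow
Apr 22 10:02:40 fw01 conn: src=10.0.2.8 dst=147.45.47.93 dport=80 proto=tcp app=http action=allow
Apr 22 10:03:01 fw01 conn: src=10.0.2.8 dst=198.51.100.200 dport=22 proto=tcp app=ssh action=allow
"""

LOG_RE = re.compile(
    r"src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+) .*?app=(?P<app>\S+)"
)


@dataclass
class Alert:
    src: str
    dst: str
    dport: int
    reason: str


def classify(line):
    """Return an Alert for a log line that hits an IoC or a blocked ASN prefix, else None."""
    m = LOG_RE.search(line)
    if not m:
        return None
    dst = ipaddress.ip_address(m["dst"])
    dport = int(m["dport"])

    # Exact IoC match: any connection to the C2 IP is worth an alert, on any port.
    if dst in RISEPRO_C2:
        if m["app"] == "http" and dport not in STANDARD_HTTP_PORTS:
            note = "non-standard HTTP port"
        else:
            note = "standard port"
        return Alert(m["src"], str(dst), dport, f"known Risepro C2 ({note})")

    # Prefix match: destination inside a prefix attributed to a blocked ASN.
    for asn, prefixes in BLOCKED_ASN_PREFIXES.items():
        if any(dst in p for p in prefixes):
            return Alert(m["src"], str(dst), dport, f"destination within blocked AS{asn}")
    return None


def scan(log_text):
    """Run classify() over every line and keep only the alerts."""
    return [a for a in (classify(line) for line in log_text.splitlines()) if a]


def nft_set_elements(asn):
    """Render an ASN's prefixes as a comma-separated list suitable for an nftables set
    (the set itself, e.g. a named 'blocked_asn' set, is assumed to exist)."""
    return ", ".join(str(p) for p in BLOCKED_ASN_PREFIXES[asn])


if __name__ == "__main__":
    for alert in scan(SAMPLE_LOGS):
        print(f"{alert.src} -> {alert.dst}:{alert.dport}  {alert.reason}")
    print("block elements for AS216309:", nft_set_elements(216309))
```

Note the last sample line: 198.51.100.200 lies just outside the /25 placeholder prefix, so it produces no alert; prefix lists for an ASN have to be kept current, since a stale or partial list silently lets traffic through.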

ASN 210352 - AEZA Group LLC (Russia)

Overview:
ASN 210352 is allocated to AEZA Group LLC, registered in Russia. Malware detonations of gcleaner and redline have primarily targeted specific IPs for C2 communication, indicating a coordinated cyber threat campaign.

Analysis:
The use of gcleaner as a loader for redline stealer malware suggests a sophisticated and potentially organized cybercriminal operation. The targeting of specific IPs for C2 communication indicates a deliberate effort to compromise systems and exfiltrate sensitive data.

Recommendations:

  • Conduct thorough analysis of gcleaner and redline malware variants to understand their capabilities and propagation methods.
  • Implement network security measures, including traffic filtering and intrusion detection systems, to detect and block C2 communication attempts.
  • Enhance endpoint security controls to detect and mitigate malware infections on affected systems.



Read last week's report:
HYAS Threat Intel Report - April 15, 2024


Disclaimer: This Threat Intelligence Report is provided “as is” and for informational purposes only. HYAS disclaims all warranties, express or implied, regarding the report’s completeness, accuracy, or reliability. You are solely responsible for exercising your own due diligence when accessing and using this Report's information. The analyses expressed in this Report reflect our current understanding of available information based on our independent research using the HYAS Insight platform. The Report’s inclusion of any companies, organizations, or ASNs does not imply any wrongdoing on their part; it is simply an indication of where digital threat activities have been observed. HYAS reserves the right to update the Report as additional information is made known to us.

Learn More About HYAS Insight

An efficient and expedient investigation is the best way to protect your enterprise. HYAS Insight provides threat and fraud response teams with unparalleled visibility into everything you need to know about the attack. This includes the origin, current infrastructure being used and any infrastructure.

Read how the HYAS Threat Intelligence team uncovered and mitigated a Russian-based cyber attack targeting financial organizations worldwide.
