Technical Analysis of RiseLoader
Dec. 17, 2024, 10:04 a.m.
Description
RiseLoader, a malware loader family first observed in October 2024, implements a custom TCP-based binary network protocol that closely resembles the one used by RisePro. It is obfuscated with VMProtect and has been observed dropping payloads such as Vidar, Lumma Stealer, XMRig, and Socks5Systemz. The loader also collects information about installed applications and browser extensions associated with cryptocurrency. Its C2 communication consists of an exchange of distinct message types with the server, including host system information, payload delivery instructions, and task execution status reports. The similarities between RiseLoader and RisePro suggest that both may be developed by the same threat actor, and RiseLoader appears to still be under development, with information-stealing and anti-analysis features likely to be added in the future.
Date
- Created: Dec. 16, 2024, 11:06 p.m.
- Published: Dec. 16, 2024, 11:06 p.m.
- Modified: Dec. 17, 2024, 10:04 a.m.