Technical Analysis of RiseLoader
Dec. 17, 2024, 10:04 a.m.
Description
RiseLoader is a new malware loader family first observed in October 2024. It implements a custom TCP-based binary network protocol that closely resembles the one used by RisePro, is protected with VMProtect for obfuscation, and has been observed dropping malware families including Vidar, Lumma Stealer, XMRig, and Socks5Systemz. The loader also collects information about installed applications and cryptocurrency-related browser extensions. Its C2 communication exchanges several message types with the server, including system information, payload delivery instructions, and task execution status. The similarities between RiseLoader and RisePro suggest both may be developed by the same threat actor; RiseLoader appears to still be under development, with additional information-stealing and anti-analysis features potentially to be added.
Date
Published: Dec. 16, 2024, 11:06 p.m.
Created: Dec. 16, 2024, 11:06 p.m.
Modified: Dec. 17, 2024, 10:04 a.m.
Attack Patterns
RiseLoader
Socks5Systemz
Lumma Stealer
StealC
XMRig
Vidar
PrivateLoader
RisePro
T1559.001
T1553.002
T1027.002
T1571
T1497
T1071.001
T1204.002
T1106
T1082
T1105
T1071
T1140
T1027
T1112
T1059