win.riseloader

RiseLoader


RiseLoader is a new malware loader family first observed in October 2024. It uses a custom TCP-based binary network protocol similar to, but distinct from, that used by the PrivateLoader and RisePro malware families. RiseLoader often drops other malware families, such as Vidar, Lumma Stealer, and XMRig, as secondary payloads. It collects information about installed applications and browser extensions, likely related to cryptocurrency.

Key technical characteristics of RiseLoader include:

Anti-analysis Techniques: Samples are often packed with VMProtect and obfuscate strings related to malware analysis and debugging tools.

Behavioural Analysis: Creates a mutex with a hardcoded prefix and randomly generated suffixes. Communicates with a C2 server over TCP using a custom protocol involving specific message types for tasks such as transferring system information, receiving payloads, and confirming execution. Downloads and executes payloads from URLs provided by the C2 server. Creates registry keys as infection markers.

Network Communication: Uses a custom TCP-based protocol with message types like SEND_VICTIM_INFO, SYS_INFO, PAYLOADS, KEEPALIVE, and others. Data is XOR encoded using keys exchanged via a SET_XORKEYS message. The protocol includes a three-way handshake and mechanisms for re-establishing connections.

Similarities to RisePro/PrivateLoader: Shares similar network communication protocols and message structures with RisePro and PrivateLoader, suggesting a potential link between their developers, though RiseLoader's protocol appears simplified. It currently lacks the information-stealing features of RisePro/PrivateLoader but may still be under development.
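The Network Communication paragraph above describes a session in which the XOR keys are delivered in-band (SET_XORKEYS) and then applied to later messages. The decoder below is an added illustration of how an analyst models that kind of stateful, keyed framing when writing a traffic decoder; it is not RiseLoader's real wire format and not code from the Zscaler report. The message-type names are the ones listed on this page, but the numeric type IDs, the header layout (uint16 type, uint32 length), the SET_XORKEYS payload encoding (two length-prefixed keys, one per direction, sent in clear) and the sample traffic are all assumptions constructed for the example.

```python
import struct

# Message type names are those named in the RiseLoader description; the
# numeric IDs and frame layout below are assumptions of this example, not the
# real RiseLoader wire format.
MSG_TYPES = {
    1: "SET_XORKEYS",
    2: "SEND_VICTIM_INFO",
    3: "SYS_INFO",
    4: "PAYLOADS",
    5: "KEEPALIVE",
}
TYPE_IDS = {name: num for num, name in MSG_TYPES.items()}

# Assumed frame: little-endian uint16 message type, uint32 payload length, payload.
HEADER = struct.Struct("<HI")


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; an empty key means the payload is passed through."""
    if not key:
        return bytes(data)
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def build_frame(msg_type: str, payload: bytes, key: bytes = b"") -> bytes:
    """Encode one frame (used here only to construct sample traffic)."""
    body = xor_bytes(payload, key)
    return HEADER.pack(TYPE_IDS[msg_type], len(body)) + body


class SessionDecoder:
    """Stateful decoder for one TCP session.

    Keys arrive in-band: the (assumed cleartext) SET_XORKEYS payload carries
    two length-prefixed keys, one per direction, and every later frame in
    that direction is XOR-decoded with the matching key. A decoder that does
    not track this state misdecodes everything after the key exchange.
    """

    def __init__(self):
        self.keys = {"c2s": b"", "s2c": b""}  # client->server, server->client

    def _apply_keys(self, payload: bytes) -> None:
        # Assumed layout: [len][c2s key][len][s2c key]
        c2s_len = payload[0]
        c2s = payload[1:1 + c2s_len]
        s2c_len = payload[1 + c2s_len]
        s2c = payload[2 + c2s_len:2 + c2s_len + s2c_len]
        self.keys = {"c2s": c2s, "s2c": s2c}

    def feed(self, stream: bytes, direction: str) -> list:
        """Split a byte stream into frames; return (type name, decoded payload) pairs."""
        out = []
        offset = 0
        while offset + HEADER.size <= len(stream):
            type_id, length = HEADER.unpack_from(stream, offset)
            offset += HEADER.size
            if offset + length > len(stream):
                break  # truncated frame: stop rather than guess
            body = stream[offset:offset + length]
            offset += length
            name = MSG_TYPES.get(type_id, f"UNKNOWN_{type_id}")
            if name == "SET_XORKEYS":
                self._apply_keys(body)
                out.append((name, body))
            else:
                out.append((name, xor_bytes(body, self.keys[direction])))
        return out


def demo_session() -> dict:
    """Constructed sample session (not captured traffic) exercising the decoder."""
    c2s_key, s2c_key = b"\x5a\xa5", b"\x13"
    key_msg = bytes([len(c2s_key)]) + c2s_key + bytes([len(s2c_key)]) + s2c_key
    dec = SessionDecoder()
    server_first = build_frame("SET_XORKEYS", key_msg)
    client = (build_frame("SEND_VICTIM_INFO", b"hostname=LAB-PC", c2s_key)
              + build_frame("KEEPALIVE", b"", c2s_key))
    server_second = build_frame("PAYLOADS", b"task=1;url=<placeholder>", s2c_key)
    return {
        "s2c_1": dec.feed(server_first, "s2c"),
        "c2s": dec.feed(client, "c2s"),
        "s2c_2": dec.feed(server_second, "s2c"),
    }


if __name__ == "__main__":
    for direction, frames in demo_session().items():
        print(direction, frames)
```

The point of keeping the decoder stateful per session is that the key material is only recoverable from the SET_XORKEYS frame; a capture that starts after the handshake, or a decoder that ignores direction, yields unreadable payloads for every later SYS_INFO or PAYLOADS message.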

References
2024-12-16, Zscaler ThreatLabZ research team: Technical Analysis of RiseLoader

There is no YARA signature yet.