
Hackers drop RisePro information stealers via GitHub repositories

A number of GitHub repositories posing as cracked software have been discovered attempting to drop the RisePro info-stealer onto victim systems.

The campaign delivers a new variant of the RisePro info-stealing malware designed to crash malware analysis tools such as IDA and ResourceHacker.

G Data CyberDefense, the German cybersecurity firm that made the discovery, reported that it had found at least 13 such repositories belonging to a RisePro stealer campaign that the threat actors named Gitgub. The repositories are all similar, and each includes a README.md file promising free cracked software.

Bloated installer for evasion

To complicate analysis of the malware by reverse engineering, the campaign used an installer bloated to 699 MB. The bloating was achieved by repeating blocks of code within the original installer.

“The visualization of the sample by PortexAnalyzer shows that the bloat is non-trivial. While many bloated files feature appended zero bytes, this file has high entropy and no overlay,” G Data wrote in a report on the campaign. “Knowing that the self-extracting archive from which we unpacked the sample compressed this file to 70 MB, we suspected a repeating pattern.”


The bloated data resided in a raw data resource named MICROSOFTVISUALSTUDIODEBUGGERI, which was removed using CFF Explorer to shrink the file back down to its original 3.43 MB.
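The detail that makes this sample unusual is that the padding is high-entropy yet compresses roughly tenfold, which is the signature of a repeated block rather than appended zeros. The following script is an added example, not code from G Data or the report, showing how a triage tool can score a dumped blob (for instance the contents of a suspicious resource) on exactly those three signals: Shannon entropy, zlib compression ratio, and the share of duplicate fixed-size chunks. The function names, thresholds and the constructed sample are assumptions for illustration.

```python
import hashlib
import math
import zlib
from collections import Counter


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; random-looking data approaches 8.0."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def bloat_indicators(data: bytes, chunk: int = 4096) -> dict:
    """Heuristics for 'high entropy but highly compressible' padding.

    A blob built from one random-looking block repeated many times keeps
    near-8.0 entropy, so entropy alone says nothing; the compression ratio
    and the fraction of duplicate chunks expose the repetition.
    Thresholds below are illustrative assumptions, not published values.
    """
    entropy = shannon_entropy(data)
    ratio = len(zlib.compress(data, 6)) / max(len(data), 1)
    digests = [hashlib.sha256(data[i:i + chunk]).digest()
               for i in range(0, len(data) - chunk + 1, chunk)]
    dup_share = 1 - len(set(digests)) / len(digests) if digests else 0.0
    return {
        "size": len(data),
        "entropy": round(entropy, 2),
        "compression_ratio": round(ratio, 3),
        "duplicate_chunk_share": round(dup_share, 3),
        # Looks random, but either compresses away or is mostly repeated chunks
        "suspicious": entropy > 7.0 and (ratio < 0.2 or dup_share > 0.5),
    }


def constructed_sample(block_kib: int = 8, repeats: int = 64) -> bytes:
    """Constructed stand-in for a padded resource: a deterministic
    pseudo-random block of block_kib KiB repeated `repeats` times."""
    block = b"".join(hashlib.sha256(i.to_bytes(4, "little")).digest()
                     for i in range(block_kib * 32))  # 32 digests per KiB
    return block * repeats


if __name__ == "__main__":
    print(bloat_indicators(constructed_sample()))         # repeated: flagged
    print(bloat_indicators(constructed_sample(64, 1)))    # unique: not flagged
```

Run it on a resource extracted with a PE tool (or on the whole file) to confirm whether a large, high-entropy region is padding worth stripping before analysis, as was done for the 699 MB installer.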
