RiseLoader Attack Windows By Employed A VMProtect To Drop Multiple Malware Families

RiseLoader, a new malware family discovered in October 2024, leverages a custom TCP-based binary protocol similar to RisePro for downloading and executing second-stage payloads. 

Despite RisePro’s development discontinuation in June 2024, RiseLoader’s emergence suggests a potential connection to the threat group behind RisePro and PrivateLoader. 

The malware often employs VMProtect for code obfuscation and has been observed distributing various malware families, including Vidar, Lumma Stealer, XMRig, and Socks5Systemz, aligning with PrivateLoader’s modus operandi. 

It also collects information about cryptocurrency-related applications and browser extensions, further highlighting its malicious intent. 

Free Webinar on Best Practices for API vulnerability & Penetration Testing:  Free Registration

Researchers analyzed RiseLoader malware and found it uses VMProtect packer and obfuscates strings related to debuggers and analysis tools, which are present but unused, suggesting potential future implementation of anti-analysis features that check for the presence of these tools. 

Unlike its relatives, RisePro and PrivateLoader, RiseLoader currently lacks stack-based string obfuscation techniques, which establish persistence by creating a mutex and randomly selecting a C2 server and communicating with it to receive commands and payload URLs. 

It creates multiple threads to handle these operations, including one to continuously check for and process C2 commands and another to download and execute payloads from the provided URLs. 

According to Zscaler, payloads are executed using appropriate methods, such as rundll32 for DLLs and process creation for executables and once all payloads are executed, RiseLoader terminates.

RiseLoader establishes a TCP connection with a C2 server, exchanging XOR keys for encrypted communication and sending system information and a unique identifier, where the server sends payload URLs and execution instructions. 

It downloads and executes these payloads, reporting back success or failure.

Both client and server periodically send KEEPALIVE messages to maintain the connection, where the server can force a shutdown or change the campaign ID.

By establishing an encrypted connection with its C2 server, it exchanges XOR keys for secure communication and then gathers system information and sends it to the server.

Upon receiving payload URLs, it downloads and executes them, potentially creating a registry key as an infection marker. 

After payload execution, it downloads a tracking pixel and terminates. The communication protocol shares similarities with RisePro, including a custom binary TCP-based protocol with encrypted JSON messages and a similar handshake process. 

While behavioral similarities and dropped malware families point to a connection, RiseLoader’s unique communication protocol strongly aligns with RisePro’s, as this shared protocol, including message structure, initialization, and payload format, further strengthens the evidence of a common origin. 

Investigate Real-World Malicious Links, Malware & Phishing Attacks With ANY.RUN – Try for Free