黑客在GitHub上使用破解软件传播RisePro信息窃取者

Cybersecurity researchers have found a number of GitHub repositories offering cracked software that are used to deliver an information stealer called RisePro.

网络安全研究人员发现了许多GitHub仓库提供破解软件，用于传送名为RisePro的信息窃取软件。

The campaign, codenamed gitgub, includes 17 repositories associated with 11 different accounts, according to G DATA. The repositories in question have since been taken down by the Microsoft-owned subsidiary.

该活动代号为gitgub，包括与11个不同账户相关联的17个仓库，据G DATA称。相关的仓库已经被这家微软旗下的子公司撤下了。

"The repositories look similar, featuring a README.md file with the promise of free cracked software," the German cybersecurity company said.

德国网络安全公司表示：“这些仓库看起来很相似，包含一个README.md文件，承诺提供免费的破解软件。”

"Green and red circles are commonly used on Github to display the status of automatic builds. Gitgub threat actors added four green Unicode circles to their README.md that pretend to display a status alongside a current date and provide a sense of legitimacy and recency."

Github上通常使用绿色和红色圆圈来显示自动构建的状态。Gitgub的威胁行为者在其README.md中添加了四个绿色Unicode圆圈，假装显示一个状态以及当前日期，并提供了合法性和最新性的感觉。

The list of repositories is as follows, with each of them pointing to a download link ("digitalxnetwork[.]com") containing a RAR archive file -

仓库列表如下，每个仓库指向一个下载链接（"digitalxnetwork[.]com"），包含一个RAR归档文件 -

• andreastanaj/AVAST

• andreastanaj/Sound-Booster

• aymenkort1990/fabfilter

• BenWebsite/-IObit-Smart-Defrag-Crack

• Faharnaqvi/VueScan-Crack

• javisolis123/Voicemod

• lolusuary/AOMEI-Backupper

• lolusuary/Daemon-Tools

• lolusuary/EaseUS-Partition-Master

• lolusuary/SOOTHE-2

• mostofakamaljoy/ccleaner

• rik0v/ManyCam

• Roccinhu/Tenorshare-Reiboot

• Roccinhu/Tenorshare-iCareFone

• True-Oblivion/AOMEI-Partition-Assistant

• vaibhavshiledar/droidkit

• vaibhavshiledar/TOON-BOOM-HARMONY

The RAR archive, which requires the victims to supply a password mentioned in the repository's README.md file, contains an installer file, which unpacks the next-stage payload, an executable file that's inflated to 699 MB in an effort to crash analysis tools like IDA Pro.

RAR归档文件需要受害者提供仓库的README.md文件中提到的密码，其中包含一个安装程序文件，解压下一个阶段的有效负载，一个被膨胀到699 MB以阻止IDA Pro等分析工具的可执行文件。

The actual contents of the file – amounting to a mere 3.43 MB – act as a loader to inject RisePro (version 1.6) into either AppLaunch.exe or RegAsm.exe.

文件的实际内容 - 仅为3.43 MB - 作为一个加载器，注入RisePro（版本1.6）到AppLaunch.exe或RegAsm.exe中。

RisePro burst into the spotlight in late 2022 when it was distributed using a pay-per-install (PPI) malware downloader service known as PrivateLoader.

RisePro在2022年末引起关注，当时使用一种名为PrivateLoader的按安装付费（PPI）恶意软件下载器服务进行传播。

Written in C++, it's designed to gather sensitive information from infected hosts and exfiltrate it to two Telegram channels, which are often used by threat actors to extract victims' data. Interestingly, recent research from Checkmarx showed that it's possible to infiltrate and forward messages from an attacker's bot to another Telegram account.

使用C++编写，旨在从感染主机中收集敏感信息并将其转移到两个Telegram频道，这些频道经常被威胁行为者用来提取受害者的数据。有趣的是，Checkmarx的最新研究显示，可以渗透并将消息从攻击者的机器人转发到另一个Telegram账户。

The development comes as Splunk detailed the tactics and techniques adopted by Snake Keylogger, describing it as a stealer malware that "employs a multifaceted approach to data exfiltration."

Splunk详细介绍了Snake Keylogger采用的策略和技术，将其描述为一种利用多方面方法进行数据外泄的窃取恶意软件。

"The use of FTP facilitates the secure transfer of files, while SMTP enables the sending of emails containing sensitive information," Splunk said. "Additionally, integration with Telegram offers a real-time communication platform, allowing for immediate transmission of stolen data."

Splunk表示：“FTP的使用有助于安全传输文件，而SMTP使得发送包含敏感信息的电子邮件成为可能。” 此外，与Telegram的集成提供了一个实时通信平台，允许即时传输被窃取的数据。

Stealer malware have become increasingly popular, often becoming the primary vector for ransomware and other high impact data breaches. According to a report from Specops published this week, RedLine, Vidar, and Raccoon have emerged as the most widely-used stealers, with RedLine alone accounting for the theft of more than 170.3 million passwords in the last six months.

窃取恶意软件变得越来越受欢迎，通常成为勒索软件和其他高影响数据泄露的主要途径。根据Specops本周发布的一份报告，RedLine、Vidar和Raccoon已经成为最广泛使用的窃取者，其中RedLine仅在过去六个月中就窃取了超过1.703亿个密码。

"The current rise of information-stealing malware is a stark reminder of constantly evolving digital threats," Flashpoint noted in January 2024. "While the motivations behind its use is almost always rooted in financial gain, stealers are continually adapting while being more accessible and easier to use."

Flashpoint在2024年1月指出：“目前信息窃取恶意软件的上升是对不断演变的数字威胁的鲜明提醒。虽然其使用背后的动机几乎总是根植于经济利益，但窃取者不断适应并变得更加易于获得和使用。”

参考资料

[1]https://thehackernews.com/2024/03/hackers-using-cracked-software-on.html

关注我们

        欢迎来到我们的公众号！我们专注于全球网络安全和精选双语资讯，为您带来最新的资讯和深入的分析。在这里，您可以了解世界各地的网络安全事件，同时通过我们的双语新闻，获取更多的行业知识。感谢您选择关注我们，我们将继续努力，为您带来有价值的内容。

原文始发于微信公众号（知机安全）：黑客在GitHub上使用破解软件传播RisePro信息窃取者