Multiple GitHub repositories posing as sources of cracked software were found attempting to drop the RisePro info-stealer onto victim systems.
The campaign delivers a new variant of the RisePro info-stealing malware that is designed to crash malware analysis tools such as IDA and ResourceHacker.
G Data CyberDefense, the German cybersecurity company that made the discovery, reported that it had found at least 13 such repositories belonging to a RisePro stealer campaign that was named Gitgub by the threat actors. The repositories are all similar, and include a README.md file promising free cracked software.
Bloated installer for evasion
In order to complicate analysis of the malware through reverse engineering, the campaign used an installer that was bloated to 699 MB. The bloating was done by repeating blocks of data within the original installer.
“The visualization of the sample by PortexAnalyzer shows that the bloat is non-trivial. While many bloated files feature appended zero bytes, this file has high entropy and no overlay,” G Data wrote in a report on the campaign. “Knowing that the self-extracting archive from which we unpacked the sample compressed this file to 70 MB, we suspected a repeating pattern.”
The bloated data resided in a raw data resource named MICROSOFTVISUALSTUDIODEBUGGERI, which was removed using CFF Explorer to squeeze the file down to its original 3.43 MB.
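The triage heuristic G Data describes (high entropy, no overlay, yet a 699 MB file compresses to 70 MB, so the bloat must be a repeating pattern) can be automated. The following is an added example, not code from G Data or from the report; it works on a raw byte buffer (for instance a resource section dumped with CFF Explorer) rather than parsing the PE itself, and the thresholds and sample data are constructed assumptions.

```python
import math
import random
import zlib
from typing import Optional

def shannon_entropy(data: bytes) -> float:
    """Bits per byte; values near 8.0 look like random or encrypted data."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)

def compression_ratio(data: bytes) -> float:
    """Original size divided by zlib-compressed size (higher = more redundant)."""
    return len(data) / max(1, len(zlib.compress(data, 6)))

def repeat_period(data: bytes, probe: int = 64) -> Optional[int]:
    """If data is one block repeated back-to-back, return the block length.
    The first `probe` bytes are used as a needle; None if not periodic."""
    needle = data[:probe]
    pos = data.find(needle, 1)
    if pos == -1:
        return None
    # Confirm the candidate period reproduces the whole buffer.
    rebuilt = (data[:pos] * (len(data) // pos + 1))[:len(data)]
    return pos if rebuilt == data else None

def classify_bloat(data: bytes, entropy_floor: float = 7.5,
                   ratio_floor: float = 8.0) -> dict:
    """Flag high-entropy data that nonetheless compresses very well.
    Zero-padding bloat has low entropy and is left to a separate check."""
    ent = shannon_entropy(data)
    ratio = compression_ratio(data)
    period = None
    if ent > entropy_floor and ratio > ratio_floor:
        period = repeat_period(data)
    return {"entropy": round(ent, 3), "ratio": round(ratio, 1),
            "period": period, "suspect_repeating_bloat": period is not None}

# Constructed samples (assumptions, not data from the campaign):
# a 4 KiB random block repeated 64 times mimics the MICROSOFTVISUALSTUDIODEBUGGERI
# style resource; a plain random buffer of the same size is the control.
_rng = random.Random(1)
SAMPLE_BLOATED = _rng.randbytes(4096) * 64
SAMPLE_RANDOM = _rng.randbytes(4096 * 64)

if __name__ == "__main__":
    print("bloated:", classify_bloat(SAMPLE_BLOATED))
    print("random: ", classify_bloat(SAMPLE_RANDOM))
```

Run against a dumped resource, a period equal to a block size that repeats across the whole buffer is the signal to strip that resource before further analysis.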