RiseLoader, a new malware family identified in October 2024, has emerged as a serious threat to Windows systems. It employs a custom TCP-based binary protocol, closely resembling its predecessor RisePro, which was discontinued in mid-2024. Despite this, RiseLoader maintains a strong connection to the threat groups behind both RisePro and PrivateLoader. Researchers have found that RiseLoader uses VMProtect for code obfuscation, making its detection and analysis more difficult. This sophisticated approach is designed to evade security tools and prolong the malware’s presence on infected systems.
RiseLoader is primarily used to distribute a variety of malicious payloads, including Vidar, Lumma Stealer, XMRig, and Socks5Systemz. These malware families are typically used for stealing sensitive data, cryptocurrency mining, and establishing persistence within compromised environments. Additionally, RiseLoader collects information on cryptocurrency-related applications and browser extensions, suggesting that it may target victims involved in digital currency transactions. This aligns with the typical modus operandi of PrivateLoader, which has also been used in similar campaigns.
The malware’s operation relies on a custom TCP-based communication protocol, where encrypted messages and XOR keys are exchanged between the infected machine and its command-and-control (C2) server. The malware sends system information and a unique identifier to the server, which then responds with payload URLs and execution instructions. Once the payloads are downloaded, RiseLoader executes them using appropriate methods, such as rundll32 for DLLs and process creation for executables. After completing its task, RiseLoader terminates but leaves behind a registry key that serves as an infection marker.
Despite sharing similarities with RisePro in its communication protocol, RiseLoader distinguishes itself with a unique handshake process and message structure. While it lacks some of the obfuscation techniques of RisePro, such as stack-based string obfuscation, it still employs effective anti-analysis features. This includes mechanisms to detect debugging tools and analysis software, ensuring that security experts have a difficult time dissecting its operation. The evolution of RiseLoader highlights the ongoing sophistication of malware families and the persistence of threat actors in refining their tactics to avoid detection.
Reference:
