RisePro TCP v.0.1

Jane0sint · June 13, 2023, 8:17pm

Hi, it’s me again! And here’s what I brought you. Few rules for RisePro, protocol is TCP in this version instead of HTTP. Maybe it’s just a setting, I don’t know yet there is no builder. Xor encryption is the same as HTTP is 0x36 - one byte. Look at my tweet,

There I tried to combine commands with bytes from the protocol, I could have messed up, although it’s unlikely with a request to load the configuration and exfiltrate.

And so here are the rules:

alert tcp any any -> any any (msg: "ET MALWARE [ANY.RUN] RisePro (Token)";flow: established, to_client; stream_size: server, =, 37; dsize: 36; content: "|18 00 00 00 12 27 00 00|";offset: 4; depth: 8; classtype: command-and-control; reference:md5,a1f3423e231abd59d45b2ec37f751bbc; reference:url,app.any.run/tasks/d4c145cc-6a2d-4512-9cd6-555f0f2e17ed; metadata: attack_target Client_Endpoint, deployment Perimeter, former_category MALWARE, signature_severity Major, malware_family RisePro, created_at 2023_06_10; sid: 8000175; rev: 1;)

alert tcp any any -> any any (msg: "ET MALWARE [ANY.RUN] RisePro (External IP)";flow: established, to_client; dsize: 19<>29; content: "|00 00 00 21 27 00 00|";offset: 5; depth: 8; classtype: command-and-control; reference:md5,a1f3423e231abd59d45b2ec37f751bbc; reference:url,app.any.run/tasks/d4c145cc-6a2d-4512-9cd6-555f0f2e17ed; metadata: attack_target Client_Endpoint, deployment Perimeter, former_category MALWARE, signature_severity Major, malware_family RisePro, created_at 2023_06_10; sid: 8000176; rev: 1;)

alert tcp any any -> any any (msg: "ET MALWARE [ANY.RUN] RisePro (Get_settings)";flow: established, to_server; dsize: 13;content: "|01 00 00 00 18 27 00 00|";offset: 4; depth: 8; classtype: command-and-control;reference:md5,a1f3423e231abd59d45b2ec37f751bbc; reference:url,app.any.run/tasks/d4c145cc-6a2d-4512-9cd6-555f0f2e17ed; metadata: attack_target Client_Endpoint, deployment Perimeter, former_category MALWARE, signature_severity Major, malware_family RisePro, created_at 2023_06_10;sid: 8000177; rev: 1;)

alert tcp any any -> any any (msg: "ET MALWARE [ANY.RUN] RisePro (Activity)";flow: established, to_server; dsize: 12;content: "|00 00 00 00 10 27 00 00|";offset: 4; depth: 8; classtype: command-and-control;reference:md5,a1f3423e231abd59d45b2ec37f751bbc; reference:url,app.any.run/tasks/d4c145cc-6a2d-4512-9cd6-555f0f2e17ed; metadata: attack_target Client_Endpoint, deployment Perimeter, former_category MALWARE, signature_severity Major, malware_family RisePro, created_at 2023_06_10;sid: 8000178; rev: 1;)

alert tcp any any -> any any (msg: "ET MALWARE [ANY.RUN] RisePro (Exfiltration)";flow: established, to_server; dsize: >1100;content: "|00 1F 27 00 00|";offset: 7; depth: 5; classtype: command-and-control;reference:md5,a1f3423e231abd59d45b2ec37f751bbc; reference:url,app.any.run/tasks/d4c145cc-6a2d-4512-9cd6-555f0f2e17ed; metadata: attack_target Client_Endpoint, deployment Perimeter, former_category MALWARE, signature_severity Major, malware_family RisePro, created_at 2023_06_10;sid: 8000179; rev: 1;)

And here are a couple of additional links to samples:

Automated Malware Analysis Report for file.exe - Generated by Joe Sandbox
Automated Malware Analysis Report for file.exe - Generated by Joe Sandbox

Have a nice day, regards Jane.

trobinson667 · June 14, 2023, 7:31pm

Hello again! and thank you very much for your contribution to the ET ruleset. I’ve looked over the rules you provided and aside from some minor cosmetic/style changes, (e.g. spacing of options, using HOME and EXTERNAL_NET vars) nothing of substances requires modifying.

Wonderful job! We will add these rules to the ETOPEN ruleset, and credit you for the assistance.

Also, it looks like we have coverage for the HTTP version of RisePro, according to our Dalton instance. We ran the pcap from the The Risepro v.1.0 HTTP sample you provided and the following rules triggered:

[1:2042982:1] ET MALWARE Win32/RisePro CnC Command Outbound (set_file)
[1:2042983:1] ET MALWARE Win32/RisePro CnC Command Outbound (get_loaders)
[1:2042984:1] ET MALWARE Win32/RisePro CnC Command Outbound (get_marks)
[1:2042985:1] ET MALWARE Win32/RisePro CnC Command Outbound (freezeStats)
[1:2042987:1] ET MALWARE Win32/RisePro CnC Command Outbound (pingmap)
[1:2042989:1] ET MALWARE Win32/RisePro CnC Server Response M1
[1:2042990:1] ET MALWARE Win32/RisePro CnC Server Response M2
[1:2042991:1] ET MALWARE Win32/RisePro CnC Server Response M3

Thanks for everything, and if there is anything else I can do for you, let me know.

-Tony

Jane0sint · June 14, 2023, 7:57pm

Cool, I also use Dalton! And Risepro v.1.0 in open HTTP is well covered with rules, I used their sids to search for traffic in the database. Another challenge to cover encrypted HTTPS by packet length, it’s a pity this method is not quite suitable for highly loaded systems So we will use it in the sandbox
Good luck!

Jane0sint · August 15, 2023, 1:14pm

Hi, I look at the contents of the information.txt file and see that the version of the stealer has been updated, but don’t worry)) because the rules continue to work. The current versions are 0.1 0.2 and 0.4 and now I propose to change the message a little.
Perhaps something like ET MALWARE [ANY.RUN] RisePro TCP v.0.x ?
Rule numbers 2046267 2046269 2046268 2046266 2046270

Have a nice day!
Jane

jtaylor · August 17, 2023, 7:46pm

Thanks! We got those updated for todays release.

JT