RisePro TCP v.0.1

Hi, it’s me again! And here’s what I brought you. A few rules for RisePro; the protocol is TCP in this version instead of HTTP. Maybe it’s just a setting, I don’t know yet, there is no builder. XOR encryption is the same as in HTTP: 0x36, one byte. Look at my tweet,
https://twitter.com/Jane_0sint/status/1667565169461919746?s=20
There I tried to combine commands with bytes from the protocol, I could have messed up, although it’s unlikely with a request to load the configuration and exfiltrate.

And so here are the rules:

alert tcp any any -> any any (msg: "ET MALWARE [ANY.RUN] RisePro (Token)";flow: established, to_client; stream_size: server, =, 37; dsize: 36; content: "|18 00 00 00 12 27 00 00|";offset: 4; depth: 8; classtype: command-and-control; reference:md5,a1f3423e231abd59d45b2ec37f751bbc; reference:url,app.any.run/tasks/d4c145cc-6a2d-4512-9cd6-555f0f2e17ed; metadata: attack_target Client_Endpoint, deployment Perimeter, former_category MALWARE, signature_severity Major, malware_family RisePro, created_at 2023_06_10; sid: 8000175; rev: 1;)

alert tcp any any -> any any (msg: "ET MALWARE [ANY.RUN] RisePro (External IP)";flow: established, to_client; dsize: 19<>29; content: "|00 00 00 21 27 00 00|";offset: 5; depth: 8; classtype: command-and-control; reference:md5,a1f3423e231abd59d45b2ec37f751bbc; reference:url,app.any.run/tasks/d4c145cc-6a2d-4512-9cd6-555f0f2e17ed; metadata: attack_target Client_Endpoint, deployment Perimeter, former_category MALWARE, signature_severity Major, malware_family RisePro, created_at 2023_06_10; sid: 8000176; rev: 1;)

alert tcp any any -> any any (msg: "ET MALWARE [ANY.RUN] RisePro (Get_settings)";flow: established, to_server; dsize: 13;content: "|01 00 00 00 18 27 00 00|";offset: 4; depth: 8; classtype: command-and-control;reference:md5,a1f3423e231abd59d45b2ec37f751bbc; reference:url,app.any.run/tasks/d4c145cc-6a2d-4512-9cd6-555f0f2e17ed; metadata: attack_target Client_Endpoint, deployment Perimeter, former_category MALWARE, signature_severity Major, malware_family RisePro, created_at 2023_06_10;sid: 8000177; rev: 1;)

alert tcp any any -> any any (msg: "ET MALWARE [ANY.RUN] RisePro (Activity)";flow: established, to_server; dsize: 12;content: "|00 00 00 00 10 27 00 00|";offset: 4; depth: 8; classtype: command-and-control;reference:md5,a1f3423e231abd59d45b2ec37f751bbc; reference:url,app.any.run/tasks/d4c145cc-6a2d-4512-9cd6-555f0f2e17ed; metadata: attack_target Client_Endpoint, deployment Perimeter, former_category MALWARE, signature_severity Major, malware_family RisePro, created_at 2023_06_10;sid: 8000178; rev: 1;)

alert tcp any any -> any any (msg: "ET MALWARE [ANY.RUN] RisePro (Exfiltration)";flow: established, to_server; dsize: >1100;content: "|00 1F 27 00 00|";offset: 7; depth: 5; classtype: command-and-control;reference:md5,a1f3423e231abd59d45b2ec37f751bbc; reference:url,app.any.run/tasks/d4c145cc-6a2d-4512-9cd6-555f0f2e17ed; metadata: attack_target Client_Endpoint, deployment Perimeter, former_category MALWARE, signature_severity Major, malware_family RisePro, created_at 2023_06_10;sid: 8000179; rev: 1;)

And here are a couple of additional links to samples:

Automated Malware Analysis Report for file.exe - Generated by Joe Sandbox

Have a nice day, regards Jane.

2 Likes
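To check the byte-level conditions of the five rules above against sample traffic offline, here is a small Python matcher. It is an added example, not code from the post or from the ET ruleset; the 4-byte length / 4-byte command header layout is inferred from the rule contents and labelled as an assumption, as is applying the 0x36 XOR to the bytes after the header. `flow` state and the Token rule's `stream_size` are not modelled.

```python
"""Re-implement the dsize/offset/depth/content logic of the RisePro TCP rules
and test it on constructed packets (example, not the original post's code)."""
import struct

XOR_KEY = 0x36  # single-byte key from the post; ASSUMED to cover only the body

# (name, direction, dsize predicate, content bytes, offset, depth), from the rules.
RULES = [
    ("Token",        "to_client", lambda n: n == 36,     bytes.fromhex("1800000012270000"), 4, 8),
    ("External IP",  "to_client", lambda n: 19 < n < 29, bytes.fromhex("00000021270000"),   5, 8),
    ("Get_settings", "to_server", lambda n: n == 13,     bytes.fromhex("0100000018270000"), 4, 8),
    ("Activity",     "to_server", lambda n: n == 12,     bytes.fromhex("0000000010270000"), 4, 8),
    ("Exfiltration", "to_server", lambda n: n > 1100,    bytes.fromhex("001F270000"),       7, 5),
]


def content_matches(payload: bytes, content: bytes, offset: int, depth: int) -> bool:
    """Suricata semantics: with offset set, depth counts from offset, so the
    content must lie entirely inside payload[offset:offset+depth]."""
    return content in payload[offset:offset + depth]


def match_rules(payload: bytes, direction: str) -> list:
    """Return the names of all rules whose direction, dsize and content fire."""
    return [name for name, d, dsize_ok, content, off, depth in RULES
            if d == direction and dsize_ok(len(payload))
            and content_matches(payload, content, off, depth)]


def parse_header(payload: bytes):
    """ASSUMED layout inferred from the rules: 4 unknown bytes, then a
    little-endian body length, then a little-endian command id (0x27xx)."""
    if len(payload) < 12:
        return None
    _unknown, body_len, cmd = struct.unpack_from("<III", payload, 0)
    return {"body_len": body_len, "cmd": cmd, "body": payload[12:]}


def xor_decode(body: bytes, key: int = XOR_KEY) -> bytes:
    """Single-byte XOR is its own inverse, so this both encodes and decodes."""
    return bytes(b ^ key for b in body)


def build_packet(cmd: int, body: bytes, lead: bytes = b"\x00" * 4) -> bytes:
    """Construct a sample packet in the assumed layout (constructed test data)."""
    return lead + struct.pack("<II", len(body), cmd) + body


if __name__ == "__main__":
    # Constructed external-IP reply: documentation address, body XOR-encoded.
    pkt = build_packet(0x2721, xor_decode(b"203.0.113.10"))
    print(match_rules(pkt, "to_client"), xor_decode(parse_header(pkt)["body"]))
```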

Hello again, and thank you very much for your contribution to the ET ruleset. I’ve looked over the rules you provided and aside from some minor cosmetic/style changes (e.g. spacing of options, using HOME and EXTERNAL_NET vars) nothing of substance requires modifying.

Wonderful job! We will add these rules to the ETOPEN ruleset, and credit you for the assistance.

Also, it looks like we have coverage for the HTTP version of RisePro, according to our Dalton instance. We ran the pcap from the RisePro v.1.0 HTTP sample you provided and the following rules triggered:

[1:2042982:1] ET MALWARE Win32/RisePro CnC Command Outbound (set_file)
[1:2042983:1] ET MALWARE Win32/RisePro CnC Command Outbound (get_loaders)
[1:2042984:1] ET MALWARE Win32/RisePro CnC Command Outbound (get_marks)
[1:2042985:1] ET MALWARE Win32/RisePro CnC Command Outbound (freezeStats)
[1:2042987:1] ET MALWARE Win32/RisePro CnC Command Outbound (pingmap)
[1:2042989:1] ET MALWARE Win32/RisePro CnC Server Response M1
[1:2042990:1] ET MALWARE Win32/RisePro CnC Server Response M2
[1:2042991:1] ET MALWARE Win32/RisePro CnC Server Response M3

Thanks for everything, and if there is anything else I can do for you, let me know.

-Tony

2 Likes

Cool, I also use Dalton! And Risepro v.1.0 in open HTTP is well covered with rules, I used their sids to search for traffic in the database. Another challenge to cover encrypted HTTPS by packet length, it’s a pity this method is not quite suitable for highly loaded systems :expressionless: So we will use it in the sandbox :wink:
Good luck!

Hi, I looked at the contents of the information.txt file and see that the version of the stealer has been updated, but don’t worry)) because the rules continue to work. The current versions are 0.1, 0.2 and 0.4, and now I propose to change the message a little.
Perhaps something like ET MALWARE [ANY.RUN] RisePro TCP v.0.x ?
Rule numbers 2046267 2046269 2046268 2046266 2046270

Have a nice day!
Jane

1 Like

Thanks! We got those updated for today's release.

JT

Hi, I came to update the message in the rule. The release version of RisePro has been released and now the note about version v.0.x is no longer relevant, I suggest removing it)

Have a nice day!
Jane.

1 Like

Thanks! Updated signature names will go out in today's release.

JT

2 Likes

Hi, can I please add a link to this discussion to the rules?
Sorry I’ll have to send this message to all my threads :pray:
reference:url,community.emergingthreats.net/t/risepro-tcp-v-0-1/;

Hi Jane,

Updates to the reference in the signatures will go out today. Thanks for bringing this up!

JT

2 Likes

I offer the following description for this threat:

RisePro is a malware-as-a-service info-stealer, first identified in 2022. It is distributed through fake cracks sites operated by the PrivateLoader pay-per-install (PPI) malware distribution service. It is designed to steal credit cards, passwords, and crypto wallets from infected devices. The current implementation of the stealer is built using its own protocol based on the TCP transport using custom encryption. The detected threat allows not only to steal client data but also to install remote control over it via HVNC.

reference:url,any.run/cybersecurity-blog/risepro-malware-communication-analysis;

This may not be the best description, but I suggest starting with this.
Best regards, Jane.

1 Like

Thanks Jane! We will get the updates out today.

JT

1 Like

Sorry, I forgot to include the rule numbers:
2046266 2046268 2046270 - Any.run
2049660 2049060 2049661 - ET

The Any.run sids were updated yesterday as well, I updated the ET ones for today's release. Thanks Jane!

JT

2 Likes