Technical Analysis of RiseLoader

NetmanageIT OpenCTI - opencti.netmanageit.com

SUMMARY:

RiseLoader, a new malware loader family first observed in October 2024, implements a custom TCP-based binary network protocol similar to that of RisePro. It uses VMProtect for obfuscation and has been observed dropping malware families such as Vidar, Lumma Stealer, XMRig, and Socks5Systemz. The malware collects information about installed applications and browser extensions related to cryptocurrency. RiseLoader's network communication protocol involves exchanging various message types with the C2 server, including system information, payload instructions, and task execution status. The similarities between RiseLoader and RisePro suggest that the same threat actor developed both, and that RiseLoader is likely still in development, with information-stealing and anti-analysis features expected to be added in future versions.

OPENCTI LABELS:

vidar, cryptocurrency, xmrig, lumma stealer, risepro, malware loader, socks5systemz, riseloader