
Your Locally Stored Credentials On The Dark Web Market Is Only A "RisePro Stealer" Away

0.0 Preface

RisePro has been a popular information stealer family since late 2022, and after a year of relatively stable trend activity, it has hit a new peak of detections in the wild.

Ref. Alien Vault

For those who are not familiar with RisePro, it is an information stealer malware family that steals passwords and personal data and conducts discovery activities on a victim's system.

0.1 Context

On the evening of 2024/05/08, team Unauthorized began investigating RisePro's behavior in order to provide threat hunting advice and queries to blue team members, with the goal of enabling them to protect against or discover RisePro in their managed environments.

The investigation is powered by the Clean Factory project, which is a small segmented lab serving different researching purposes. In this investigation, the Active Directory (AD) portion of Clean Factory was chosen to execute the malware with appropriate containment measures taken to ensure zero-spread into the other networks.

The AD network has one Domain Controller (DC), and two end-user machines, james.doe and bob.doe (cousins of John Doe), simulating a small network environment for capturing potential lateral movement attempts by the threat sample.

James.doe will be the volunteer to have RisePro malware running.

1.0 Investigation

The malware sample located in James' Downloads folder was executed:

The chosen sample was CrossDeviceSettingsHost.exe:5cb9acbd4d0bfa2ae8a094291a44580bbcfb576042fe2328aa437d40c90f6e1c

Ref. Virus Total

The executable has been renamed to 5cb9acbd4d0bfa2ae8a094291a44580bbcfb576042fe2328aa437d40c90f6e1c.exe on the system. However, from the original PE name field we can find its original name:

Following the threat activity, the logs show a DLL load event for vaultcli.dll. This DLL is used by the Windows executable vaultcmd.exe, the command-line front end of Windows Credential Manager, and it contains the functions used to enumerate and retrieve entries from the credential vault.

By loading this DLL, the malware will be able to interact with locally stored credentials from the following categories:

  • Web-based credentials such as browser saved credentials.

  • Windows authentication data such as NTLM and Kerberos.

  • Cleartext usernames and passwords.

  • Certificate-based credentials.

The credential harvesting began once the info stealer loaded the DLL; the following files were created, most of them under the user's AppData\Local\Temp folder:

  • C:\Users\james.doe\AppData\Local\Microsoft\Edge\User Data\Login Data For Account

  • C:\Users\james.doe\AppData\Local\Temp\spanM4MirzPcGQg7\u3QPZpTYvOeuLogin Data

  • C:\Users\james.doe\AppData\Local\Temp\spanM4MirzPcGQg7\nH6z0CeluNccWeb Data

  • C:\Users\james.doe\AppData\Local\Temp\spanM4MirzPcGQg7\KH1RFY5WeUuqHistory

  • C:\Users\james.doe\AppData\Local\Temp\spanM4MirzPcGQg7\IbNTGNGbJXwKWeb Data

  • C:\Users\james.doe\AppData\Local\Temp\spanM4MirzPcGQg7\xo8GfjuCvDFqCookies

  • C:\Users\james.doe\AppData\Local\Temp\spanM4MirzPcGQg7\6byZPRVszmUKHistory

  • C:\Users\james.doe\AppData\Local\Temp\spanM4MirzPcGQg7\2pnXXiA5ls9FWeb Data

  • C:\Users\james.doe\AppData\Local\Temp\trixyM4MirzPcGQg7\passwords.txt

  • C:\Users\james.doe\AppData\Local\Temp\trixyM4MirzPcGQg7\information.txt

  • C:\Users\james.doe\AppData\Local\Temp\trixyM4MirzPcGQg7\Downloads\Edge_Default.txt

  • C:\Users\james.doe\AppData\Local\Temp\trixyM4MirzPcGQg7\Cookies\Edge_Default.txt

The dumped credential files were zipped into the same directory:

  • C:\Users\james.doe\AppData\Local\Temp\VaeaySYctF52L1rpIesEdCa.zip

Poor James Doe has had his credentials stolen!

The next part of this storyline is data exfiltration. Outbound traffic was initiated by the info stealer and three IP addresses were discovered.

147[.]45[.]47[.]126 (Russia - Karina Rashkovska)

34[.]117[.]186[.]192 (US - Google Cloud Platform)

172[.]67[.]75[.]166 (US - Cloudflare)

Among these IPs, 34[.]117[.]186[.]192 and 172[.]67[.]75[.]166 point to ipinfo[.]io, which provides a legitimate service.

However, 147[.]45[.]47[.]126 is the attacker-controlled IP that we should be concerned about. Threat intelligence shows it is associated with RisePro, as shown here:

We have also found a recent Twitter post corroborating this IP to be a part of a RisePro campaign!

This is where James' credentials went to get auctioned off!

A persistence technique was also discovered: the malicious executable dropped a second payload, RageMP131.exe, into the C:\Users\james.doe\AppData\Local\RageMP131\ folder.

Ref. Any Run

This payload was added to the Windows\CurrentVersion\Run registry key to maintain persistence on the victim's system.

During the entire threat storyline, system information discovery activities were also detected. The malware queried these registry entries for system information:

CPU Information:

  • HKLM\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString

BIOS Information:

  • HKLM\HARDWARE\DESCRIPTION\System\SystemBiosVersion

No attempts to spread in the network were detected.

1.1 Summary

From analyzing the malware's behavior, we identified that the following techniques were used for credential harvesting:

  • T1555.004 - Windows Credential Manager

  • T1555.003 - Credentials from Web Browser

  • T1539 - Steal Web Session Cookie

The following persistence technique was used to maintain its persistence via the second payload:

  • T1547.001 - Registry Run Key / Startup Folder

The following discovery and exfiltration techniques were used to read CPU and BIOS information and to exfiltrate credential data to the attacker-controlled IP:

  • T1082 - System Information Discovery

  • T1041 - Exfiltration Over C2 Channel

2.0 Threat Hunting

In this section, threat hunting queries are provided based on SentinelOne syntax and will be separated into two sections, IOC and Behavior.

We trust that translating them into other EDR/SIEM queries should not be a challenge for you. If you do need support, this online resource could point you in the right direction.

2.1 IOC Hunting

-- IOC IP Addresses
#ip == "147.45.47.126"

-- IOC Hashes
#hash in ("5cb9acbd4d0bfa2ae8a094291a44580bbcfb576042fe2328aa437d40c90f6e1c", "8434E40891D141EF40DCAE59B9E7503066BDAA77B08B33C0E2445733BB5E17FC")

-- IOC Registry
registry.keyPath matches:anycase "\\\\Run\\\\RageMP131" OR registry.value == "RageMP131"

2.2 Behavior Hunting

-- Potentially Suspicious vaultcli.dll Module Load 
event.type == "Module Load" AND module.path contains:anycase "vaultcli.dll"

-- Potentially Suspicious IP Address Information Querying
#ip in ("34.117.186.192", "172.67.75.166") AND src.process.image.path matches:anycase ("C:\\\\Temp\\\\", "\\\\Downloads\\\\", "\\\\Documents\\\\", "\\\\Desktop\\\\", "\\\\AppData\\\\Roaming\\\\")
| columns SrcProcessImage = src.process.image.path, SrcCmdline = src.process.cmdline

-- Potentially Suspicious File Operation Event
event.type in ("File Modification", "File Creation") AND src.process.image.path matches:anycase ("C:\\\\Temp\\\\", "\\\\Downloads\\\\", "\\\\Documents\\\\", "\\\\Desktop\\\\", "\\\\AppData\\\\Roaming\\\\") AND (tgt.file.path matches:anycase ("\\\\AppData\\\\Local\\\\Temp") AND tgt.file.path matches:anycase ("\\.zip$", "\\.txt$", "\\\\[\\w\\d]+$")) AND !(src.process.publisher contains:anycase "MicroSoft")
| columns Host = endpoint.name, User = src.process.user, Event = event.type, SrcProcessPath = src.process.image.path, SrcCommand = src.process.cmdline, TgtFile = tgt.file.path

-- Potentially Suspicious Registry Persistence
event.type in ('Registry Key Create', 'Registry Value Create', 'Registry Key Import', 'Registry Value Modified') AND src.process.image.path matches:anycase ("C:\\\\Temp\\\\", "\\\\Downloads\\\\", "\\\\Documents\\\\", "\\\\Desktop\\\\", "\\\\AppData\\\\Roaming\\\\") AND registry.keyPath matches:anycase ("\\\\CurrentVersion\\\\Run", "Explorer\\\\[\\S]\\s*Shell", "\\\\Policies\\\\Explorer\\\\Run", "Winlogon\\\\Userinit", "Winlogon\\\\Shell", "CurrentVersion\\\\Windows", "\\\\Control\\\\Session")
| columns Host = endpoint.name, User = src.process.user, SrcImage = src.process.image.path, Hash = src.process.image.sha256, RegistryKey = registry.keyPath, RegistryValue = registry.value
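To show what translating the behavior rules above into another tool looks like, here is an added Python example (not from the original post and not SentinelOne code) that applies the same three conditions to a handful of constructed telemetry records. The field names (type, src_image, module, tgt_file, publisher, reg_key), the sample paths and the HKCU hive are assumptions.

```python
import re

# Added example (not from the original post): the three behavior rules above,
# re-expressed in Python and run over constructed telemetry records. Field names
# are assumptions that loosely mirror the SentinelOne fields used in the queries.
UNTRUSTED_SRC = re.compile(
    r"(C:\\Temp\\|\\Downloads\\|\\Documents\\|\\Desktop\\|\\AppData\\Roaming\\)", re.I)
TEMP_DROP = re.compile(r"\\AppData\\Local\\Temp\\.*(\.zip|\.txt|\\[\w]+)$", re.I)
PERSIST_KEY = re.compile(
    r"(\\CurrentVersion\\Run|\\Policies\\Explorer\\Run|Winlogon\\(Userinit|Shell))", re.I)


def hunt(events):
    """Return (rule, event) pairs for records matching the RisePro behavior rules."""
    hits = []
    for ev in events:
        untrusted = bool(UNTRUSTED_SRC.search(ev.get("src_image", "")))
        if ev["type"] == "Module Load" and "vaultcli.dll" in ev.get("module", "").lower():
            hits.append(("vaultcli_load", ev))            # credential vault access
        elif (ev["type"] in ("File Creation", "File Modification") and untrusted
              and TEMP_DROP.search(ev.get("tgt_file", ""))
              and "microsoft" not in ev.get("publisher", "").lower()):
            hits.append(("temp_drop", ev))                # loot staging in Temp
        elif (ev["type"].startswith("Registry") and untrusted
              and PERSIST_KEY.search(ev.get("reg_key", ""))):
            hits.append(("run_key_persistence", ev))      # Run key persistence
    return hits


SAMPLE = r"C:\Users\james.doe\Downloads\CrossDeviceSettingsHost.exe"  # constructed path
SAMPLE_EVENTS = [  # constructed records, not real EDR output
    {"type": "Module Load", "src_image": SAMPLE,
     "module": r"C:\Windows\System32\vaultcli.dll"},
    {"type": "File Creation", "src_image": SAMPLE, "publisher": "",
     "tgt_file": r"C:\Users\james.doe\AppData\Local\Temp\trixyM4MirzPcGQg7\passwords.txt"},
    {"type": "File Creation", "publisher": "Microsoft Corporation",   # benign noise
     "src_image": r"C:\Program Files\Microsoft\Edge\Application\msedge.exe",
     "tgt_file": r"C:\Users\james.doe\AppData\Local\Temp\edge_cache.txt"},
    {"type": "Registry Value Create", "src_image": SAMPLE,
     "reg_key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"},  # hive assumed
]


def run_sample():
    """Names of the rules fired by the constructed records, in order."""
    return [rule for rule, _ in hunt(SAMPLE_EVENTS)]


if __name__ == "__main__":
    for rule, ev in hunt(SAMPLE_EVENTS):
        print(f"{rule:22} {ev['type']:22} {ev.get('src_image', '')}")
```

The Edge record is deliberately included to show the publisher and source-path conditions suppressing a legitimate browser writing to Temp.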

3.0 Response Suggestion

For prompt response actions, the following countermeasures are advised:

  • Implement geo-blocking in a firewall to only allow authentication traffic from known countries.

  • Push password changes to affected users and ensure the new password has no relation with the previously compromised one. Follow a strong password policy.

  • Recovery from compromised status:

    • (Optional) Only remove the persistence created by the malware, and ensure all above actions were taken.

    • (Recommended) Rebuild the infected system, and ensure all above actions were taken.

Community Channels

Discord: https://discord.gg/WMFFTDPuEB

Twitter: https://twitter.com/unauthorize403
