
RiseLoader Uses VMProtect to Deploy Multiple Malware on Windows


In October 2024, researchers uncovered a new malware loader family dubbed RiseLoader, which uses a custom TCP-based binary network protocol that closely resembles the one used by RisePro, a previously active information-stealing malware.

Unlike its predecessor, RiseLoader is primarily designed to download and execute secondary payloads. Its appearance is particularly intriguing because the threat actor behind RisePro had publicly announced on Telegram in June 2024 that the project was discontinued.

To evade detection and analysis, RiseLoader is obfuscated with VMProtect. It has also been observed deploying a diverse range of malware strains, including Vidar, Lumma Stealer, XMRig, and Socks5Systemz, a set of payloads consistent with the distribution tactics of PrivateLoader.

RiseLoader actively collects information on installed applications and browser extensions related to cryptocurrency, indicating a potential focus on targeting individuals or systems involved in cryptocurrency activities. 

RiseLoader network communication protocol.

Communication between RiseLoader and its command-and-control (C2) server uses several different kinds of messages.

The client sends messages such as SEND_VICTIM_INFO, revealing details about cryptocurrency websites, wallets, and browser extensions; SYS_INFO, providing information about the infected machine; and SEND_ID_NEW_VICTIM, used to identify newly infected systems. 

Certain messages, such as SL_FL_TASKS_EXECUTED and PL_TASKS_EXECUTED, are sent by the client to confirm that a task was executed successfully.

On the server side, responses can include new campaign IDs (CHANGE_ID), encryption keys (SET_XORKEYS), or commands to terminate execution (SEND_SHUTDOWN) or force reporting (FORCE_REPORT_SL_FL). 

A comparison of RiseLoader’s C2 handshake and RisePro’s handshake shows a similar structure. 

According to Zscaler, recent security research suggests a potential link between RiseLoader and PrivateLoader, with both possibly developed by the same threat actor behind RisePro.

While behavioral similarities and dropped malware families point to a connection, RiseLoader’s distinct communication protocol aligns more closely with RisePro. 

Both RiseLoader and RisePro share key characteristics in their network communication, including message structure, initialization, and payload format, which hints at a common origin. RiseLoader is likely still under development and may expand its capabilities to include information theft and evasion techniques.
