{"id":6274,"date":"2023-11-28T08:08:08","date_gmt":"2023-11-28T08:08:08","guid":{"rendered":"\/cybersecurity-blog\/?p=6274"},"modified":"2025-07-17T08:27:24","modified_gmt":"2025-07-17T08:27:24","slug":"risepro-malware-communication-analysis","status":"publish","type":"post","link":"https:\/\/any.run\/cybersecurity-blog\/risepro-malware-communication-analysis\/","title":{"rendered":"RisePro Malware Analysis: Exploring C2 Communication of a New\u00a0Version"},"content":{"rendered":"\n

RisePro is a malware-as-a-service info-stealer, first identified in 2022. Recently, we’ve detected a spike in it’s activity and decided to conduct an investigation, which led to interesting findings. <\/p>\n\n\n\n

RisePro is a well-documented malware, but we quickly realized that the network traffic patterns of our samples did not match the existing literature. It seemed like we had a new version on our hands. <\/p>\n\n\n\n

Further analysis revealed that RisePro changed the way it communicates with C2 and that it has gained new capabilities \u2014 in particular, remote-control functions, making it capable of operating as a RAT. <\/p>\n\n\n\n

This article will focus on this malware’s new network communication patterns, but first, a quick refresher about what RisePro malware is. <\/p>\n\n\n\n

What is RisePro malware?<\/h2>\n\n\n\n

RisePro, an information-stealing malware, was first detected by cybersecurity firms Flashpoint and Sekoia. It is distributed through fake cracks sites operated by the PrivateLoader pay-per-install (PPI) malware distribution service. It is designed to steal credit cards, passwords, and crypto wallets from infected devices. <\/p>\n\n\n\n

RisePro is potentially based on the Vidar password-stealing malware and it employs a system of embedded DLL dependencies. RisePro’s modus operandi includes fingerprinting the compromised system, writing stolen data to a text file, taking screenshots, and then bundling and sending this data to the attacker’s server. <\/p>\n\n\n\n

The PrivateLoader service, which distributes RisePro, is known for disguising malware as software cracks, key generators, and game modifications. It was first spotted by Intel471 in February 2022. Sekoia’s findings indicate<\/a> that RisePro shares significant code overlaps with PrivateLoader, suggesting a deeper connection between the two. <\/p>\n\n\n\n

Like we said earlier, our analysis focuses on the recent changes in RisePro’s C2 communication and network traffic patterns of its latest version, which differ drastically from previous iterations. <\/p>\n\n\n\n

Traffic analysis of the new RisePro malware sample <\/h2>\n\n\n\n

There\u2019s a big change to highlight right of the bat. Our sample uses custom protocol over TCP for communication. <\/strong> This indicates a complete overhaul of the communication method, which previously transmitted instructions over HTTP. <\/p>\n\n\n\n

Let\u2019s start our deep dive into this variant\u2019s communication patterns. Here\u2019s a screenshot of a network packet from ANY.RUN online malware sandbox,<\/a> which was the starting point of our investigation:<\/p>\n\n\n\n

 <\/p>\n\n\n

\n
\"\"
Comparing encrypted (left) and decrypted (right) packet content<\/figcaption><\/figure><\/div>\n\n\n

Upon examining the packet bytes (right column), it’s evident that the traffic is encrypted, making it indecipherable. The first task, then, was to decrypt it. <\/p>\n\n\n\n

Sekoia researchers have already cracked<\/a> this encryption, so, to start, we decided to try and apply their decryption algorithm. Surprisingly, it successfully decrypted the data. This means the same encryption is still used. <\/p>\n\n\n\n

The encryption algorithm is a basic substitution cipher followed by XOR with key 0x36. By Testing it with different ports we were able to find multiple keys. For example, the key for port 50500 is 0x36, and for port 50505 it is 0x79. Interestingly, opcodes take on different meanings depending on the port. In this article we will provide examples for port 50500. <\/p>\n\n\n\n

Diving deeper in the packet analysis <\/h2>\n\n\n\n

But let’s get back to the traffic analysis. Since we decrypted the TCP stream, we can begin to understand the structure of each packet.<\/p>\n\n\n

\n
\"\"
Each packet has 3 blocks that follow a set pattern<\/figcaption><\/figure><\/div>\n\n\n

In the image above, we see several packets (the first being the initialization packet). Three distinct blocks are noticeable, following a clear pattern. We can represent this structure as follows: <\/p>\n\n\n

\n
\"\"
Packet structure<\/figcaption><\/figure><\/div>\n\n\n
    \n
  • The first 4 bytes, labeled as magic<\/strong>, are always repeated and determine the beginning of the packet. <\/li>\n\n\n\n
  • The next 4 bytes define the length of the data attached to the packet, labeled as payload_len<\/strong>. <\/li>\n\n\n\n
  • And, as you can see from the screen above, immediately following is packet_type<\/strong>. <\/li>\n<\/ul>\n\n\n\n

    During the analysis, we discovered the following packet_types, <\/strong>which represent various opcodes: <\/p>\n\n\n\n

    \n \n\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n
    \n Packet type\u00a0 <\/th>\n \n Value\u00a0 <\/th>\n \n Payload\u00a0 <\/th>\n \n Description\u00a0 <\/th>\n <\/tr>\n
    \n SERVER_PING\u00a0 <\/td>\n \n 0x2710\u00a0 <\/td>\n \n (OPTIONAL) text string\u00a0 <\/td>\n \n Default response, \u00a0Keep-Alive (heartbeat)\u00a0 <\/td>\n <\/tr>\n
    \n CLIENT_PING\u00a0 <\/td>\n \n 0x2711\u00a0 <\/td>\n \n \u00a0 <\/td>\n \n Keep-Alive (heartbeat)\u00a0 <\/td>\n <\/tr>\n
    \n SERVER_INIT\u00a0 <\/td>\n \n 0x2712\u00a0 <\/td>\n \n 24 bytes string \u00a0 <\/td>\n \n Server Hello \u00a0 <\/td>\n <\/tr>\n
    \n SET_TIMEOUT\u00a0 <\/td>\n \n 0x2713\u00a0 <\/td>\n \n Number string\u00a0 <\/td>\n \n Server\/client timeout for action (e.g. upload)\u00a0 <\/td>\n <\/tr>\n
    \n CLIENT_REQUEST_FILE\u00a0 <\/td>\n \n 0x2714\u00a0 <\/td>\n \n File name (string)\u00a0 <\/td>\n \n Request file from server <\/td>\n <\/tr>\n
    \n SERVER_SEND_FILE\u00a0 <\/td>\n \n 0x2715\u00a0 <\/td>\n \n File name, compressed file (zlib)\u00a0 <\/td>\n \n Used by server to send additional libraries\u00a0 <\/td>\n <\/tr>\n
    \n CLIENT_CONFIRM_IP\u00a0 <\/td>\n \n 0x2716\u00a0 <\/td>\n \n Response string\u00a0 <\/td>\n \n IP receive confirmation\u00a0 <\/td>\n <\/tr>\n
    \n SERVER_SEND_MARKS\u00a0 <\/td>\n \n 0x2717\u00a0 <\/td>\n \n JSON string\u00a0 <\/td>\n \n List of marks configs\u00a0 <\/td>\n <\/tr>\n
    \n CLIENT_CONFIRM_MARKS\u00a0 <\/td>\n \n 0x2718\u00a0 <\/td>\n \n Response string\u00a0 <\/td>\n \n Marks receive confirmation\u00a0 <\/td>\n <\/tr>\n
    \n SERVER_SEND_GRAB_CONFIG\u00a0 <\/td>\n \n 0x2719\u00a0 <\/td>\n \n JSON string\u00a0 <\/td>\n \n Settings and grabbers\u00a0 <\/td>\n <\/tr>\n
    \n CLIENT_CONFIRM_GRAB_CONFIG\u00a0 <\/td>\n \n 0x271A\u00a0 <\/td>\n \n Response string\u00a0 <\/td>\n \n Settings receive confirmation\u00a0 <\/td>\n <\/tr>\n
    \n SERVER_SEND_LOADER_CONFIG\u00a0 <\/td>\n \n 0x271B\u00a0 <\/td>\n \n JSON string\u00a0 <\/td>\n \n List of loader configs, includes urls and execution conditions\u00a0 <\/td>\n <\/tr>\n
    \n CLIENT_CONFIRM_LOADER_CONFIG\u00a0 <\/td>\n \n 0x271C\u00a0 <\/td>\n \n Response string\u00a0 <\/td>\n \n Loader configs receive confirmation\u00a0 <\/td>\n <\/tr>\n
    \n SERVER_SET_FILE_FILTER\u00a0 <\/td>\n \n 0x271D\u00a0 <\/td>\n \n JSON string\u00a0 <\/td>\n \n List of file filtration rules\u00a0 <\/td>\n <\/tr>\n
    \n CLIENT_CONFIRM_LOADER_EXECUTION\u00a0 <\/td>\n \n 0x271E\u00a0 <\/td>\n \n Name from loader config\u00a0 <\/td>\n \n Confirmation of execution load target from particular config\u00a0 <\/td>\n <\/tr>\n
    \n CLIENT_SEND_FILE\u00a0 <\/td>\n \n 0x271F\u00a0 <\/td>\n \n File name, response string, build id, compressed file (zip)\u00a0 <\/td>\n \n Exfiltrated files in archive with name representing geolocation and IP address\u00a0 <\/td>\n <\/tr>\n
    \n CLIENT_INIT\u00a0 <\/td>\n \n 0x2720\u00a0 <\/td>\n \n (OPTIONAL) text string\u00a0 <\/td>\n \n Client Hello, optional authentication in format \u201c{HWID}|{response string}\u201d\u00a0 <\/td>\n <\/tr>\n
    \n SERVER_SEND_IP\u00a0 <\/td>\n \n 0x2721\u00a0 <\/td>\n \n IP string\u00a0 <\/td>\n \n Used by server to send client\u2019s public IP\u00a0 <\/td>\n <\/tr>\n
    \n CLIENT_SEND_UNKNOWN\u00a0 <\/td>\n \n 0x2722\u00a0 <\/td>\n \n \u00a0 <\/td>\n \n Mentioned in code, not used\u00a0 <\/td>\n <\/tr>\n
    \n SERVER_SEND_UNKNOWN\u00a0 <\/td>\n \n 0x2723\u00a0 <\/td>\n \n \u00a0 <\/td>\n \n Mentioned in code, not used\u00a0\u00a0 <\/td>\n <\/tr>\n
    \n SERVER_SEND_HWID\u00a0 <\/td>\n \n 0x2724\u00a0 <\/td>\n \n HWID string\u00a0 <\/td>\n \n Used by server to send HWID as step of HVNC maintenance\u00a0 <\/td>\n <\/tr>\n
    \n SERVER_SEND_FORCE_QUIT\u00a0 <\/td>\n \n 0x272B\u00a0 <\/td>\n \n \u00a0 <\/td>\n \n Force client to call ExitProcess(0)\u00a0 <\/td>\n <\/tr>\n <\/table>\n<\/div>