Risepro Stealer Malware Campaign's Rising, Plus: the Top C2 Generators to Filter and Block

"Risepro Malware Campaign On The Rise" from HYAS provides an analysis of the active threat campaign and recommended steps to prevent it, and also details the week's most active C2 traffic generators to filter and block.

David Brunsdon, HYAS Threat Intelligence Security Engineer, said: "We saw a surge in activity related to Risepro malware, particularly targeting IP address 147.45.47.93 - its C2 'mother ship.' This signifies a concerning development in the cyber threat landscape, as Risepro, akin to StealC, is a notorious form of stealer malware designed to exfiltrate sensitive information from compromised systems.

Risepro malware communicates with its command-and-control (C2) server located at 147.45.47.93, which indicates an established infrastructure for remote control and data exfiltration. The use of non-standard HTTP ports may enable it to evade detection.

Threat Actor Details:

  • Actor IP: 188.165.204.121 (France)
  • Actor Device User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
  • The actor's location in France indicates potential attribution, although it's important to note that threat actors often utilize proxy servers or compromised systems to obfuscate their true origin.

Who's hunting, and who's targeted? The team used the HYAS Insight threat intelligence and investigation platform to identify the actor's IP and user agent when the malware sought to access its C2 interface, which aids in tracking and potentially attributing the actor behind the campaign, and can also help security teams determine whether their organization is a target.

Assessing Risepro Risks:

  • Data Compromise - Risepro malware is fine-tuned for stealing sensitive data, including credentials, financial information, and personal identifiers. This compromised data can be monetized through various means, including sale on underground forums or exploitation for fraudulent activities.
  • Operational Disruption - The infiltration of Risepro malware into organizational networks can lead to operational disruptions, including system slowdowns, service outages, and loss of critical data - each scenario carries financial and reputational risks.
  • Intellectual Property Theft - Organizations storing proprietary information are of course always at risk of intellectual property theft. Risepro malware is deployed to exfiltrate intellectual property, trade secrets, and other confidential data.

Mitigation Strategies:

Network Monitoring: Implementing robust network monitoring solutions can detect and analyze suspicious network traffic, especially to known malicious IP addresses like 147.45.47.93. It's advisable to use intrusion detection systems (IDS) and intrusion prevention systems (IPS) to identify and block malicious activities associated with Risepro malware.

Endpoint Protection: Deploy advanced endpoint protection solutions capable of detecting and mitigating malware, including fileless and polymorphic variants. As a best practice, conduct regular endpoint security assessments and ensure all systems are as up-to-date as possible with the latest security patches and updates.

Threat Intelligence Sharing: Best practices encourage collaborating with threat intelligence sharing platforms and industry peers to exchange information on emerging threats, including indicators of compromise (IOCs) associated with Risepro malware.

As always, security awareness training for employees on risks associated with phishing attacks, malware infections, and social engineering tactics used by threat actors is essential.

The Risepro malware campaign poses a significant threat to organizations worldwide, with the potential for data theft, operational disruption, and intellectual property loss. By leveraging threat intelligence, implementing robust security measures, and fostering a culture of cybersecurity awareness, organizations can effectively mitigate the risks posed by Risepro malware and safeguard their digital assets against evolving cyber threats. Ongoing monitoring and proactive defense strategies are essential to stay ahead of adversaries in the ever-changing cybersecurity landscape.

Live Malware Detonation: HYAS is offering a first-hand look at malware detonation on April 30th at 10:00am PST / 1:00pm EST. To join the "Cyber Surveillance: Tracking New Malware Threats" demonstration and briefing, register here: https://pages.hyas.com/webinar-cyber-surveillance-tracking-new-malware-threats-registration

The Most Active ASNs Generating C2 - Filter & Block

The top five ASNs actively generating C2 traffic reveal a diverse range of cybersecurity threats, including malware activity, network compromise, and potential criminal control. Effective threat mitigation requires proactive measures, collaboration with industry peers and cybersecurity experts, and continuous monitoring of network infrastructure for signs of malicious activity.

ASN 8968 - BT Italia S.p.A (Albacom)

ASN 8968, operated by BT Italia S.p.A (formerly known as Albacom), is a telecommunications company serving the Italian market. Despite its legitimate business operations, the ASN exhibits a concerning trend of significant malware activity within its network.

Analysis: The global internet area covered by ASN 8968 indicates a broad reach, making it an attractive target for cybercriminals seeking to exploit vulnerabilities in network infrastructure. The presence of malware activity suggests potential security weaknesses within the network, necessitating robust security measures to mitigate risks effectively.

Recommendations:

  • Implement strict security measures, including intrusion detection and prevention systems, to detect and block malicious activity within the network.
  • Conduct regular security audits and penetration testing to identify and remediate vulnerabilities.
  • Collaborate with cybersecurity experts to develop tailored threat mitigation strategies and enhance network security posture.

ASN 9318 - SK Broadband Co Ltd

ASN 9318 is assigned to SK Broadband Co Ltd, a major ISP located in South Korea. The high frequency of malware activity associated with this ASN indicates potential security challenges within its network infrastructure.

Analysis: Malware activity originating from ASN 9318 may indicate compromised systems within the network or serve as a transit point for malicious traffic. Prompt investigation and corrective actions, such as abuse reports to the ISP and network filtering, are necessary to curb the spread of malware and protect network integrity.

Recommendations:

  • Conduct thorough investigation to identify the source of malware activity and remediate compromised systems.
  • Establish proactive monitoring mechanisms to detect and respond to anomalous network behavior.
  • Collaborate with industry peers and cybersecurity experts to share threat intelligence and enhance network defense capabilities.

ASN 215789 - Karina Rashkovska (Ukraine)

ASN 215789 is a small BGP network located in Ukraine, allocated earlier this year and associated with "Karina Rashkovska." Recent observations indicate a significant uptick in Risepro malware activity within its allocated IPs.

Analysis: The surge in Risepro malware activity suggests potential security vulnerabilities or compromises within ASN 215789's network infrastructure. Immediate action is required to investigate and remediate the malware activity to prevent further harm and protect network integrity.

Recommendations:

  • Conduct thorough forensic analysis to identify the root cause of the malware activity and remediate compromised systems.
  • Enhance network security measures, including access controls and traffic filtering, to mitigate future malware threats.
  • Collaborate with law enforcement and cybersecurity experts to investigate the source of malicious activity and take legal action against threat actors.

ASN 216309 - TNSecurity (Germany/Russia)

ASN 216309 is associated with TNSecurity and exhibits an unusually high level of malware activity. abuse.ch warns that it should not be routed or peered with, because it is under the control of cybercriminals. Conflicting reports place its origin in Germany and Russia.

Analysis: The warning from abuse.ch indicates that ASN 216309 is under the control of cybercriminals, posing a significant threat to internet users and organizations. Blocking all IP communications with this ASN is recommended to mitigate the risk of malware infection and data compromise.

Recommendations:

  • Implement strict network filtering rules to block all traffic originating from ASN 216309.
  • Collaborate with internet service providers and cybersecurity organizations to share threat intelligence and coordinate mitigation efforts.
  • Monitor network traffic for any signs of malicious activity and take immediate action to isolate and mitigate threats.
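The two detection recommendations above (alerting on traffic to the Risepro C2 address, including HTTP on non-standard ports, and dropping anything that touches ASN 216309) can be run over connection logs as one check. The following is an added example, not HYAS code: it classifies constructed Zeek-style conn.log records against the indicators named in this article. The ASN prefix table is a placeholder (a TEST-NET range); real prefix data for an ASN must be taken from a BGP or RIR feed.

```python
import ipaddress

# Indicators quoted from the article text above.
KNOWN_C2_IPS = {"147.45.47.93"}
BLOCKED_ASNS = {216309}            # abuse.ch: do not route or peer with it
STANDARD_HTTP_PORTS = {80, 8080}   # plain HTTP to any other port is flagged

# CONSTRUCTED placeholder prefix table: real ASN-to-prefix data must come from
# a BGP/RIR feed. A TEST-NET range stands in for the ASN's actual announcements.
ASN_PREFIXES = {216309: ("203.0.113.0/24",)}
NETWORKS = [(ipaddress.ip_network(p), asn)
            for asn, prefixes in ASN_PREFIXES.items() for p in prefixes]

def asn_for(ip: str):
    """Return the ASN whose (placeholder) prefix contains ip, else None."""
    addr = ipaddress.ip_address(ip)
    return next((asn for net, asn in NETWORKS if addr in net), None)

def parse_conn_line(line: str) -> dict:
    """Parse a constructed, tab-separated subset of Zeek conn.log columns."""
    _ts, uid, orig_h, _orig_p, resp_h, resp_p, _proto, service = line.split("\t")
    return {"uid": uid, "src": orig_h, "dst": resp_h,
            "dport": int(resp_p), "service": service}

def classify(rec: dict) -> list:
    """Return the reasons a record should be alerted on (empty list = clean)."""
    reasons = []
    if rec["dst"] in KNOWN_C2_IPS:
        reasons.append("known-c2-ip")
    if rec["service"] == "http" and rec["dport"] not in STANDARD_HTTP_PORTS:
        reasons.append("http-nonstandard-port")
    for asn in sorted({asn_for(rec["src"]), asn_for(rec["dst"])} & BLOCKED_ASNS):
        reasons.append(f"blocked-asn-{asn}")
    return reasons

def scan(lines) -> dict:
    """Map uid -> reasons for every record that triggered at least one rule."""
    hits = {}
    for rec in map(parse_conn_line, lines):
        if reasons := classify(rec):
            hits[rec["uid"]] = reasons
    return hits

# Constructed sample records (TEST-NET addresses, except the article's C2 IP).
SAMPLE_CONN_LOG = [
    "1713800000.1\tC1\t10.0.0.5\t51234\t147.45.47.93\t9000\ttcp\thttp",
    "1713800001.2\tC2\t10.0.0.7\t51235\t192.0.2.10\t443\ttcp\tssl",
    "1713800002.3\tC3\t203.0.113.9\t40000\t10.0.0.8\t22\ttcp\tssh",
]
```

Running `scan(SAMPLE_CONN_LOG)` flags C1 on both the C2 address and the odd HTTP port, and C3 because its source falls inside the blocked ASN's placeholder prefix; C2 is clean.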

ASN 210352 - AEZA Group LLC (Russia)

ASN 210352 is allocated to AEZA Group LLC, registered in Russia. Malware detonations of gcleaner and redline have primarily targeted specific IPs for C2 communication, indicating a coordinated cyber threat campaign.

Analysis: The use of gcleaner as a loader for redline stealer malware suggests a sophisticated and potentially organized cybercriminal operation. The targeting of specific IPs for C2 communication indicates a deliberate effort to compromise systems and exfiltrate sensitive data.

Recommendations:

  • Conduct thorough analysis of gcleaner and redline malware variants to understand their capabilities and propagation methods.
  • Implement network security measures, including traffic filtering and intrusion detection systems, to detect and block C2 communication attempts.
  • Enhance endpoint security controls to detect and mitigate malware infections on affected systems.

To sign up for the HYAS Insight intel feed, visit https://pages.hyas.com/hyas-insight-intel-feed-registration

Published Monday, April 22, 2024 12:46 PM by David Marshall