Recent RisePro is packed with ENIGMA and shipped from CAB loader
Hello~~, this is morimolymoly!
This time, I will give you some recent updates on RisePro features!
Dropped by CAB loader
This CAB loader has two binaries.
This loader first executes 3Eb73mM.exe.
Funny AutoIT program
3Eb73mM.exe is an AutoIT program.
You can extract script from this binary with Autoit-Ripper.
It opens Google, Facebook, YouTube… What the hell are you doing?
Next one is 5up4SW7.exe!
Here, as you can see, this binary is protected by ENIGMA!
In the process tree, you can see RisePro was executed and established persistence with a scheduled task!
YARA also indicated this is RisePro.
This time, I don’t unpack ENIGMA, because this article focuses on the interesting points of this attack chain.
Funny Feature of new rising RisePro
The same ENIGMA-protected binary (same hash) was dropped under several names!
- MaxLoonaFest131.exe
- FANBooster131.exe
- OfficeTrackerNMP131.exe
They are all RisePro, and all of them are packed by ENIGMA.
I have looked at tons of detonations, and they indicate that recent RisePro has the same indicators.
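As an added triage example (not code from the original post), this groups dropped files by SHA-256 to surface one binary appearing under several names, the pattern described above, and attaches a byte-entropy score as a generic packed-binary heuristic. The file contents are constructed stand-ins, and entropy is a general packer hint, not an ENIGMA signature.

```python
import hashlib
import math
from collections import defaultdict

# Constructed sample: stand-ins for files dropped during a detonation.
# The three RisePro filenames from the post share identical bytes (same hash);
# the fourth is an unrelated, low-entropy file for contrast.
_PACKED = bytes((i * 73 + 17) % 256 for i in range(4096))  # every byte value appears equally often
DROPPED_FILES = {
    "MaxLoonaFest131.exe": _PACKED,
    "FANBooster131.exe": _PACKED,
    "OfficeTrackerNMP131.exe": _PACKED,
    "readme.txt": b"plain text file " * 256,  # constructed benign contrast
}


def shannon_entropy(data: bytes) -> float:
    """Bits per byte, from 0.0 (constant) to 8.0 (uniform); high values hint at packing or encryption."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def group_by_hash(files: dict) -> dict:
    """Map sha256 hex digest -> list of filenames that carry those exact bytes."""
    groups = defaultdict(list)
    for name, data in files.items():
        groups[hashlib.sha256(data).hexdigest()].append(name)
    return groups


def find_aliases(files: dict, entropy_threshold: float = 7.0) -> dict:
    """Report hashes seen under more than one filename, with an entropy-based packed flag."""
    report = {}
    for digest, names in group_by_hash(files).items():
        if len(names) < 2:
            continue
        ent = shannon_entropy(files[names[0]])
        report[digest] = {
            "names": sorted(names),
            "entropy": round(ent, 2),
            "likely_packed": ent >= entropy_threshold,
        }
    return report


if __name__ == "__main__":
    for digest, info in find_aliases(DROPPED_FILES).items():
        print(digest[:16], info)
```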
Conclusion
- A CAB loader is used, and it connects to YouTube, Facebook, and Google
- Recent RisePro is packed by ENIGMA
- RisePro copies itself, and the copies are also packed by ENIGMA (FANBooster131.exe, MaxLoonaFest131.exe, OfficeTrackerNMP131.exe)