Researchers have uncovered a cryptocurrency-targeting infostealer hiding in the cracks of pirated software, so while you may save a few dollars up front, you may lose a lot more in the long run.

RisePro is new information-stealing malware discovered by two different cybersecurity companies, Flashpoint and Sekoia.

RisePro uses the PrivateLoader pay-per-install (PPI) malware distribution service to infect endpoints, and it spreads via websites that host pirated software, cracks, loaders, and other illegal content.

Info theft involving cryptocurrency accounts

Researchers found many similarities between RisePro and PrivateLoader, leading them to the conclusion that RisePro is the malware distribution platform’s new infostealer. They also found that it relies on the same system of embedded DLL dependencies as Vidar, suggesting that the two were based on each other.

Google Chrome, Mozilla Firefox, Authenticator, MetaMask, and Coinbase are just some of the browsers and extensions that RisePro searches for information from (and 26 other browser extensions). As an added bonus, it can scan filesystem folders for valuable data, such as holding credit card information, and steals data from services like Discord, Battle.net, and Authy Desktop.

On Russian dark web markets, criminals are reportedly already selling RisePro logs containing sensitive, personally identifiable data, as reported by Flashpoint. Interacting with the threat actors’ Telegram bot allows those interested in purchasing the logs or the tool to do so.

PrivateLoader, according to the researchers, is a pay-per-install malware distribution service that typically masquerades as a software crack or keygen. RedLine Stealer and Raccoon are both widely used by cybercriminals, but until now PrivateLoader only distributed these two.

Protecting yourself from such dangers is easiest if you never download any illegal content and only use software from trusted, official sources. A reliable anti-virus programme is also recommended.