Printer Company Procolored Served Infected Software for Months

Posted on May 19, 2025 By CWS

For half a year, the website of printer company Procolored served software downloads that contained malware, cybersecurity firm GData reports.

After being tipped off by a tech writer that the USB drive containing the system’s software was infected with malware, GData analyzed the software downloads available through the company’s website, only to discover that they were infected as well.

The tech writer, Cameron Coward, had notified the printer company of the issue, only to be told that the malware detection was probably a false positive and that there was nothing wrong with the flash drive.

GData, however, discovered that 39 software downloads, hosted on mega.nz and last updated in October 2024, had been infected with two malware families, namely an information stealer and a backdoor.

The backdoor, dubbed XRed, is written in Delphi and has worm-like behavior. The sample found in Procolored’s downloads can log keystrokes, download additional payloads, take screenshots, tamper with files, and provide a shell if requested.

The stealer, named CoinStealer, targets cryptocurrency wallets but can also replace cryptocurrency addresses in the clipboard with an attacker’s address, to divert funds to the attacker during transfers.

However, GData discovered that the stealer is also a virus that targets executable files, prepending itself to them, and then moves the infected files to the host’s original location.

According to the cybersecurity firm, XRed bundles the virus, dubbed SnipVex, which leads to a “superinfection”, as the target system ends up hosting multiple self-replicating malware families.

“The virus infection also explains why a total of 39 files in the downloads section of Procolored were infected. SnipVex probably replicated itself on a developer’s system or the build servers,” GData explains.

A look at the cryptocurrency address the stealer would replace a victim’s address with in the clipboard shows that it received over 9 Bitcoin (valued at more than $900,000).

Although it initially denied a possible malware infection, Procolored removed the software downloads from its website, saying it was investigating them and that it would repost them if found clean.

The company told GData that the software hosted on its website was initially transferred using a flash drive, and that the virus could have been introduced during the process.

SecurityWeek has contacted Procolored for a statement on the matter and will update this article if a reply arrives.
