Malware through drivers. Don't trust Chinese products.
<https://www.bleepingcomputer.com/news/security/printer-maker-procolored-offered-malware-laced-drivers-for-months/>
For at least half a year, the official software supplied with Procolored printers included malware in the form of a remote access trojan and a cryptocurrency stealer.
Procolored is a digital printing solutions provider making
Direct-to-Film (DTF), UV DTF, UV, and Direct-to-Garment (DTG) printers.
It is particularly known for affordable and efficient fabric printing solutions.
The Shenzhen-based company has grown quickly since it started in 2018,
and is now selling its products in over 31 countries, with a significant operational presence in the United States.
Cameron Coward, a YouTuber known as Serial Hobbyism, discovered the
malware when his security solution warned of the presence of the Floxif
USB worm on his computer when installing the companion software and
drivers for a $7,000 Procolored UV printer.
According to an analysis conducted by researchers at cybersecurity company G Data, Procolored's official software packages delivered the malware for at
least six months.
Discovering RATs and coin stealers
After getting the threat alerts on his machine, Coward contacted
Procolored, who denied shipping malware in their software, pointing to
the security solution generating false positives.
"If I try to download the files from their website or unzip the files on
the USB drive they gave me, my computer immediately quarantines them,"
the YouTuber said.
Perplexed by the situation, the YouTuber turned to Reddit for help with
malware analysis before he could confidently make allegations in his
review of the Procolored V11 Pro product.
G Data researcher Karsten Hahn offered to investigate, finding that at
least six printer models (F8, F13, F13 Pro, V6, V11 Pro, and VF13 Pro)
had accompanying software hosted on the Mega file sharing platform that contained malware.
Procolored uses the Mega service to host the software resources for its printers, and offers a direct link to them from the support section of
the official website.
The analyst found 39 files infected with:
XRedRAT – Known malware previously analyzed by eSentire. Its
capabilities include keylogging, screenshot capturing, remote shell
access, and file manipulation. Hardcoded C2 URLs matched older samples.
SnipVex – A previously undocumented clipper malware that infects .EXE
files, attaches to them, and replaces clipboard BTC addresses. Detected
in multiple download files. Likely infected Procolored developer systems
or build machines.
Since the files were last updated in October 2024, it can be assumed
that the malware was shipped with Procolored software for at least six
months.
Hahn says the address SnipVex uses to offload stolen cryptocurrency has received about 9.308 BTC, which is worth nearly $1 million at today's
exchange rate.
Despite Procolored’s initial denial, the software packages were taken
down on May 8 and an internal investigation was launched.
When G Data asked the printer vendor for an explanation, Procolored
admitted that they had uploaded the files to Mega.nz using a USB drive
that could have been infected by Floxif.
“As a precaution, all software has been temporarily removed from the Procolored official website,” explained Procolored to G Data.
“We are conducting a comprehensive malware scan of every file. Only
after passing stringent virus and security checks will the software be re-uploaded.”
G Data received the clean software packages and confirmed they’re safe
to use.
Procolored customers are recommended to replace the old software with
the new versions and to perform a system scan to remove XRedRAT and SnipVex.
Given that SnipVex performs binary alterations, a deeper cleaning of the
system is recommended to ensure all files are clean.
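As an added, defender-side example that is not from the article, G Data or Procolored: a Python check for the two things the cleanup advice above implies, verifying a downloaded package against a vendor-published hash manifest and flagging executables that carry data appended after the last PE section, the footprint an appending file infector leaves. The manifest, file names and the minimal PE builder are constructed for the example; a non-zero overlay alone is only a cue (legitimate installers use overlays too), so the hash comparison is what decides.

```python
import hashlib
import struct


def section_end(pe: bytes) -> int:
    """File offset where the last PE section's raw data ends."""
    if pe[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4                       # IMAGE_FILE_HEADER starts here
    num_sections = struct.unpack_from("<H", pe, coff + 2)[0]
    opt_size = struct.unpack_from("<H", pe, coff + 16)[0]
    sect = coff + 20 + opt_size                # first IMAGE_SECTION_HEADER
    end = 0
    for i in range(num_sections):
        # SizeOfRawData and PointerToRawData sit at +16 in each 40-byte header
        raw_size, raw_ptr = struct.unpack_from("<II", pe, sect + i * 40 + 16)
        end = max(end, raw_ptr + raw_size)
    return end


def overlay_size(pe: bytes) -> int:
    """Bytes trailing the last section; appended infectors show up here."""
    return max(0, len(pe) - section_end(pe))


def verify_package(files: dict, manifest: dict) -> list:
    """Names of files whose SHA-256 differs from the vendor manifest."""
    return [name for name, data in files.items()
            if hashlib.sha256(data).hexdigest() != manifest.get(name)]


def build_min_pe(section_bytes: bytes) -> bytes:
    """Constructed, non-runnable PE-shaped buffer used as test input (hypothetical)."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 64)          # e_lfanew = 64
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0, 0x102)  # one section, no optional header
    hdr_len = 64 + 4 + 20 + 40
    section = b".text\0\0\0" + struct.pack("<IIII", len(section_bytes), 0x1000,
                                           len(section_bytes), hdr_len) + b"\0" * 16
    return dos + b"PE\0\0" + coff + section + section_bytes


if __name__ == "__main__":
    clean = build_min_pe(b"\x90" * 64)
    manifest = {"driver.exe": hashlib.sha256(clean).hexdigest()}  # constructed
    tampered = clean + b"APPENDED-STUB"                          # constructed marker
    print(overlay_size(tampered), verify_package({"driver.exe": tampered}, manifest))
```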
BleepingComputer has contacted Procolored for a comment on the situation
and whether they informed their customers of the risk but we have yet to receive a response.
--
God be with you,
CrudeSausage
KDE, EndeavourOS & LibreOffice supporter
John 14:6