For half a year, the website of printer company Procolored served software downloads that contained malware, cybersecurity firm GData reports.
After being tipped off by a tech writer that the USB drive containing the device’s software was infected with malware, GData analyzed the software downloads available through the company’s website, only to discover that they were infected as well.
The tech writer, Cameron Coward, had notified the printer firm of the issue, only to be told that the malware detection was likely a false positive and that there was nothing wrong with the flash drive.
GData, however, discovered that 39 software downloads, hosted on mega.nz and last updated in October 2024, had been infected with two malware families, namely an information stealer and a backdoor.
The backdoor, dubbed XRed, is written in Delphi and has worm-like behavior. The sample found in Procolored’s downloads could log keystrokes, download additional payloads, take screenshots, tamper with files, and provide a shell if requested.
The stealer, named CoinStealer, targets cryptocurrency wallets but can also replace cryptocurrency addresses in the clipboard with an attacker’s address, to divert funds to the attacker during transfers.
However, GData discovered that the stealer is also a virus that targets executable files, prepending itself to them, and then moves the infected files to the host’s original location.
According to the cybersecurity firm, XRed bundles the virus, dubbed SnipVex, which leads to a “superinfection”, as the target system ends up hosting multiple self-replicating malware families.
“The virus infection also explains why a total of 39 files in the downloads section of Procolored were infected. SnipVex likely replicated itself on a developer’s system or the build servers,” GData explains.
A look at the cryptocurrency address the stealer would replace a victim’s address with in the clipboard reveals that it received over 9 Bitcoin (valued at more than $900,000).
Although it initially denied a possible malware infection, Procolored removed the software downloads from its website, saying it was investigating them and that it would repost them if found clean.
The company told GData that the software hosted on its website was initially transferred using a flash drive, and that the virus could have been introduced during the process.
SecurityWeek has contacted Procolored for a statement on the matter and will update this article if a reply arrives.
Related: Infostealer Infections Lead to Telefonica Ticketing System Breach
Related: Snowflake Attacks: Mandiant Links Data Breaches to Infostealer Infections
Related: Police Warn Hundreds of Online Merchants of Skimmer Infections
Related: NSA Issues Guidance on Mitigating BlackLotus Bootkit Infections
