.png)
Procolored, a Chinese printer manufacturer, has been sending
infecting its customers with backdoors, infostealers, and cryptocurrency
stealers - for six months. This information comes from cybersecurity
researchers at G Data, who were alerted to the supply chain attack by a
technical author and content creator, Cameron Coward.
Apparently, Coward wanted to review one of Procolored’s
printers. After attempting to install the accompanying software from a USB
stick, he was alerted to the presence of the Floxif worm. He reached out to the
company who dismissed the warning as a false positive. Unsatisfied with this
response, Coward turned to Reddit, where his thread was picked up by G Data‘s
cyber security researchers.
G Data, however, discovered that 39 software downloads, hosted on mega.nz and last updated in October 2024, had been infected with two malware families, namely an information stealer and a backdoor.
1.Win32.Backdoor.XRedRAT.A
2.MSIL.Trojan-Stealer.CoinStealer.H
The backdoor, dubbed XRed, is written in Delphi and has
worm-like behavior. The sample found in Procolored’s downloads could log
keystrokes, download additional payloads, take screenshots, tamper with files,
and provide a shell if requested.
The stealer, named CoinStealer, targets cryptocurrency
wallets but can also replace cryptocurrency addresses in the clipboard with an
attacker’s address, to divert funds to the attacker during transfers.
The researchers also identified six of the firm's product lines infected with malware: F8, F13, F13 Pro, V6, V11 Pro, and VF13 Pro.
.png)