Printer Company Served Customers Compromised Software For Months

According to a recent report published by cybersecurity firm GData, printer manufacturer Procolored inadvertently distributed malware-infected software through its official website for approximately six months. The compromised software downloads, hosted on Mega.nz and last updated in October 2024, included 39 files carrying two distinct malware strains: CoinStealer and XRed.


CoinStealer targets cryptocurrency wallets by replacing wallet addresses copied to the clipboard with the attacker's own, redirecting funds to attacker-controlled wallets. It also propagates as a file infector: it prepends itself to other executable files on the system, so every infected program becomes a fresh carrier of the malware.

XRed, on the other hand, is a Delphi-based backdoor with worm-like behavior. Its capabilities include keylogging, downloading additional malicious payloads, capturing screenshots, modifying files, and providing remote shell access.

XRed holds one more surprise: the backdoor is capable of dropping a virus named SnipVex, resulting in a "superinfection," a scenario in which multiple self-replicating malware families coexist on the same infected system.

The issue came to light when tech writer Cameron Coward found malware on a USB drive containing Procolored's device software. When he reported this to the company, Procolored told him the detection was likely a false positive.

Unconvinced by that explanation, he sought a second opinion from a cybersecurity professional. Karsten Hahn at GData took up the case, and his subsequent analysis confirmed that the software downloads on Procolored's website were indeed infected.

Several other security firms have published thorough analyses of CoinStealer and XRed. Using XRed as a dropper for SnipVex, however, is particularly novel. The sample, detected as MSIL.Trojan-Stealer.CoinStealer.H and dubbed SnipVex, is a deceptively simple yet effective threat.

At its core, it is a .NET-based clipbanker: a lightweight program of just eight lines of code that monitors the clipboard for Bitcoin addresses and replaces them with the attacker's address in order to steal cryptocurrency.

Clipbanker malware is generally classified as a spyware trojan and information stealer designed primarily to monitor clipboard data, especially cryptocurrency addresses and banking details. Some variants also track browsing history, emails, and social media activity. Threat actors use it to replace copied crypto addresses with their own and so divert funds.

Over time, the family has evolved to evade detection by disabling security software, using obfuscated code, and employing persistence techniques to maintain access to infected systems.
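
As an added example, not code from the original article, from GData, or from the SnipVex sample, the following Python models the core of a Bitcoin clipbanker and shows why validating the Base58Check checksum matters: a bare regex matches any Base58-looking string, so a careful thief filters candidates before swapping them. The victim and attacker addresses are constructed inside the script (hypothetical, not the campaign's wallet), and only legacy addresses starting with 1 or 3 are handled; bech32 "bc1" addresses are out of scope here.

```python
import hashlib
import re

# Example code added for this article, not from GData's report or the
# SnipVex sample. It models what a Bitcoin clipbanker does on every
# clipboard change and shows why a checksum test matters: a bare regex
# also matches random Base58 strings, so a careful thief validates first.

ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"


def b58encode(data: bytes) -> str:
    """Base58 encode; each leading zero byte becomes a leading '1'."""
    n = int.from_bytes(data, "big")
    out = ""
    while n:
        n, r = divmod(n, 58)
        out = ALPHABET[r] + out
    pad = len(data) - len(data.lstrip(b"\x00"))
    return "1" * pad + out


def b58decode(s: str) -> bytes:
    """Inverse of b58encode; raises ValueError on a non-Base58 character."""
    n = 0
    for ch in s:
        n = n * 58 + ALPHABET.index(ch)
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big") if n else b""
    pad = len(s) - len(s.lstrip("1"))
    return b"\x00" * pad + raw


def base58check(version: int, payload: bytes) -> str:
    """Build a legacy address: version || payload || first 4 bytes of double-SHA256."""
    body = bytes([version]) + payload
    chk = hashlib.sha256(hashlib.sha256(body).digest()).digest()[:4]
    return b58encode(body + chk)


def is_valid_legacy_address(addr: str) -> bool:
    """True only for a 25-byte Base58Check string with a mainnet version byte."""
    try:
        raw = b58decode(addr)
    except ValueError:
        return False
    if len(raw) != 25 or raw[0] not in (0x00, 0x05):  # P2PKH or P2SH
        return False
    body, chk = raw[:21], raw[21:]
    return hashlib.sha256(hashlib.sha256(body).digest()).digest()[:4] == chk


# Candidate Base58 strings of legacy-address length starting with 1 or 3.
LEGACY_ADDRESS_RE = re.compile(r"\b[13][1-9A-HJ-NP-Za-km-z]{25,34}\b")


def find_btc_addresses(text: str) -> list:
    """Regex hits that also pass Base58Check; random look-alikes are dropped."""
    return [m.group(0) for m in LEGACY_ADDRESS_RE.finditer(text)
            if is_valid_legacy_address(m.group(0))]


def clipbank(clipboard_text: str, attacker_addr: str) -> str:
    """The clipbanker's core: rewrite every valid address to the attacker's."""
    out = clipboard_text
    for addr in find_btc_addresses(clipboard_text):
        out = out.replace(addr, attacker_addr)
    return out


# Constructed addresses for the demo (hypothetical, not the campaign wallet).
# Real wallets derive the 20-byte payload from RIPEMD160(SHA256(pubkey));
# a truncated SHA256 is used here so the script runs anywhere offline.
VICTIM_ADDRESS = base58check(0x00, hashlib.sha256(b"victim").digest()[:20])      # starts with '1'
ATTACKER_ADDRESS = base58check(0x05, hashlib.sha256(b"attacker").digest()[:20])  # starts with '3'


if __name__ == "__main__":
    copied = f"pay invoice 4711 to {VICTIM_ADDRESS}"
    pasted = clipbank(copied, ATTACKER_ADDRESS)
    print("copied:", copied)
    print("pasted:", pasted)
    # The only user-side defense against this class: compare what you copied
    # with what actually landed in the payment form before sending.
    print("tampered:", copied != pasted)
```

Run it and the "pasted" line carries the attacker's address in place of the victim's, which is exactly what the user sees in the payment form; nothing about the swapped address looks wrong, because it is a perfectly valid address. The practical check is the last line: compare the address you copied against the one in the form before confirming the transaction.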

What makes SnipVex novel is that it also functions as a self-replicating file infector that targets .exe files. This prepending malware, which simply means it adds itself to the beginning of executables, relies on several mechanisms:

  • Infection marker: Uses a specific byte sequence to prevent re-infecting the same file.
  • Selective infection: Skips files in the %TEMP% and %APPDATA% directories and files whose names start with a dot.
  • Infection method: Temporarily copies and modifies executables in %TEMP%, injects itself along with the original icon, and rebuilds the infected file.
  • Monitoring behavior: Watches all logical drives for changes to .exe files to find new targets.
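
The four mechanisms above, modelled as an added example in Python that is neither the SnipVex sample nor GData's tooling: tiny synthetic "PE" files stand in for real executables, the infection marker is a hypothetical byte sequence, and the analyst-side functions show the triage check that exposes a prepended infection (two MZ/PE header pairs, the stub's at offset 0) and carves the original program back out.

```python
from pathlib import PureWindowsPath
from typing import List, Optional

# Example code added for this article; it is neither the SnipVex sample nor
# GData's tooling. It models a prepending .exe infector with the behaviours
# listed in the article, using tiny synthetic "PE" files so it runs offline,
# and shows the triage check an analyst applies to a suspect binary: a clean
# executable has one MZ/PE header pair, a prepended infection has the virus
# stub's pair at offset 0 and the victim's pair further in.

# Hypothetical infection marker; the real SnipVex byte sequence is not used here.
MARKER = b"\x0a\x0b\x0c\x0d\x0e\x0f"


def make_fake_pe(body: bytes) -> bytes:
    """Minimal stand-in for a PE file: a 64-byte DOS header whose e_lfanew
    (offset 0x3C) points at the 'PE\\0\\0' signature that precedes the body."""
    hdr = bytearray(64)
    hdr[0:2] = b"MZ"
    hdr[0x3C:0x40] = (0x40).to_bytes(4, "little")
    return bytes(hdr) + b"PE\0\0" + body


def should_infect(path: str, env: dict) -> bool:
    """Target selection as described: .exe only, skip dot-files and anything
    under %TEMP% or %APPDATA% (paths compared case-insensitively)."""
    p = PureWindowsPath(path)
    if p.suffix.lower() != ".exe" or p.name.startswith("."):
        return False
    for var in ("TEMP", "APPDATA"):
        base = env.get(var)
        if base and str(p).lower().startswith(base.lower().rstrip("\\") + "\\"):
            return False
    return True


def infect(stub: bytes, host: bytes) -> bytes:
    """Prepend the virus stub; the marker stops a later pass from re-infecting.
    (A real prepender also copies the host's icon onto the stub; omitted here.)"""
    if MARKER in host:
        return host
    return stub + MARKER + host


def find_pe_headers(data: bytes) -> List[int]:
    """Offsets of every MZ header whose e_lfanew lands on a 'PE\\0\\0' signature."""
    found = []
    pos = data.find(b"MZ")
    while pos != -1:
        if pos + 0x40 <= len(data):
            e_lfanew = int.from_bytes(data[pos + 0x3C:pos + 0x40], "little")
            sig = pos + e_lfanew
            # A genuine e_lfanew is small; the bound avoids chasing random bytes.
            if 0x40 <= e_lfanew < 0x1000 and data[sig:sig + 4] == b"PE\0\0":
                found.append(pos)
        pos = data.find(b"MZ", pos + 1)
    return found


def is_prepended_infection(data: bytes) -> bool:
    """True when a second complete PE image follows the one at offset 0."""
    hdrs = find_pe_headers(data)
    return len(hdrs) >= 2 and hdrs[0] == 0


def carve_original(data: bytes) -> Optional[bytes]:
    """Recover the host: for a prepender it is everything from the last PE header on."""
    hdrs = find_pe_headers(data)
    if len(hdrs) < 2 or hdrs[0] != 0:
        return None
    return data[hdrs[-1]:]


if __name__ == "__main__":
    env = {"TEMP": r"C:\Users\dev\AppData\Local\Temp",
           "APPDATA": r"C:\Users\dev\AppData\Roaming"}
    host = make_fake_pe(b"original printer utility")   # constructed sample
    stub = make_fake_pe(b"virus stub")                  # constructed sample
    infected = infect(stub, host)
    print("targets C:\\Tools\\PrintEXP.exe:", should_infect(r"C:\Tools\PrintEXP.exe", env))
    print("headers in clean file:", find_pe_headers(host))
    print("headers in infected file:", find_pe_headers(infected))
    print("infected:", is_prepended_infection(infected))
    print("carved host matches:", carve_original(infected) == host)
```

Two caveats for real use. Installers and self-extracting archives also embed whole PE images, so a second header pair is a lead rather than a verdict; confirm by hashing the leading image against the known stub before disinfecting. And this recovery only works for prependers: appending or cavity infectors leave the host's own header at offset 0 and need a different approach.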

This infection mechanism is how 39 infected files came to be distributed through Procolored's official site, most likely after a developer workstation or build server was compromised by threat actors.

Additionally, this layered infection, in which the SnipVex virus was embedded in files already bundled with other malware such as XRed, produced what is known as a "superinfection." Such environments are common on poorly secured systems and often involve multiple self-replicating malware strains.

Lastly, the threat actor appears to have profited significantly from the campaign: the Bitcoin wallet tied to the malware has received over 9.3 BTC, approximately 100,000 USD at the time of writing.

Procolored's Response

Despite initially denying that the software it provided to users had been compromised with an advanced malware payload, the company removed the software downloads from its website on or before May 8, 2025. At that point in the timeline, the company appears to have begun an internal investigation.

GData posed several questions to Procolored and received responses, which are reproduced here:

  1. How did this happen?

    The software hosted on our website was initially transferred via USB drives. It is possible that a virus was introduced during this process. Additionally, as the PrintEXP software is in Chinese by default, some international operating systems may incorrectly flag or misinterpret it as malicious, especially if the system does not handle non-English programs well.

  2. How will you make sure this does not happen again?

    As a precaution, all software has been temporarily removed from the Procolored official website. We are conducting a comprehensive malware scan of every file. Only after passing stringent virus and security checks will the software be re-uploaded. This is a top priority for us, and we are taking it very seriously.

  3. Advice for potentially affected customers:

    For the users who have reported related issues, Procolored engineers have already provided individual support and solutions. Once all software has been thoroughly reviewed and confirmed safe, we will update the website and notify customers through our official channels to download the latest version.

In conclusion, GData addressed whether the malware had been planted deliberately, as some Redditors proposed, stating:

While some redditors speculate that the trojan was planted on purpose, there is no evidence to support this claim. Outdated malware with an inactive command-and-control server is not advantageous for any attacker nor does super infection make sense for this scenario. A far more plausible explanation points to the absence or failure of antivirus scanning on the systems used to compile and distribute the software packages. Procolored promises to improve this process, so that it cannot happen again.

Karolis Liucveikis

Experienced software engineer, passionate about behavioral analysis of malicious apps

Author and general operator of PCrisk's News and Removal Guides section. Co-researcher working alongside Tomas to discover the latest threats and global trends in the cyber security world. Karolis has experience of over 8 years working in this branch. He attended Kaunas University of Technology and graduated with a degree in Software Development in 2017. Extremely passionate about technical aspects and behavior of various malicious applications.
