Printer brand Procolored unintentionally bundled malware with its official software for approximately six months. The full impact of this incident is still unknown, though customers should take action to ensure that their machines are not infected.
Procolored occupies a strong foothold in the UV printing, direct-to-garment (DTG) printing, and direct-to-film (DTF) printing niche. Its products cost several thousand dollars and primarily appeal to small business owners who want to print shirts, stickers, or other apparel at scale.
Reports of malware-infected Procolored drivers began cropping up in Reddit communities earlier this year. That said, the problem didn’t receive much attention until May 13th, when YouTuber Cameron Coward (Serial Hobbyism) published his review of a $7k Procolored printer at Hackster.io. Coward encountered Windows Defender antivirus warnings when attempting to download vendor-supplied software for a Procolored UV Printer—one package contained a Floxif virus, while another was flagged for a worm.
Naturally, Coward reached out to Procolored for support, but he was told that Windows Defender had made a mistake. So he asked third-party analysts, including Karsten Hahn, Principal Malware Researcher at G DATA CyberDefense, to look at the files. The analysts concluded that 39 files distributed through Procolored’s Mega file distribution page were infected with XRedRat and SnipVex malware.
XRedRat is a known virus that allows threat actors to remotely access infected machines. It can capture screenshots, log keystrokes, view hard disk contents, and manipulate or delete files. However, this version of XRedRat is no longer capable of facilitating a remote connection, as its backend went offline in February 2024, long before Procolored began distributing infected software packages.
SnipVex is a bit more interesting—it’s a previously-unknown clipper malware that spreads itself across machines or networks by infecting executable files. Once it’s on a machine, it redirects cryptocurrency transactions to a malicious Bitcoin address, which then launders the money to reduce traceability. This address has received a total of 9.30 Bitcoin, which works out to about $100k USD, though transactions stopped on March 3rd, 2024.
Curiously, analysts did not encounter Floxif malware on Procolored’s downloads page. Cameron Coward ran into Floxif when installing software from a USB stick supplied by Procolored, so this discrepancy may be due to differences between software executable versions.
In any case, Floxif and XRedRat are known viruses that should be flagged by any competent antivirus software. Karsten Hahn believes that the presence of these viruses is a sign of extremely poor cybersecurity within Procolored. He believes that employees at the company used infected machines to upload official software packages, thereby spreading the infection to customers.
There is no evidence of intentional malfeasance from Procolored. If the company wanted to hack into customers’ computers or hijack Bitcoin transactions, it wouldn’t use outdated malware to do so. XRedRat and SnipVex no longer provide remote access or Bitcoin-stealing functionality. Their only remaining function is self-replication.
Procolored took down its software downloads page and kicked off an internal investigation on May 8th. It now acknowledges that it accidentally distributed malware, and its official explanation is that “the software hosted on our website was initially transferred via USB drives … it is possible that a virus was introduced during this process.” The Procolored downloads page came back online a few days ago, and third-party analysts confirm that its software packages are now free from malware.
Still, this story doesn’t inspire confidence in Procolored. The company failed to protect itself from basic cybersecurity threats and unwittingly sent malware to customers for nearly six months. I’m also inclined to point out an interesting footnote in Cameron Coward’s review: “I contacted Procolored support four times over the course of my testing, for help with figuring out the software and settings. Every single time, the agent requested multiple times that I allow them to connect remotely to my computer.”
Again, this old malware is easily detectable by Windows Defender and other antivirus solutions. The big concern here is that Procolored customers may have ignored antivirus warnings when setting up a printer or installing new drivers. If you purchased a Procolored device after November 2024, check to see if there are any exceptions in your antivirus software—an exception for Visual C++ or PrintExp may indicate an infection.
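One way to run the exclusion check described above on a Windows machine is the script below. It is an added example, not code from the article or from Procolored, G DATA, or Hackster.io. It uses the built-in Defender cmdlet Get-MpPreference and matches exclusion entries against the two indicators the article names; the search terms and the output format are the example's own choices. Recent Windows builds hide exclusion lists from non-administrators, so run it from an elevated PowerShell prompt.

```powershell
# Added example (not from the article): list Windows Defender exclusions and
# flag entries matching the indicators the article mentions.
# Run as Administrator; non-elevated sessions may see empty exclusion lists.

# Indicators named in the article. Add nothing here that you cannot justify.
$suspiciousTerms = @('Visual C++', 'PrintExp')

# Get-MpPreference returns the current Defender configuration. Each exclusion
# property is a string array, or $null when no exclusions of that kind exist.
$prefs = Get-MpPreference
$exclusionGroups = @(
    [pscustomobject]@{ Kind = 'Path';      Values = $prefs.ExclusionPath }
    [pscustomobject]@{ Kind = 'Process';   Values = $prefs.ExclusionProcess }
    [pscustomobject]@{ Kind = 'Extension'; Values = $prefs.ExclusionExtension }
)

$matches = 0
$total   = 0
foreach ($group in $exclusionGroups) {
    # @() guards against $null; the inner check skips the empty element it produces.
    foreach ($value in @($group.Values)) {
        if (-not $value) { continue }
        $total++
        $flag = ''
        foreach ($term in $suspiciousTerms) {
            # -like is case-insensitive by default, so 'printexp.exe' also matches.
            if ($value -like "*$term*") { $flag = "  <-- matches '$term'" }
        }
        if ($flag) { $matches++ }
        Write-Output ("{0,-10} {1}{2}" -f $group.Kind, $value, $flag)
    }
}

Write-Output "$total exclusion(s) configured."
if ($matches -gt 0) {
    Write-Warning "$matches exclusion(s) match indicators from the Procolored incident. Treat this machine as suspect and run a full scan before trusting it."
} else {
    Write-Output 'No exclusions matching the named indicators were found.'
}
```

Any exclusion you did not create yourself deserves a second look, not only the two flagged here: an exclusion is exactly what lets a detectable family like XRedRat or Floxif persist on a machine with a working antivirus. Remove unexplained entries with Remove-MpPreference and then run a full scan (Start-MpScan -ScanType FullScan).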
Your antivirus software should be able to remove XRedRat and Floxif infections, but SnipVex was only discovered a week ago, so it may remain undetectable. You’ll need to format your drives and reinstall your operating system to clear the infection—SnipVex can’t steal Bitcoin anymore, but it will still damage your PC by infecting executable files as it replicates. I suggest that affected customers read Karsten Hahn’s coverage at G DATA CyberDefense, which includes some details that may aid in file recovery.
We’ve reached out to Procolored for a statement and will update this article if we receive a response.
Source: Hackster.io & G DATA CyberDefense via BleepingComputer