Printer Company Procolored Served Infected Software for Months – Source: www.securityweek.com

For half a year, the website of printer company Procolored served software downloads that contained malware, cybersecurity firm GData reports.

After being tipped off by a tech writer that the USB drive containing the device’s software was infected with malware, GData analyzed the software downloads available through the company’s website, only to discover that they were infected as well.

The tech writer, Cameron Coward, had notified the printer firm of the issue, only to be told that the malware detection was likely a false positive and that there was nothing wrong with the flash drive.

GData, however, discovered that 39 software downloads, hosted on mega.nz and last updated in October 2024, had been infected with two malware families, namely an information stealer and a backdoor.

The backdoor, dubbed XRed, is written in Delphi and has worm-like behavior. The sample found in Procolored’s downloads could log keystrokes, download additional payloads, take screenshots, tamper with files, and provide a shell if requested.

The stealer, named CoinStealer, targets cryptocurrency wallets but can also replace cryptocurrency addresses in the clipboard with an attacker’s address, to divert funds to the attacker during transfers.

However, GData discovered that the stealer is also a virus that targets executable files, prepending itself to them, and then moves the infected files to the host’s original location.

According to the cybersecurity firm, XRed bundles the virus, dubbed SnipVex, which leads to a “superinfection”, as the target system ends up hosting multiple self-replicating malware families.

“The virus infection also explains why a total of 39 files in the downloads section of Procolored were infected. SnipVex likely replicated itself on a developer’s system or the build servers,” GData explains.

A look at the cryptocurrency address the stealer would replace a victim’s address with in the clipboard reveals that it received over 9 Bitcoin (valued at more than $900,000).

Although it initially denied a possible malware infection, Procolored removed the software downloads from its website, saying it was investigating them and that it would repost them if found clean.

The company told GData that the software hosted on its website was initially transferred using a flash drive, and that the virus could have been introduced during the process.

Responding to a SecurityWeek inquiry, Procolored confirmed that it has rescanned and verified all software on its website, that all files are clean, and that it has implemented stricter internal controls for software releases and is strengthening its quality assurance processes. 

“There is no connection between our software and any cryptocurrency theft. The malware’s command servers have been offline since February 2024, making any remote activity impossible. We have not received any user complaints regarding crypto,” Procolored said.

“Some headlines may lead readers to believe that using Procolored software could result in Bitcoin theft. That is not the case-there is no direct cause-and-effect relationship, and we have never accessed or stolen any user’s cryptocurrency,” the company continued.

The company also acknowledged that the distribution of software via USB drives in the past lacked adequate rigor and noted that it is fully committed to resolve any issues users might have. 

“We sincerely apologize to our users for any confusion or concern this software issue may have caused,” Procolored said.

It is also worth noting that GData has updated its post to point out that fresh software packages it has received from Procolored, and which are currently distributed to users, are clean.

Users can identify potential infections by looking for antivirus exclusions set for printer files. Those who were infected are advised to reformat their drives and reinstall the operating system.

*Updated with Procolored statement and additional information from GData.

Related: Infostealer Infections Lead to Telefonica Ticketing System Breach

Related: Snowflake Attacks: Mandiant Links Data Breaches to Infostealer Infections

Related: Police Warn Hundreds of Online Merchants of Skimmer Infections

Related: NSA Issues Guidance on Mitigating BlackLotus Bootkit Infections