Full Report
For at least half a year, the official software supplied with Procolored printers included malware in the form of a remote access trojan and a cryptocurrency stealer. [...]
Analysis Summary
# Incident Report: Printer Manufacturer Distributes Malware Via Official Drivers
## Executive Summary
The printer manufacturer Procolored distributed software drivers laced with two distinct malware strains, XRedRAT and SnipVex, through their official website and hosted files on Mega.nz for an extended period, potentially since October 2024. The security breach was discovered by G Data, who found the malware in 39 driver files. Response actions included Procolored taking down the infected files and launching an internal review, recommending customers replace the software and perform thorough system scans due to the presence of file-infecting malware (SnipVex).
## Incident Details
- Discovery Date: Undisclosed (Discovered by G Data)
- Incident Date: Malware was present in files last updated October 2024, implying a compromise period of at least six months.
- Affected Organization: Procolored (Printer Manufacturer)
- Sector: Manufacturing (Printers/Hardware)
- Geography: Unknown; international distribution is implied by delivery via the official website and Mega.nz.
## Timeline of Events
### Initial Access
- Date/Time: Prior to October 2024 (the most recently updated files were already contaminated at that point).
- Vector: Unknown; the build or developer systems were infected directly. Procolored suggested an infected USB drive, potentially carrying "Floxif", may have been the source of the contamination of developer systems.
- Details: Malware (XRedRAT and SnipVex) was embedded into software driver packages before being uploaded to the Procolored website and Mega.nz storage.
### Lateral Movement
- Details: Not explicitly detailed, but XRedRAT, given its capabilities (remote shell access), could facilitate network movement if installed. SnipVex focuses on local file infection.
### Data Exfiltration/Impact
- Data Theft: SnipVex is a clipper malware that infects executable files and replaces Bitcoin addresses in the clipboard, successfully diverting cryptocurrency; the associated address received approximately 9.308 BTC (nearly $1 million USD). XRedRAT capability includes keylogging and screenshot capturing.
### Detection & Response
- Detection: G Data identified the infected files during analysis.
- Response Actions: Procolored took down the infected software packages on May 8th and initiated an internal investigation after being alerted by G Data.
## Attack Methodology
- Initial Access: Developer/build systems compromised, potentially via a Floxif-style delivery mechanism (e.g. an infected USB drive).
- Persistence: XRedRAT is a Remote Access Trojan, implying mechanisms for maintaining long-term illicit access.
- Privilege Escalation: Not explicitly detailed.
- Defense Evasion: Malware was distributed via legitimate, trusted software channels (manufacturer website/official drivers), effectively bypassing end-user security assumptions.
- Credential Access: XRedRAT capabilities include keylogging.
- Discovery: XRedRAT capabilities include remote shell access for reconnaissance.
- Lateral Movement: XRedRAT capabilities include remote shell access.
- Collection: XRedRAT capability includes screenshot capturing.
- Exfiltration: SnipVex diverts cryptocurrency by replacing wallet addresses in the clipboard rather than exfiltrating data; XRedRAT's exfiltration channels are implied by its keylogging and screenshot capabilities.
- Impact: Financial fraud via cryptocurrency theft; potential widespread monitoring of user systems.
## Impact Assessment
- Financial: Direct theft of approximately $1 million USD in cryptocurrency attributed to the SnipVex clipper malware (diverted payments).
- Data Breach: Keylogged data, screenshots, and potential access to user system files via XRedRAT.
- Operational: Users faced system compromise; the company faced reputational damage and had to halt software distribution and conduct comprehensive security checks.
- Reputational: Significant reputational damage due to knowingly or unknowingly distributing malware for months through official channels.
## Indicators of Compromise
*Note: C2 URLs were hardcoded in the XRedRAT samples; they are not reproduced in this summary.*
- Network Indicators (C2): The hardcoded C2 URLs match those seen in older XRedRAT samples. The specific URLs are not provided in the source text; only the correspondence with older samples is noted.
- File Indicators: 39 driver files confirmed infected by XRedRAT and SnipVex.
- Behavioral Indicators: Clipboard hijacking/replacement of BTC addresses (SnipVex); Keylogging; Screenshot capturing; Remote shell access (XRedRAT).
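The clipboard hijacking listed above is the observable a defender can actually watch for. The following Python sketch is an added example, not code from the G Data report or from Procolored: it validates Bitcoin addresses (full Base58Check for legacy "1..."/"3..." addresses; a format-only check, no bech32 checksum, for "bc1..." addresses, which is an assumption made for brevity) and flags the clipper signature, a copied address being replaced by a different address within a short window. The snapshot timeline is constructed, the addresses are public documentation examples rather than indicators from this incident, and feeding live clipboard contents would require a platform clipboard poller that is not shown here.

```python
import hashlib
import re

# Base58 alphabet used by legacy (P2PKH "1...") and P2SH ("3...") Bitcoin addresses.
B58_ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"

# Format-only check for bech32/bech32m ("bc1...") addresses. Assumption: a
# structural match is good enough for this heuristic; the checksum is not verified.
BECH32_RE = re.compile(r"bc1[qpzry9x8gf2tvdw0s3jn54khce6mua7l]{25,87}")


def b58check_decode(text: str):
    """Return the 21-byte payload if text is valid Base58Check, else None."""
    n = 0
    for ch in text:
        idx = B58_ALPHABET.find(ch)
        if idx < 0:
            return None
        n = n * 58 + idx
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    # Each leading '1' in the text encodes one leading zero byte.
    pad = len(text) - len(text.lstrip("1"))
    raw = b"\x00" * pad + body
    if len(raw) != 25:  # 1 version byte + 20-byte hash + 4-byte checksum
        return None
    payload, checksum = raw[:21], raw[21:]
    digest = hashlib.sha256(hashlib.sha256(payload).digest()).digest()
    return payload if digest[:4] == checksum else None


def is_btc_address(text: str) -> bool:
    """True for a well-formed mainnet Bitcoin address (legacy, P2SH or bech32)."""
    if text[:1] in ("1", "3"):
        payload = b58check_decode(text)
        return payload is not None and payload[0] in (0x00, 0x05)
    return BECH32_RE.fullmatch(text.lower()) is not None


def find_clipboard_swaps(snapshots, window_s: float = 2.0):
    """Flag transitions between two different valid BTC addresses within window_s.

    snapshots: iterable of (timestamp_seconds, clipboard_text), in time order.
    A clipper overwrites the clipboard almost immediately after the user copies
    an address, so a quick A -> B transition with no non-address content in
    between is the signal. Two genuine copies in quick succession would also
    fire, so treat alerts as triage leads rather than proof of infection.
    """
    alerts = []
    prev_t, prev_addr = None, None
    for t, text in snapshots:
        text = text.strip()
        addr = text if is_btc_address(text) else None
        if addr and prev_addr and addr != prev_addr and (t - prev_t) <= window_s:
            alerts.append({"at": t, "copied": prev_addr, "replaced_with": addr})
        prev_t, prev_addr = t, addr
    return alerts


# Constructed clipboard timeline (timestamps in seconds). The addresses are
# public documentation examples, not indicators from the Procolored incident.
SAMPLE_SNAPSHOTS = [
    (0.0, "Invoice #4711 - please pay to the address below"),
    (1.0, "1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa"),  # user copies the payee address
    (1.3, "1BvBMSEYstWetqTFn5Au4m4GFg7xJaNVN2"),  # clipboard silently changed
    (30.0, "3J98t1WpEZ73CNmQviecrnyiWrnqRhWNLy"),  # a later, unrelated copy
    (31.0, "meeting notes"),
]

if __name__ == "__main__":
    for a in find_clipboard_swaps(SAMPLE_SNAPSHOTS):
        print(f"[{a['at']:.1f}s] copied {a['copied']} but clipboard now holds {a['replaced_with']}")
```

The window is deliberately short: a clipper acts within a fraction of a second of the copy event, and widening it mostly adds false positives from users who legitimately paste several addresses in a row. The same transition logic applies to other clipper targets (Ethereum, Monero, IBANs) once a validator for that format is substituted.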
## Response Actions
- Containment: Procolored temporarily removed all affected software from their official website on May 8th.
- Eradication: Procolored launched a comprehensive malware scan on every file and is testing clean software packages.
- Recovery: Customers were advised to replace their existing software with confirmed clean versions and to perform deep system scans, since SnipVex alters existing binaries and therefore requires cleaning beyond a simple reinstall.
## Lessons Learned
- Supply Chain Vulnerability: The integrity of software build environments and developer workstations must be strictly enforced, as compromise at this stage bypasses most traditional perimeter defenses.
- Vendor Trust Exploitation: Distributing malware via official, trusted software channels is a highly effective method for wide-scale infection.
- Due Diligence: Procolored initially denied or downplayed the situation until confronted by G Data.
## Recommendations
- Implement rigorous zero-trust security across build and code signing environments immediately.
- Immediately halt software distribution pending forensic verification of all build artifacts, and stop using third-party file hosts (Mega.nz) for official software distribution.
- Conduct mandatory, deep forensic analysis (including firmware/USB scanning) on all developer endpoints and build machines to rule out persistent threats like Floxif.
- Establish rapid, transparent communication protocols for security incidents, especially when customer trust is foundational to the business model.