Full Report
For at least half a year, the official software supplied with Procolored printers included malware in the form of a remote access trojan and a cryptocurrency stealer. [...]
Analysis Summary
# Incident Report: Procolored Software Compromise via Malware Delivery
## Executive Summary
The printer manufacturer Procolored was found to have been distributing software packages containing malware for at least six months. The compromised software, hosted on Mega.nz and the official website, contained XRedRAT (a remote access Trojan) and SnipVex (a previously undocumented BTC clipper malware). The incident was discovered by security researchers who analyzed files hosted on the company's download portal, leading to the temporary removal of all software and an internal investigation by Procolored.
## Incident Details
- Discovery Date: Not stated explicitly; implied to precede G Data's analysis (likely late April/early May 2024, given the malware update references and the May 8 takedown).
- Incident Date: Malware was shipped for at least six months, with the last update to the files noted as October 2024. (Note: given the context implying an ongoing or recent breach, this likely means the observed files were last updated in October 2023.)
- Affected Organization: Procolored (Printer Manufacturer)
- Sector: Manufacturing/Technology (Printers/Software)
- Geography: Not explicitly disclosed, but software was likely distributed internationally.
## Timeline of Events
### Initial Access
- Date/Time: Unknown; potentially predating the October 2024 build process.
- Vector: Infection of developer or build systems, potentially via a USB drive infected with **Floxif**.
- Details: The malware (XRedRAT and SnipVex) was embedded within the software packages offered for download. Procolored suggested a USB drive infected with Floxif might have introduced the initial compromise to their build environment.
### Lateral Movement
- Details: Not explicitly detailed. The presence of XRedRAT implies remote command-and-control capability, and therefore potential lateral movement if the initially compromised system was connected to broader infrastructure; SnipVex acted only on the customer endpoint after installation.
### Data Exfiltration/Impact
- Data Stolen: Cryptocurrency wallet addresses were targeted by the **SnipVex** clipper malware. The associated BTC wallet has received approximately 9.308 BTC (valued near $1 million USD at the time of analysis).
- **XRedRAT** impact includes the potential for keylogging, screenshot capturing, remote shell access, and file manipulation on affected customer systems.
### Detection & Response
- Detection: Discovered by security researchers (G Data) analyzing files hosted on Mega.nz and the official website.
- Response Actions: Procolored took software packages down from their official website on May 8. They launched an internal investigation and admitted the possibility of infection via a compromised USB drive (Floxif). Clean versions were provided to researchers for confirmation.
## Attack Methodology
- Initial Access: No direct external vector identified; internal compromise via infected build systems or a USB drive is suspected (**Floxif** suggested as the infection mechanism).
- Persistence: **XRedRAT** likely established persistence on customer systems post-installation.
- Privilege Escalation: Not explicitly detailed.
- Defense Evasion: Not explicitly detailed for the malware itself; the distribution mechanism bypassed standard software verification because the malware shipped inside the vendor's official packages.
- Credential Access: **XRedRAT** has *keylogging* capabilities.
- Discovery: Not explicitly detailed.
- Lateral Movement: **XRedRAT** supports remote shell access.
- Collection: **SnipVex** actively monitored and replaced cryptocurrency addresses in the clipboard; **XRedRAT** could capture screenshots and manipulate files.
- Exfiltration: **SnipVex** diverted BTC to a hardcoded wallet address by substituting that address into the clipboard.
- Impact: Financial loss via crypto theft; potential compromise of user systems via RAT functionality.
## Impact Assessment
- Financial: Approximately $1 million USD in stolen cryptocurrency attributed to the SnipVex operation. Potential costs related to remediation and investigation for Procolored.
- Data Breach: No explicit disclosure of PII or corporate data breach, but **XRedRAT** provides capabilities for system takeover, including screenshot capture and file manipulation on customer endpoints.
- Operational: Temporary halt in software distribution from the official Procolored website starting May 8.
- Reputational: Significant reputational damage from distributing malware embedded in official drivers/software for months, whether knowingly or not. BleepingComputer noted a lack of immediate public transparency.
## Indicators of Compromise
- Network Indicators (Defanged): Hardcoded C2 URLs related to older **XRedRAT** samples were identified.
- File Indicators: **XRedRAT**, **SnipVex** (an undocumented clipper).
- Behavioral Indicators: Clipboard modification targeting BTC addresses (**SnipVex**); Remote shell execution, keylogging, and screenshot capturing (**XRedRAT**).
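The clipboard substitution listed above is the behaviour a defender can most readily detect on an endpoint. The Go program below is an added example written for this report, not code from G Data, Procolored or the malware analysis: it validates Base58Check BTC addresses and flags a clipboard write of a different valid address that lands within a short window of the user copying one, which is how a clipper behaves and how a person rarely does. The constructed event log, the two-second window, and the stand-in "attacker" address (a well-known example address from public Bitcoin documentation, not an indicator from this incident) are all assumptions; Bech32 `bc1...` addresses are out of scope.

```go
package main

import (
	"bytes"
	"crypto/sha256"
	"fmt"
	"math/big"
	"strings"
	"time"
)

const b58Alphabet = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"

// base58Decode converts a Base58 string to bytes; leading '1' characters become
// leading zero bytes. ok is false if s contains a non-alphabet character.
func base58Decode(s string) (raw []byte, ok bool) {
	n, zeros := new(big.Int), 0
	for _, c := range s {
		idx := strings.IndexRune(b58Alphabet, c)
		if idx < 0 {
			return nil, false
		}
		n.Mul(n, big.NewInt(58)).Add(n, big.NewInt(int64(idx)))
	}
	for _, c := range s {
		if c != '1' {
			break
		}
		zeros++
	}
	return append(make([]byte, zeros), n.Bytes()...), true
}

// IsBase58BTCAddress reports whether s is a well-formed mainnet P2PKH ("1...") or
// P2SH ("3...") address: 25 decoded bytes whose last 4 equal the first 4 bytes of
// SHA256(SHA256(version || hash160)).
func IsBase58BTCAddress(s string) bool {
	if len(s) < 26 || len(s) > 35 {
		return false
	}
	raw, ok := base58Decode(s)
	if !ok || len(raw) != 25 || (raw[0] != 0x00 && raw[0] != 0x05) {
		return false
	}
	h1 := sha256.Sum256(raw[:21])
	h2 := sha256.Sum256(h1[:])
	return bytes.Equal(h2[:4], raw[21:])
}

// ClipEvent is one observed clipboard write: time since capture start, and content.
type ClipEvent struct {
	At      time.Duration
	Content string
}

// SwapAlert records a suspected clipper substitution.
type SwapAlert struct {
	Original, Replacement string
	Delay                 time.Duration
}

// DetectClipperSwaps flags a clipboard write of a *different* valid BTC address
// arriving within `window` of a BTC address being placed on the clipboard.
func DetectClipperSwaps(events []ClipEvent, window time.Duration) []SwapAlert {
	var alerts []SwapAlert
	for i := 1; i < len(events); i++ {
		prev, cur := events[i-1], events[i]
		if prev.Content == cur.Content || !IsBase58BTCAddress(prev.Content) || !IsBase58BTCAddress(cur.Content) {
			continue
		}
		if d := cur.At - prev.At; d >= 0 && d <= window {
			alerts = append(alerts, SwapAlert{prev.Content, cur.Content, d})
		}
	}
	return alerts
}

// GenesisAddress is a well-known valid mainnet address; it plays the user's own
// address in the constructed sample below.
const GenesisAddress = "1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa"

// ExampleAddress is the example address from public Bitcoin documentation; it
// stands in for a clipper's hardcoded wallet and is NOT an IoC from this incident.
const ExampleAddress = "1BvBMSEYstWetqTFn5Au4m4GFg7xJaNVN2"

// SampleEvents is a constructed clipboard capture: one swap 30 ms after the
// user's copy (suspicious), then two addresses copied a minute apart (benign).
func SampleEvents() []ClipEvent {
	return []ClipEvent{
		{0, "invoice #1042"},
		{1000 * time.Millisecond, GenesisAddress},
		{1030 * time.Millisecond, ExampleAddress},
		{5 * time.Second, "thanks"},
		{20 * time.Second, GenesisAddress},
		{80 * time.Second, ExampleAddress},
	}
}

func main() {
	for _, a := range DetectClipperSwaps(SampleEvents(), 2*time.Second) {
		fmt.Printf("possible clipper: %s -> %s after %v\n", a.Original, a.Replacement, a.Delay)
	}
}
```

On a real endpoint the events would come from a clipboard monitor (on Windows, a clipboard-format listener that also records the owning process), and the owning process is the stronger signal: a swap performed by a process that is not the one the user copied from is the case worth escalating, while the timing heuristic alone can produce false positives when a user pastes addresses from a script.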
## Response Actions
- Containment: Procolored temporarily removed all potentially infected software from their official website on May 8.
- Eradication: Procolored launched a comprehensive malware scan of all software files.
- Recovery: Procolored is re-uploading software only after it passes stringent security checks. Customers are advised to replace the old software and perform deep system scans, particularly because of **SnipVex**'s binary alteration capabilities.
## Lessons Learned
- Supply Chain Risk: Relying on potentially compromised internal build systems or removable media (USB drives) creates a critical vulnerability, allowing malware to be directly integrated into trusted enterprise software distributions.
- Malware Persistence: The six-month duration of the compromise highlights significant blind spots in Procolored’s software integrity verification process prior to hosting updates.
## Recommendations
- Implement robust code signing and integrity validation checks for all software binaries before deployment to public repositories.
- Isolate and rigorously scan all systems involved in the software build and packaging process.
- Conduct immediate, comprehensive forensic scans on all development and build machines, focusing on known malware families like Floxif, which may have served as the initial infection vector.
- Enhance customer communication protocols for immediate notification upon discovery of compromised software distribution.
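The first recommendation above, integrity validation before publication, is concrete enough to show end to end. The Go program below is an added example written for this report, not Procolored's or any vendor's release tooling: the build host hashes every file of a release into a manifest, an isolated signing host signs the manifest with Ed25519, and a publication gate re-hashes the tree and refuses to ship if the signature fails, any file's digest differs, or an unlisted file has appeared. The product name, file names, file contents and the "infector stub" used to simulate an altered binary are all constructed placeholders.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
)

// Manifest lists every file in a release with its SHA-256. The manifest is what
// gets signed, so altering a binary on the build host also requires forging the
// signature made on the separate signing host.
type Manifest struct {
	Product string            `json:"product"`
	Version string            `json:"version"`
	Files   map[string]string `json:"files"` // relative path -> hex SHA-256
}

func sha256Hex(data []byte) string {
	sum := sha256.Sum256(data)
	return hex.EncodeToString(sum[:])
}

// BuildManifest hashes a release tree (path -> contents) on the build host.
func BuildManifest(product, version string, files map[string][]byte) Manifest {
	m := Manifest{Product: product, Version: version, Files: map[string]string{}}
	for path, data := range files {
		m.Files[path] = sha256Hex(data)
	}
	return m
}

// canonical returns a deterministic encoding: json.Marshal sorts map keys and
// emits struct fields in declaration order, so equal manifests sign identically.
func (m Manifest) canonical() ([]byte, error) { return json.Marshal(m) }

// SignManifest runs on the isolated signing host, never on the build machine.
func SignManifest(m Manifest, priv ed25519.PrivateKey) ([]byte, error) {
	b, err := m.canonical()
	if err != nil {
		return nil, err
	}
	return ed25519.Sign(priv, b), nil
}

// VerifyRelease is the publication gate (and what an installer can re-run): the
// signature must verify under the pinned public key, every listed file must hash
// to its recorded digest, and no unlisted file may be present in the tree.
func VerifyRelease(m Manifest, sig []byte, pub ed25519.PublicKey, files map[string][]byte) error {
	b, err := m.canonical()
	if err != nil {
		return err
	}
	if !ed25519.Verify(pub, b, sig) {
		return errors.New("manifest signature does not verify under the pinned key")
	}
	for path, want := range m.Files {
		data, ok := files[path]
		if !ok {
			return fmt.Errorf("%s: listed in manifest but missing from release", path)
		}
		if got := sha256Hex(data); got != want {
			return fmt.Errorf("%s: SHA-256 %s... does not match manifest %s...", path, got[:12], want[:12])
		}
	}
	for path := range files {
		if _, ok := m.Files[path]; !ok {
			return fmt.Errorf("%s: present in release but not in manifest", path)
		}
	}
	return nil
}

// SampleRelease is a constructed two-file release; contents are placeholders.
func SampleRelease() map[string][]byte {
	return map[string][]byte{
		"app/setup.exe":     []byte("MZ...constructed installer bytes..."),
		"app/usbdriver.sys": []byte("constructed driver bytes"),
	}
}

// Tamper returns a copy of the release in which one file has had a stub prepended,
// mimicking a file infector that wraps the original executable after hashing.
func Tamper(files map[string][]byte, path string) map[string][]byte {
	out := make(map[string][]byte, len(files))
	for k, v := range files {
		out[k] = append([]byte(nil), v...)
	}
	out[path] = append([]byte("INFECTOR-STUB:"), out[path]...)
	return out
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	files := SampleRelease()
	m := BuildManifest("vendor-app", "1.0.0", files)
	sig, _ := SignManifest(m, priv)
	fmt.Println("clean release   :", VerifyRelease(m, sig, pub, files))
	fmt.Println("tampered binary :", VerifyRelease(m, sig, pub, Tamper(files, "app/setup.exe")))
}
```

The gate only helps if the signing key never lives on the build host that the report suspects was infected via a USB drive: a signer on the same machine would happily sign whatever the infector produced. Pin the public key in the download portal's publishing pipeline and, ideally, ship the manifest and signature alongside the installer so customers can repeat the check.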