Procolored, a printer manufacturer, has been found distributing software and drivers contaminated with malicious code, including the XRed backdoor.
The issue came to light when Cameron Coward, the YouTuber behind the channel Serial Hobbyism, set out to review a $6,000 UV printer and got antivirus alerts as soon as he plugged in the USB drive that shipped with the printer software.
The alerts flagged a USB-spreading worm and a Floxif infection, a severe file infector known for attaching itself to Portable Executable files and spreading across network shares and removable drives.
This prompted an in-depth investigation of Procolored's publicly accessible software downloads, hosted on mega.nz for six printer models, which revealed widespread malware distribution affecting 39 files, 20 of which had unique hashes.
Uncovering a Serious Security Breach
A detailed analysis of the infected files identified two primary threats: Win32.Backdoor.XRedRAT.A, a Delphi-based backdoor previously documented by eSentire in February 2024, and MSIL.Trojan-Stealer.CoinStealer.H, a .NET-based clipbanker dubbed SnipVex.

The XRed backdoor, present in files such as PrintExp.exe (SHA256: 531d08606455898408672d88513b8a1ac284fdf1fe011019770801b7b46d5434), supports keylogging, file downloads, screenshots, and remote command execution through a cmd.exe shell.
Notably, its command-and-control servers have been offline since early 2024, which limits the risk of active remote exploitation.
SnipVex, however, is a persistent threat: it is a prepending file infector that targets .exe files across all logical drives and replaces Bitcoin addresses found in the clipboard with the attacker's wallet address, which blockchain records show has accumulated roughly $100,000 in diverted transactions.
SnipVex writes an infection marker (0x0A 0x0B 0x0C) so that it does not infect a file twice, and it skips system directories such as %TEMP%. Its presence in legitimate software bundles points to negligence in Procolored's build or distribution systems, most likely because antivirus scanning was absent or failed.
Malware Details and Potential Impact
Procolored initially dismissed the antivirus alerts as false positives, but removed the downloads from its website around May 8, 2025, after the concerns persisted.
Once provided with a detailed malware analysis, the company acknowledged that the files could have been infected during USB-based software transfers and committed to rigorous security checks before re-uploading them.

It has since provided clean software packages to affected users and advised customers to revoke any antivirus exclusions they had set for its software.
For anyone potentially infected, experts recommend a full reformat and OS reinstallation because of the irreversible damage file infectors like SnipVex cause, although original files may be recoverable by stripping the virus payload from executables that were infected only once.
According to the report, this case underscores the critical need for robust security practices in software distribution, especially for hardware vendors whose products users trust by default.
While there has been speculation about deliberate malware planting, the age of XRed and its dead C2 infrastructure point to accidental contamination rather than malice.
Procolored's ongoing remediation efforts are a step forward, but the incident is a cautionary tale: users should stay vigilant about software sources, even when the source is the official vendor.
Indicators of Compromise (IoCs)
| Malware | Type | Identifier |
|---|---|---|
| XRed Backdoor | SHA256 | 531d08606455898408672d88513b8a1ac284fdf1fe011019770801b7b46d5434 |
| SnipVex Virus | SHA256 | 39df537aaefb0aa31019d053a61fabf93ba5f8f3934ad0d543cde6db1e8b35d1 |
| SnipVex BTC Wallet | Address | 1BQZKqdp2CV3QV5nUEsqSg1ygegLmqRygj |
| SnipVex Run Keys | Registry Path | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run, value names ScdBcd and ClpBtcn |
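The following triage script is an added example written for this article; it is not code from the report, from G DATA, or from Procolored. It turns the details above into an offline sweep of a mounted USB stick or download folder: it hashes every .exe against the two published SHA256 values, looks for the SnipVex infection marker 0x0A 0x0B 0x0C, and, on Windows, lists HKCU Run values named ScdBcd or ClpBtcn. The one assumption to flag is the marker's location: the article only gives the bytes, so the script reads them from the tail of the file; if your own sample analysis places the marker elsewhere, adjust `has_snipvex_marker` accordingly.

```python
"""Offline IoC triage for the Procolored / SnipVex / XRed case (added example).

Hashes, marker bytes and Run-value names come from the article's IoC table.
ASSUMPTION: the infection marker is checked at the end of the file; the
article does not say where SnipVex writes it.
"""
from __future__ import annotations

import hashlib
import sys
from pathlib import Path

# IoCs from the table above.
KNOWN_BAD_SHA256 = {
    "531d08606455898408672d88513b8a1ac284fdf1fe011019770801b7b46d5434": "XRed backdoor",
    "39df537aaefb0aa31019d053a61fabf93ba5f8f3934ad0d543cde6db1e8b35d1": "SnipVex",
}
SNIPVEX_MARKER = b"\x0a\x0b\x0c"
SNIPVEX_RUN_VALUES = {"ScdBcd", "ClpBtcn"}
RUN_KEY_PATH = r"Software\Microsoft\Windows\CurrentVersion\Run"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def has_snipvex_marker(data: bytes) -> bool:
    """True if a PE image ends with the marker (assumed placement, see module docstring)."""
    return data[:2] == b"MZ" and data.endswith(SNIPVEX_MARKER)


def triage_bytes(data: bytes) -> list[str]:
    """Return findings for one file's contents; an empty list means no IoC matched."""
    findings = []
    digest = sha256_hex(data)
    if digest in KNOWN_BAD_SHA256:
        findings.append(f"known-bad hash: {KNOWN_BAD_SHA256[digest]}")
    if has_snipvex_marker(data):
        findings.append("SnipVex infection marker 0x0A 0x0B 0x0C at end of PE file")
    return findings


def scan_tree(root: Path) -> dict[str, list[str]]:
    """Walk a directory (e.g. the mounted printer USB stick) and triage every .exe."""
    hits: dict[str, list[str]] = {}
    for path in root.rglob("*.exe"):
        try:
            findings = triage_bytes(path.read_bytes())
        except OSError as exc:
            findings = [f"unreadable: {exc}"]
        if findings:
            hits[str(path)] = findings
    return hits


def suspicious_run_values(run_values: dict[str, str]) -> dict[str, str]:
    """Keep only the HKCU Run values whose names match the SnipVex persistence names."""
    return {name: cmd for name, cmd in run_values.items() if name in SNIPVEX_RUN_VALUES}


def read_hkcu_run_values() -> dict[str, str]:
    """Read the HKCU Run key via winreg on Windows; returns {} on other platforms."""
    try:
        import winreg
    except ImportError:
        return {}
    values: dict[str, str] = {}
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, RUN_KEY_PATH) as key:
        index = 0
        while True:
            try:
                name, data, _kind = winreg.EnumValue(key, index)
            except OSError:  # no more values
                break
            values[name] = str(data)
            index += 1
    return values


if __name__ == "__main__":
    root = Path(sys.argv[1] if len(sys.argv) > 1 else ".")
    for file, findings in scan_tree(root).items():
        print(file)
        for finding in findings:
            print("   ", finding)
    for name, cmd in suspicious_run_values(read_hkcu_run_values()).items():
        print(f"Run value {name!r} -> {cmd}")
```

Run it as `python triage.py E:\` against the mounted stick before anything on it is executed. A hash match is conclusive for the two published samples; the marker check is only as good as the placement assumption, so treat a marker hit as a lead for sample analysis rather than a verdict, and remember that a clean Run key says nothing about files that were infected but never launched.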