Researchers have found a non-public Telegram channel-based backdoor inside the data-stealing malware dubbed Prynt Stealer, which its developer added with the intention of secretly siphoning a copy of victims' exfiltrated data when the malware is used by other cybercriminals.
"While this untrustworthy behavior is nothing new in the world of cybercrime, the victims' data end up in the hands of multiple threat actors, increasing the risks of one or more large scale attacks to follow," Zscaler ThreatLabz researchers Atinderpal Singh and Brett Stone-Gross said in a new report.
Prynt Stealer, which came to light earlier this April, comes with capabilities to log keystrokes, steal credentials from web browsers, and siphon data from Discord and Telegram. It is sold for $100 for a one-month license and $900 for a lifetime subscription.
The cybersecurity firm's analysis of Prynt Stealer shows that its codebase is derived from two other open source malware families, AsyncRAT and StormKitty, with new additions incorporated to include a backdoor Telegram channel that forwards the information stolen by other actors to the malware's author.
The code responsible for Telegram data exfiltration is said to be copied from StormKitty, with only a few minor modifications.
Also included is an anti-analysis feature that makes the malware continuously monitor the victim's process list for processes such as taskmgr, netstat, and wireshark, and, if any is detected, block the Telegram command-and-control communication channels.
While bad actors have employed similar data-stealing tactics in the past where the malware is given away for free, this development marks one of the rare instances where a stealer that is sold on a subscription basis also sends the plundered information back to its developer.
"Note that there are cracked/leaked copies of Prynt Stealer with the same backdoor, which in turn will benefit the malware author even without direct compensation," the researchers said.
Zscaler said it identified two more variants of Prynt Stealer, dubbed WorldWind and DarkEye, written by the same author, the latter of which is bundled as an implant with a "free" Prynt Stealer builder.
The builder is also designed to drop and execute a remote access trojan called Loda RAT, an AutoIT-based malware that is able to access and exfiltrate both system and user information, act as a keylogger, take screenshots, launch and terminate processes, and download additional malware payloads via a connection to a C2 server.
"The free availability of source code for numerous malware families has made development easier than ever for less sophisticated threat actors," the researchers concluded.
"The Prynt Stealer author went a step further and added a backdoor to steal from their customers by hardcoding a Telegram token and chat ID into the malware. As the saying goes, there is no honor among thieves."
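The hardcoded Telegram token and chat ID described above give analysts a concrete triage signal: a sample that carries more than one distinct bot token is a candidate for a second, hidden recipient. The script below is an added illustration (not Zscaler's tooling or Prynt Stealer's code) that runs over a constructed `strings`-style dump; it assumes Telegram bot tokens take the form `<numeric bot id>:<35-character secret>` and that `chat_id=` parameters appear near the token they belong to.

```python
import re
from collections import defaultdict

# Constructed sample of strings an analyst might pull from a stealer binary.
# Every token and chat ID here is made up; the anti-analysis process names
# (taskmgr, netstat, wireshark) are the ones named in the report.
SAMPLE_STRINGS = """\
https://api.telegram.org/bot123456789:BuyerBotToken_0123456789_0123456789/sendDocument
chat_id=111111111
https://api.telegram.org/bot987654321:AuthorBotToken_012345678_0123456789/sendDocument
chat_id=222222222
taskmgr
netstat
wireshark
"""

# Bot token shape "<bot id>:<35 chars of [A-Za-z0-9_-]>" is an assumption
# based on Telegram's public documentation, not a value taken from the report.
TOKEN_RE = re.compile(r"(\d{6,12}):([A-Za-z0-9_-]{35})\b")
CHAT_RE = re.compile(r"chat_id=(-?\d{5,})")
ANTI_ANALYSIS_NAMES = {"taskmgr", "netstat", "wireshark"}


def extract_exfil_channels(strings_dump):
    """Return {bot_token: {chat ids seen after it, before the next token}}."""
    channels = defaultdict(set)
    current = None
    for line in strings_dump.splitlines():
        tok = TOKEN_RE.search(line)
        if tok:
            current = tok.group(0)
            channels[current]  # register token even if no chat_id follows
        chat = CHAT_RE.search(line)
        if chat and current:
            channels[current].add(chat.group(1))
    return dict(channels)


def suspect_secondary_channel(channels):
    """Two or more distinct tokens in one sample suggests a hidden extra recipient."""
    return len(channels) > 1


def find_anti_analysis_strings(strings_dump):
    """Process names the sample watches for, as named in the report."""
    seen = {s.strip().lower() for s in strings_dump.splitlines()}
    return sorted(seen & ANTI_ANALYSIS_NAMES)
```

Pairing chat IDs by proximity is a heuristic; on a real sample confirm the pairing by reading the code path that builds the `sendDocument` request.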