Researchers found a private Telegram channel-based backdoor within the information-stealing malware dubbed Prynt Stealer, which its developer added with the intention of secretly stealing a copy of victims' exfiltrated data when the stealer is used by other cybercriminals.
“While this untrustworthy behavior is nothing new in the world of cybercrime, the victims' data end up in the hands of multiple threat actors, increasing the risks of one or more large-scale attacks to follow,” Zscaler ThreatLabz researchers Atinderpal Singh and Brett Stone-Gross said in a new report.
Prynt Stealer, which came to light earlier this April, comes with capabilities to log keystrokes, steal credentials from web browsers, and siphon data from Discord and Telegram. It is sold for $100 for a one-month license and $900 for a lifetime subscription.
The cybersecurity firm's analysis of Prynt Stealer shows that its codebase is derived from two other open source malware families, AsyncRAT and StormKitty, with new additions that include a backdoor Telegram channel to forward the information stolen by other actors to the malware's author.
The code responsible for Telegram data exfiltration is said to be copied from StormKitty, save for a few minor changes.
Also included is an anti-analysis feature that equips the malware to continuously monitor the victim's process list for processes such as taskmgr, netstat, and wireshark, and, if any are detected, block the Telegram command-and-control communication channels.
While bad actors have employed similar data-stealing tactics in the past where the malware is given away for free, the development marks one of the rare instances where a stealer that is sold on a subscription basis is also sending the plundered information back to its developer.
“Note that there are cracked/leaked copies of Prynt Stealer with the same backdoor, which in turn will benefit the malware author even without direct compensation,” the researchers said.
Zscaler said it identified two more Prynt Stealer variants dubbed WorldWind and DarkEye written by the same author, the latter of which is bundled as an implant with a “free” Prynt Stealer builder.
The builder is also designed to drop and execute a remote access trojan called Loda RAT, an AutoIT-based malware that is capable of accessing and exfiltrating both system and user information, acting as a keylogger, taking screenshots, launching and terminating processes, and downloading additional malware payloads via a connection to a C2 server.
“The free availability of source code for numerous malware families has made development easier than ever for less sophisticated threat actors,” the researchers concluded.
“The Prynt Stealer author went a step further and added a backdoor to steal from their customers by hardcoding a Telegram token and chat ID into the malware. As the saying goes, there is no honor among thieves.”
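The hardcoded Telegram token and chat ID described above are exactly the kind of artifact a static triage pass can surface. The following is an added example for analysts, not code from the Zscaler report or from the malware: it runs over the string dump of a sample (here a constructed list standing in for `strings` output) and pulls out Telegram bot tokens and `chat_id` values. Finding more than one distinct token or chat ID in a single stealer build is the signal that points at a second, hidden exfiltration destination of the sort described in this article. The token pattern (numeric bot id, colon, 35-character secret) and the `chat_id` field form are heuristics based on the public Bot API URL format; all sample strings are constructed and the function name is our own.

```python
import re
from typing import Iterable

# Heuristic for a Telegram bot token as it appears in Bot API URLs:
# <numeric bot id>:<35-character secret>. Assumption: this is the format
# BotFather issues; adjust the length if the format ever changes.
TOKEN_RE = re.compile(r"(?<![A-Za-z0-9_-])(\d{8,10}:[A-Za-z0-9_-]{35})(?![A-Za-z0-9_-])")
# chat_id as a query/form parameter; channels and groups carry negative ids.
CHAT_ID_RE = re.compile(r"chat_id[=\"':\s]+(-?\d{6,})")
# Presence of the Bot API host is a useful indicator even when the token is
# built at runtime and does not appear as a single string.
API_RE = re.compile(r"api\.telegram\.org/bot")


def triage_telegram_strings(strings: Iterable[str]) -> dict:
    """Extract Telegram exfiltration indicators from a sample's strings.

    Returns the distinct tokens and chat ids in order of first appearance,
    whether the Bot API host was referenced, and a short verdict. More than
    one token or chat id in one build suggests a secondary (backdoor) channel.
    """
    tokens: list[str] = []
    chat_ids: list[str] = []
    uses_bot_api = False
    for s in strings:
        if API_RE.search(s):
            uses_bot_api = True
        for m in TOKEN_RE.finditer(s):
            if m.group(1) not in tokens:
                tokens.append(m.group(1))
        for m in CHAT_ID_RE.finditer(s):
            if m.group(1) not in chat_ids:
                chat_ids.append(m.group(1))

    verdict = "no telegram exfil indicators"
    if tokens or uses_bot_api:
        verdict = "telegram exfil channel present"
    if len(tokens) > 1 or len(chat_ids) > 1:
        verdict = "multiple telegram destinations: possible secondary (backdoor) channel"
    return {
        "tokens": tokens,
        "chat_ids": chat_ids,
        "uses_bot_api": uses_bot_api,
        "verdict": verdict,
    }


# Constructed string dump of a hypothetical stealer build. The tokens are
# fake (padded placeholders of the right length), not real credentials.
SAMPLE_STRINGS = [
    "https://api.telegram.org/bot",
    "/sendDocument?chat_id=5012345678",               # operator's configured chat
    "1234567890:" + "AAFakeOperatorToken".ljust(35, "0"),  # operator's token
    "Mozilla/5.0 (Windows NT 10.0; Win64; x64)",
    "9876543210:" + "AAFakeAuthorToken".ljust(35, "1"),    # second, hidden token
    "chat_id=-1001234567890",                         # second, hidden channel
]


if __name__ == "__main__":
    result = triage_telegram_strings(SAMPLE_STRINGS)
    for key, value in result.items():
        print(f"{key}: {value}")
```

Run against real samples, feed the output of `strings` (or the string table of a decompiled .NET assembly) into `triage_telegram_strings`; a second token or chat ID that the operator never configured is the indicator worth escalating. Any token recovered this way should be treated as an indicator of compromise for blocking and reporting, not reused.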