TechRadar
Sead Fadilpašić

Procolored printers shipped out with malware-ridden drivers for half a year

Procolored F13 Panda L1800 during our review.

  • A Chinese printer maker was serving malware with software installations for half a year
  • The malware included backdoors and crypto stealers
  • Almost 10 BTC was stolen

Procolored, a major Chinese printer manufacturer, has been inadvertently infecting its customers with backdoors, infostealers, and cryptocurrency stealers for six months. This is according to cybersecurity researchers at G Data, who were tipped off about the supply chain attack by a YouTube content creator, Cameron Coward.

Apparently, Coward wanted to review one of Procolored’s printers and, after trying to install the accompanying software from a USB stick, was alerted to the presence of the Floxif worm. He reached out to the company, which dismissed the warning as a false positive. Unsatisfied with the answer, Coward turned to Reddit, where his thread was picked up by G Data’s researchers.

The team found six of the company’s product lines infected with malware: F8, F13, F13 Pro, V6, V11 Pro, and VF13 Pro. They also determined that the last update of the software was made in October 2024, which means the company was deploying malware for at least half a year before being spotted.

Tens of unique variants

In total, the researchers found 39 malware detections in 20 uniquely hashed executables. There were RATs, trojans, clipboard stealers, and cryptocurrency stealers. One of the wallets allegedly belonging to the attackers received almost 10 BTC, which means the attackers raked in almost a million dollars with just one piece of malware.

It was also said that some of the command-and-control (C2) infrastructure had been inactive since early 2024, while the BTC wallet hasn’t been active since March of the same year. This could signal that the threat actors moved on to other things, which could mean the threat isn’t as pronounced today.

Procolored is a leader in the digital textile printing industry, according to Cyberinsider. The company’s hardware is used in small-scale manufacturing and creative industries, the publication claims, adding that its presence “sent ripples” through the tech and maker communities.

As of May 8, all software was removed from Procolored’s website, and an investigation was launched. The company told G Data that its systems were most likely compromised as well.

Via BleepingComputer
