Warning: This Printer Vendor's Software Contained Malware


If you own a printer from China-based Procolored, be careful: The company's driver files are filled with malware, including a Windows-based backdoor.

Karsten Hahn, a researcher at cybersecurity vendor G Data, reported the findings on Thursday. "A printer company served infected printer software for half a year," he said.

Hahn began investigating after YouTuber Cameron Coward at Serial Hobbyism received a printer from Procolored, a supplier of direct-to-film printers, which can be used to create custom T-shirts. While testing the printer for a review, the built-in Windows Defender antivirus and Google's Chrome browser alerted him to malware threats on his PC.

His computer had been hit with Floxif, a powerful piece of malware that can modify Windows executables and install other malicious code. It can also spread itself through connected USB drives. Coward's PC received the malware alert after he installed software from a ZIP folder on the "USB thumb drive Procolored supplied with the printer."

Although Procolored, a Shenzhen-based company, claimed the malware alerts were false positives, Coward posted a call on Reddit for a third-party security researcher to double-check. Hahn at G Data began investigating and traced the threat to the printer driver files hosted on Procolored's website.

[Image: The Mega.nz site hosting the files. (Credit: Mega.nz/Procolored)]

Surprisingly, Procolored continues to host the printer driver files for six products on a third-party Mega.nz file-sharing account. Hahn's antivirus scan found that 39 of the files triggered two malware detections: one for a cryptocurrency wallet stealer, the other for a Windows backdoor dubbed XRed.


Hahn estimates the malicious driver files have been circulating for half a year because the Mega.nz listing shows that many of the files were last updated about six months ago. His investigation also uncovered evidence that the driver files had originally been tampered with on a system that had been "infected multiple times" with different kinds of malware, which might explain why Hahn's PC encountered the Floxif infection.

Procolored did not immediately respond to a request for comment. But the company told Hahn that it suspects the driver files were tampered with through an infected USB drive. "The software hosted on our website was initially transferred via USB drives. It is possible that a virus was introduced during this process," Procolored said.

"As a precaution, all software has been temporarily removed from the Procolored official website," the company added. "We are conducting a comprehensive malware scan of every file. Only after passing stringent virus and security checks will the software be re-uploaded. This is a top priority for us, and we are taking it very seriously."


The statement also notes that Procolored plans to disclose the incident to customers and update its website "once all software has been thoroughly reviewed and confirmed safe." Hahn says he has received copies of the new driver files and reports that they appear to be clean.

Some might speculate that Procolored deliberately planted the malware. But in his blog post, Hahn wrote that "a far more plausible explanation points to the absence or failure of antivirus scanning on the systems used to compile and distribute the software packages." That's because the command-and-control server for the XRed backdoor appears to have been offline since February 2024, reducing the threat's severity.

In the meantime, Hahn recommends that affected users consider reinstalling the Windows OS to fully wipe out the threat. "It's possible that some users have dismissed antivirus warnings, assuming the files were safe. This could have allowed the malware to remain undetected," he said.

About Michael Kan, Senior Reporter

I've been working as a journalist for over 15 years—I got my start as a schools and cities reporter in Kansas City and joined PCMag in 2017.
