Zscaler ThreatLabz reveals that Prynt Stealer’s builder contains a secret backdoor that exfiltrates victims’ data to a private Telegram chat watched by the builder’s developers, and that Prynt Stealer, WorldWind, and DarkEye are nearly identical variants. Because the backdoor relays stolen data over Telegram to a second party, multiple threat actors end up with access to the same victim data, increasing the likelihood of large-scale future attacks. Hashtags: #PryntStealer #WorldWind #DarkEye #AsyncRAT #StormKitty #LodaRAT #Telegram
Keypoints
- Prynt Stealer is a .NET information stealer whose code derives from open-source projects AsyncRAT and StormKitty.
- The malware embeds a backdoor that sends copies of exfiltrated data to a private Telegram chat monitored by the builder’s developers.
- Two other threat families, WorldWind and DarkEye, are near-identical to Prynt Stealer, sharing much of the same codebase.
- The infection chain includes a builder and loader that ultimately deliver DarkEye Stealer; Telegram tokens and chats are used for data collection.
- Prynt Stealer includes anti-detection logic that monitors processes and can block Telegram C2 when security tools are detected.
- The malware uses Telegram for data exfiltration and command distribution via a dedicated Telegram channel and getUpdates API.
- There is notable distribution activity, including free/cracked copies and a backdoored builder that can harvest and relay logs to multiple actors.
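Added example (not code from the ThreatLabz report or from the malware): a small log-side detector for the Telegram Bot API traffic pattern described above. It assumes constructed proxy log lines of the form `src_ip method url`; the tokens and chat IDs in the sample are made up. A host that both polls getUpdates and uploads to more than one bot token or chat_id matches the shape of the backdoored builder, where the operator's channel and the developers' hidden copy both receive the logs.

```python
import re
from collections import defaultdict

# Matches the Telegram Bot API URL shape used for exfiltration and command polling:
# https://api.telegram.org/bot<token>/<method>[?...chat_id=<id>...]
TELEGRAM_API_RE = re.compile(
    r"api\.telegram\.org/bot(?P<token>\d+:[A-Za-z0-9_-]{30,50})/(?P<method>[A-Za-z]+)"
    r"(?:\?[^ ]*?chat_id=(?P<chat_id>-?\d+))?"
)

# Upload methods carry stolen data; getUpdates is the command-polling side.
EXFIL_METHODS = {"sendDocument", "sendMessage", "sendPhoto"}
POLL_METHODS = {"getUpdates"}

# Constructed proxy log lines (src_ip method url); tokens/chat IDs are fake.
SAMPLE_LOGS = """\
10.0.0.5 POST https://api.telegram.org/bot111111111:AAEexampletoken_0000000000000000001/sendDocument?chat_id=2000000001
10.0.0.5 GET https://api.telegram.org/bot111111111:AAEexampletoken_0000000000000000001/getUpdates
10.0.0.5 POST https://api.telegram.org/bot222222222:AAEexampletoken_0000000000000000002/sendDocument?chat_id=2000000002
10.0.0.9 GET https://api.telegram.org/bot333333333:AAEexampletoken_0000000000000000003/getMe
"""


def analyze_telegram_traffic(log_text: str) -> dict:
    """Summarise per-host Telegram Bot API use and flag the dual-exfil pattern."""
    hosts = defaultdict(lambda: {"tokens": set(), "chat_ids": set(),
                                 "polls_updates": False, "exfil_calls": 0})
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 3:
            continue
        src, _, url = parts[0], parts[1], parts[2]
        m = TELEGRAM_API_RE.search(url)
        if not m:
            continue
        info = hosts[src]
        info["tokens"].add(m.group("token"))
        if m.group("method") in POLL_METHODS:
            info["polls_updates"] = True
        if m.group("method") in EXFIL_METHODS:
            info["exfil_calls"] += 1
            if m.group("chat_id"):
                info["chat_ids"].add(m.group("chat_id"))
    for info in hosts.values():
        # One host uploading to two bots/chats is the backdoored-builder signature.
        info["multi_destination"] = len(info["tokens"]) > 1 or len(info["chat_ids"]) > 1
        # Polling for commands plus uploads is the C2-like behaviour to alert on.
        info["c2_like"] = info["polls_updates"] and info["exfil_calls"] > 0
    return dict(hosts)
```

Run it over real proxy or EDR network logs by replacing `SAMPLE_LOGS`; hosts with `multi_destination` set are the ones worth pulling the binary from.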
MITRE Techniques
- [T1041] Exfiltration Over C2 Channel – The backdoor sends copies of victims’ exfiltrated data gathered by other threat actors to a private Telegram chat monitored by the builder’s developers. [‘The backdoor sends copies of victims’ exfiltrated data gathered by other threat actors to a private Telegram chat monitored by the builder’s developers.’]
- [T1071.001] Web Protocols – Prynt Stealer uses Telegram to exfiltrate data that is stolen from victims. [‘Prynt Stealer uses Telegram to exfiltrate data that is stolen from victims.’]
- [T1105] Ingress Tool Transfer – The Prynt Stealer loader downloads the payload from a hardcoded URL and executes it. [‘The downloaded payload is DarkEye Stealer, a variant of Prynt Stealer.’]
- [T1053] Windows Task Scheduling – Persist using task creation (e.g., “Chrome Update”). [‘Persist using task creation (e.g., “Chrome Update”).’]
- [T1107] File Deletion – Self delete using a .bat file. [‘Self delete using a .bat file.’]
- [T1562.001] Impair Defenses – The malware creates a processChecker thread to monitor the victim’s process list and blocks Telegram C2 when tools are detected. [‘Prynt Stealer creates a thread that will monitor the victim’s process list. If any of the following processes are detected, the malware will block the Telegram C&C communication channels.’]
- [T1555.003] Credentials In Files – The stolen information includes credentials stored on the compromised system by web browsers, VPN/FTP clients, and messaging and gaming applications. [‘Stealing information is fundamental to cybercriminals today to scope and gain access to systems… capture credentials that are stored on a compromised system including web browsers, VPN/FTP clients, as well as messaging and gaming applications.’]
Indicators of Compromise
- [SHA256] Prynt Stealer IOCs – d8469e32afc3499a04f9bcb0ca34fde63140c3b872c41e898f4e31f2a7c1f61f, f15e92c34dd8adfcd471d726e88292d6698217f05f1d2bcce8193eb2536f817c, and 8 more hashes
- [Telegram Token] – 1119746739:AAGMhvpUjXI4CzIfizRC–VXilxnkJlhaf8, 1784055443:AAG-bXLYtnFpjJ_L3ogxA3bq6Mx09cqh8ug
- [Telegram Chat ID] – 1096425866, 1937717367
- [URL] – https://cdn.discordapp.com/attachments/523238636561629190/890007970207907871/vltn.exe, bigdaddy-service.biz:6606, and 2 more URLs