When a YouTuber discovered malware infections in software for Procolored UV printers, an investigation revealed multiple malware threats embedded in official software downloads, including the XRed backdoor and a file-infector virus called SnipVex. The compromised software could spread infections through removable drives and network shares, affecting systems installing or using these printer drivers and utilities. #Procolored #XRed #SnipVex
Keypoints
- The official Procolored printer software downloads for six products hosted on mega.nz contained malicious files detected as Win32.Backdoor.XRedRAT.A and MSIL.Trojan-Stealer.CoinStealer.H (SnipVex virus).
- XRed backdoor capabilities include keylogging, file downloads, screenshots, remote shell execution, and file deletion, but its command-and-control server has been offline since February 2024.
- SnipVex is a .NET-based clipbanker virus that infects executable files by prepending itself and replacing Bitcoin addresses copied to the clipboard with the attacker’s address.
- A superinfection was observed: the originally clean PrintExp.exe was found infected by both the XRed backdoor and the SnipVex virus in the same file.
- The infection likely originated from USB drives or developer systems lacking adequate antivirus protection, causing the malware to spread within Procolored’s software releases.
- Procolored initially denied the infection but later removed the downloads, started internal malware scans, and committed to re-uploading only verified clean software.
- Users are advised to check antivirus exclusions and consider reformatting infected systems, as file infector viruses like SnipVex cause irreversible damage to executable files.
MITRE Techniques
- [T1059] Command and Scripting Interpreter – XRed backdoor provides a cmd.exe shell for executing commands remotely (“…provides a cmd.exe shell if requested…”).
- [T1083] File and Directory Discovery – XRed allows listing directory or drive contents to explore the compromised system (“…can delete files and list directory or drive contents”).
- [T1056] Input Capture – XRed performs keylogging to capture user input (“…features keylogging…”).
- [T1119] Automated Collection – SnipVex monitors changes to .exe files on all logical drives to infect new hosts (“…monitors for any changes in files with .exe extension on all logical drives…”).
- [T1222] File and Directory Permissions Modification – SnipVex infects executables by prepending its body and adding markers to files (“…prepends itself to PrintExp.exe; applies infection marker sequence 0x0A 0x0B 0x0C…”).
- [T1082] System Information Discovery – XRed backdoor enumerates system information as part of its capabilities (“…available C2 commands include information gathering functions…”).
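As an added triage example (not code from the report or from G DATA), the following Python checks an executable for the three signs a defender can act on from this summary: a SHA-256 match against the two hashes quoted here, the 0x0A 0x0B 0x0C infection marker (assumed here to sit at the very end of an infected file), and a second embedded PE header, which is what a prepending file infector leaves behind. The sample blobs are constructed stand-ins, not real malware.

```python
import hashlib

# SHA-256 values quoted in this summary's indicators section.
KNOWN_BAD_SHA256 = {
    "531d08606455898408672d88513b8a1ac284fdf1fe011019770801b7b46d5434": "XRed backdoor",
    "39df537aaefb0aa31019d053a61fabf93ba5f8f3934ad0d543cde6db1e8b35d1": "SnipVex virus",
}
# Marker sequence quoted in the summary. Assumption: the infector writes it at end of file.
INFECTION_MARKER = b"\x0a\x0b\x0c"

def sha256_of(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def embedded_mz_offsets(data: bytes) -> list[int]:
    """Offsets of every 'MZ' header whose e_lfanew field points at a 'PE\\0\\0' signature.
    A prepending infector leaves the original host as a second PE after its own body."""
    offsets = []
    pos = data.find(b"MZ")
    while pos != -1:
        if pos + 0x40 <= len(data):
            e_lfanew = int.from_bytes(data[pos + 0x3C:pos + 0x40], "little")
            if 0 < e_lfanew < len(data) and data[pos + e_lfanew:pos + e_lfanew + 4] == b"PE\0\0":
                offsets.append(pos)
        pos = data.find(b"MZ", pos + 1)
    return offsets

def assess_executable(data: bytes) -> dict:
    """Collect the three indicators for one file image."""
    return {
        "known_sample": KNOWN_BAD_SHA256.get(sha256_of(data)),
        "has_marker": data.endswith(INFECTION_MARKER),
        "pe_headers": embedded_mz_offsets(data),
    }

def is_suspect(data: bytes) -> bool:
    r = assess_executable(data)
    return r["known_sample"] is not None or r["has_marker"] or len(r["pe_headers"]) > 1

def fake_pe(payload: bytes) -> bytes:
    """Constructed minimal PE-like blob: 'MZ' stub, e_lfanew = 0x40, 'PE\\0\\0', then payload."""
    hdr = bytearray(b"MZ" + b"\0" * 0x3E)
    hdr[0x3C:0x40] = (0x40).to_bytes(4, "little")
    return bytes(hdr) + b"PE\0\0" + payload

CLEAN_SAMPLE = fake_pe(b"host program body")                                    # constructed
INFECTED_SAMPLE = fake_pe(b"viral body") + CLEAN_SAMPLE + INFECTION_MARKER      # constructed

if __name__ == "__main__":
    for name, blob in (("clean", CLEAN_SAMPLE), ("infected", INFECTED_SAMPLE)):
        print(name, assess_executable(blob), "SUSPECT" if is_suspect(blob) else "ok")
```

Because a prepending infector keeps the host intact after its own body, the second header offset also tells you where the original program starts, which is useful for confirming the infection on a copy before deciding to reformat.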
Indicators of Compromise
- [File Hashes] Malware samples in Procolored software packages – XRed backdoor: 531d08606455898408672d88513b8a1ac284fdf1fe011019770801b7b46d5434; SnipVex virus: 39df537aaefb0aa31019d053a61fabf93ba5f8f3934ad0d543cde6db1e8b35d1.
- [BTC Address] Cryptocurrency wallet for SnipVex attacker – 1BQZKqdp2CV3QV5nUEsqSg1ygegLmqRygj, linked to approx. 9.3 BTC received.
- [Registry Keys] Persistence mechanisms for SnipVex – HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\ScdBcd and HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\ClpBtcn.
- [File Paths] Infected executable and support files – Dibifu9\vshost32.exe, Dibifu9\IconExtractor.dll, Zgokr00.exe found in infected software repos.
- [URLs] Download links for infected software on mega.nz – e.g., hxxps://mega[.]nz/folder/TNAWTDKL#zR5Atn68a807Qn17FjXFxA and multiple others hosting infected sets.
Read more: https://www.gdatasoftware.com/blog/2025/05/38200-printer-infected-software-downloads