Chinese printer manufacturer Procolored distributed Bitcoin-stealing malware alongside its official drivers, according to local media reports.
Chinese news outlet Landian News reported on May 19 that Shenzhen-based printer company Procolored has been distributing Bitcoin-stealing (BTC) malware alongside official drivers. The company reportedly used USB drivers to distribute malware-ridden drivers and uploaded the compromised software to cloud storage for global download.
A total of 9.3 BTC worth over $953,000 have been stolen, according to the report. Crypto tracking and compliance firm Slow Mist described how the malware operates in a May 19 X post:
“The official driver provided by this printer carries a backdoor program. It will hijack the wallet address in the user’s clipboard and replace it with the attacker’s address.“
Related: Massive supply chain attack targeting small number of crypto companies: Kaspersky
YouTuber flags malware in Procolored drivers
Landian News recommended users who downloaded Procolored printer drivers in the past six months to “immediately perform a full system scan using antivirus software.” Still, given the hit or miss nature of antivirus software, a full system reset is always the better option when in doubt:
“Ideally, you should reinstall your operating system and thoroughly check old files.“
The issue was allegedly first reported by YouTuber Cameron Coward, whose antivirus software detected malware in the drivers while testing a Procolored UV printer. The software flagged the drive as containing a worm and a trojan virus named Foxif.
Related: Coinbase faces $400M bill after insider phishing attack
Cybersecurity company confirms crypto-stealing malware
When contacted, Procolored denied the claims and dismissed the antivirus tool flagging the drivers as a false positive. Coward turned to Reddit, where he shared the issue with cybersecurity professionals, attracting the attention of cybersecurity firm G-Data.
G-Data’s investigation found that most of Procolored’s drivers were hosted on the file hosting service MEGA, with uploads as old as October 2023. Analysis of those files confirmed that they were compromised by two distinct pieces of malware: backdoor Win32.Backdoor.XRedRAT.A and a crypto stealer designed to substitute addresses in the clipboard with those controlled by the attacker.
G-Data contacted Procolored, with the hardware producer saying it deleted the infected drivers from its storage on May 8 and re-scanned all files. Procolored attributed the malware to a supply chain compromise, stating that the malicious files were introduced through infected USB devices before being uploaded online.
Related: Crypto drainers as a service: What you need to know
