Telegram channel used for attacks
Zscaler experts have found a Telegram channel-based backdoor in the Prynt Stealer info-stealing malware. It lets a threat actor secretly obtain a copy of the information extracted from the targets: a hidden backdoor in the code is carried into every variant and derivative copy of these malware strains.
The backdoor sends copies of victims’ stolen data, gathered by other hackers, to a private Telegram chat monitored by the builder’s developers.
Such an unpleasant surprise is not new in the cybercrime landscape; other malware strains have previously been found to contain a secret backdoor.
What is Prynt Stealer?
Prynt Stealer is an info stealer discovered in April that lets its operators extract credentials from web browsers, FTP/VPN clients, and messaging and gaming apps.
The malware is based on open-source projects, including AsyncRAT and StormKitty, and exfiltrates the data stolen from victims via a Telegram channel.
Prynt Stealer can be purchased on the underground market for $100 for a one-month licence or $900 for a lifetime subscription.
How does the attack work?
Prynt Stealer’s code for sending information to Telegram is taken from StormKitty with only a few trivial changes. The experts add that the info stealer does not use the anti-analysis code from either StormKitty or AsyncRAT.
It creates a thread that runs a function called processChecker to continuously monitor the victim’s process list for analysis tools such as taskmgr, netstat, netmon, and wireshark.
If any of the monitored processes is found, it blocks the Telegram C2 (command and control) communication channels.
Zscaler report says:
“The fact that all Prynt Stealer samples encountered by ThreatLabz had the same embedded telegram channel implies that this backdoor channel was deliberately planted by the author. Interestingly, the Prynt Stealer author is not only charging some clients for the malware, but also receiving all of the data that is stolen.”
Leaked copies used for attack
“Note that there are cracked/leaked copies of Prynt Stealer with the same backdoor, which in turn will benefit the malware author even without direct compensation.”
The experts also noticed leaked/cracked copies of Prynt Stealer that contained the same backdoor, which suggests that the malware author also receives stolen data from these copies.
Experts also found two more versions of the info-stealing malware, named WorldWind and DarkEye, written by the same author.
What is DarkEye?
The experts observed that DarkEye is not advertised or sold openly, but it is bundled as a backdoor with a “free” Prynt Stealer builder. Threat actors use the backdoor together with LodaRat and the DarkEye stealer.
The report concludes:
“the free availability of source code for numerous malware families has made development easier than ever for less sophisticated threat actors. As a result, there have been many new malware families created over the years that are based on popular open-source malware projects like NjRat, AsyncRAT, and QuasarRAT. The Prynt Stealer author went a step further and added a backdoor to steal from their customers by hardcoding a Telegram token and chat ID into the malware.”
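The tell-tale sign the report describes is a sample that carries a second, hardcoded Telegram bot token and chat ID beside the operator’s own. The following Python triage helper is an added example, not code from Zscaler or from the malware: it pulls Telegram Bot API destinations out of a strings dump and flags a sample that reports to more than one token or chat. The tokens and chat IDs below are constructed placeholders.

```python
import re
from urllib.parse import parse_qs

# Telegram Bot API calls embed the bot token in the URL path and usually the
# destination chat in the chat_id query parameter:
#   https://api.telegram.org/bot<token>/sendDocument?chat_id=<id>
# A bot token is a numeric bot id, a colon, then a 35-character secret.
BOT_URL = re.compile(
    r"api\.telegram\.org/bot(?P<token>\d+:[A-Za-z0-9_-]{35})/"
    r"(?P<method>\w+)(?:\?(?P<query>[^\s\"'<>]*))?"
)

def extract_destinations(strings):
    """Return the set of (token, chat_id) pairs found in a strings dump.
    chat_id is None when it is not in the URL (e.g. passed in a POST body)."""
    dests = set()
    for line in strings:
        for m in BOT_URL.finditer(line):
            chat = None
            if m.group("query"):
                chat = parse_qs(m.group("query")).get("chat_id", [None])[0]
            dests.add((m.group("token"), chat))
    return dests

def assess(strings):
    """Flag a sample that exfiltrates to more than one bot or more than one
    chat: the operator's channel plus a hidden, hardcoded one."""
    dests = extract_destinations(strings)
    tokens = {t for t, _ in dests}
    chats = {c for _, c in dests if c is not None}
    return {"tokens": len(tokens), "chats": sorted(chats),
            "flagged": len(tokens) > 1 or len(chats) > 1}

# Constructed strings-dump excerpt; both tokens and chat ids are made up.
OPERATOR_TOKEN = "1234567890:" + "A" * 35   # placeholder, operator-configured
HIDDEN_TOKEN = "9876543210:" + "B" * 35     # placeholder, hardcoded by author
SAMPLE_STRINGS = [
    f"https://api.telegram.org/bot{OPERATOR_TOKEN}/sendDocument?chat_id=111111111&caption=report",
    f"https://api.telegram.org/bot{OPERATOR_TOKEN}/sendMessage?chat_id=111111111",
    "processChecker", "taskmgr", "netstat", "netmon", "wireshark",
    f"https://api.telegram.org/bot{HIDDEN_TOKEN}/sendDocument?chat_id=-100222222222",
]

if __name__ == "__main__":
    print(assess(SAMPLE_STRINGS))  # flagged: two tokens, two chat ids
```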