    Printer maker Procolored offered malware-laced drivers for months

    May 17, 2025

    For at least half a year, the official software supplied with Procolored printers included malware in the form of a remote access trojan and a cryptocurrency stealer.

    Procolored is a digital printing solutions provider making Direct-to-Film (DTF), UV DTF, UV, and Direct-to-Garment (DTG) printers. It is particularly known for affordable and efficient fabric printing solutions.

    The Shenzhen-based company has grown quickly since it started in 2018, and is now selling its products in over 31 countries, with a significant operational presence in the United States.

    Cameron Coward, a YouTuber known as Serial Hobbyism, discovered the malware when his security solution warned of the presence of the Floxif USB worm on his computer when installing the companion software and drivers for a $7,000 Procolored UV printer.

    According to an analysis conducted by researchers at cybersecurity company G Data, Procolored’s official software packages delivered the malware for at least six months.

    Discovering RATs and coin stealers

    After getting the threat alerts on his machine, Coward contacted Procolored, who denied shipping malware in their software, pointing to the security solution generating false positives.

    “If I try to download the files from their website or unzip the files on the USB drive they gave me, my computer immediately quarantines them,” the YouTuber said.

    Perplexed by the situation, the YouTuber turned to Reddit for help with malware analysis before he could confidently make allegations in his review of the Procolored V11 Pro product.

    G Data researcher Karsten Hahn offered to investigate, finding that at least six printer models (F8, F13, F13 Pro, V6, V11 Pro, and VF13 Pro) had accompanying software hosted on the Mega file sharing platform that contained malware.

    Procolored uses the Mega service to host the software resources for its printers, and offers a direct link to them from the support section of the official website.

    Files hosted on Mega.nz
    Source: G Data

    The analyst found 39 files infected with:

    • XRedRAT – Known malware previously analyzed by eSentire. Its capabilities include keylogging, screenshot capturing, remote shell access, and file manipulation. Hardcoded C2 URLs matched older samples.
    • SnipVex – A previously undocumented clipper malware that infects .EXE files, attaches to them, and replaces clipboard BTC addresses. Detected in multiple download files. Likely infected Procolored developer systems or build machines.

    Since the files were last updated in October 2024, it can be assumed that the malware was shipped with Procolored software for at least six months.

    SnipVex infection routine
    Source: G Data

    Hahn says the address SnipVex uses to offload stolen cryptocurrency has received about 9.308 BTC, which is worth nearly $1 million at today’s exchange rate.

    Despite Procolored’s initial denial, the software packages were taken down on May 8 and an internal investigation was launched.

    When G Data asked the printer vendor for an explanation, Procolored admitted that they had uploaded the files to Mega.nz using a USB drive that could have been infected by Floxif.

    “As a precaution, all software has been temporarily removed from the Procolored official website,” explained Procolored to G Data.

    “We are conducting a comprehensive malware scan of every file. Only after passing stringent virus and security checks will the software be re-uploaded.”

    G Data received the clean software packages and confirmed they’re safe to use.

    Procolored customers are recommended to replace the old software with the new versions and to perform a system scan to remove XRedRAT and SnipVex.

    Given that SnipVex performs binary alterations, a deeper cleaning of the system is recommended to ensure all files are clean.
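
    One way to check for the binary alterations mentioned above is to compare installed executables against a copy of the clean packages. The following is an added example, not code from the article or from G Data; the directory layout and file names (`PrintTool.exe`, `Setup.exe`, `helper.exe`) are hypothetical, and the sample trees are constructed in a temporary directory.

```python
import hashlib
import tempfile
from pathlib import Path

def sha256_of(path: Path) -> str:
    """Hash in chunks so large installers are not read into memory at once."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()

def exe_files(root: Path) -> dict:
    """Map lower-cased relative path -> Path for every .exe under root."""
    return {p.relative_to(root).as_posix().lower(): p
            for p in root.rglob("*") if p.is_file() and p.suffix.lower() == ".exe"}

def build_baseline(clean_root: Path) -> dict:
    """Record (sha256, size) for each executable in a known-clean package."""
    return {rel: (sha256_of(p), p.stat().st_size)
            for rel, p in exe_files(clean_root).items()}

def audit(installed_root: Path, baseline: dict) -> dict:
    """Flag executables that differ from, or are absent from, the baseline."""
    report = {"modified": [], "unknown": []}
    for rel, p in sorted(exe_files(installed_root).items()):
        if rel not in baseline:
            report["unknown"].append(rel)
        elif sha256_of(p) != baseline[rel][0]:
            # Record size change: code attached to a file makes it grow.
            report["modified"].append((rel, p.stat().st_size - baseline[rel][1]))
    return report

def demo() -> dict:
    """Constructed data: temp trees stand in for clean and installed copies."""
    with tempfile.TemporaryDirectory() as tmp:
        clean, inst = Path(tmp, "clean"), Path(tmp, "installed")
        for root in (clean, inst):
            (root / "bin").mkdir(parents=True)
            (root / "bin" / "PrintTool.exe").write_bytes(b"MZ" + b"\x00" * 64)
            (root / "Setup.exe").write_bytes(b"MZ" + b"\x01" * 32)
        # Simulate an altered binary by prepending 100 bytes to one file.
        tool = inst / "bin" / "PrintTool.exe"
        tool.write_bytes(b"X" * 100 + tool.read_bytes())
        (inst / "helper.exe").write_bytes(b"MZ")
        return audit(inst, build_baseline(clean))

if __name__ == "__main__":
    print(demo())
```

    A baseline only covers the executables in the package it was built from, so files elsewhere on the system still need the full scan the article recommends.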

    BleepingComputer has contacted Procolored for a comment on the situation and whether they informed their customers of the risk, but we have yet to receive a response.
