Zscaler researchers discovered a Telegram channel-based backdoor in the information-stealing malware Prynt Stealer that secretly sends a copy of the data exfiltrated from victims to the malware's author.
“Zscaler ThreatLabz researchers have uncovered that the Prynt Stealer builder, also attributed with WorldWind and DarkEye, has a secret backdoor in the code that ends up in every derivative copy and variant of these malware families,” reads the analysis published by Zscaler. “The backdoor sends copies of victims’ exfiltrated data gathered by other threat actors to a private Telegram chat monitored by the builder’s developers.”
This ugly surprise is not a novelty in the cybercrime landscape; in the past, other malware has been found to contain a secret backdoor.
Prynt Stealer is an information stealer that was first discovered in April. It allows its operators to harvest credentials from web browsers, VPN/FTP clients, as well as messaging and gaming applications.
Prynt Stealer is available for sale in the underground market for $100 for a one-month license and $900 for a lifetime subscription.
Prynt Stealer borrows the code responsible for sending information to Telegram from StormKitty with a few minor changes.
The experts pointed out that the info stealer does not use the anti-analysis code from either AsyncRAT or StormKitty. Instead, it creates a thread that invokes a function named processChecker to continuously monitor the victim’s process list for processes such as taskmgr, netmon, netstat, and wireshark. If one of the monitored processes is detected, it blocks the Telegram command-and-control communication channels.
“The fact that all Prynt Stealer samples encountered by ThreatLabz had the same embedded Telegram channel implies that this backdoor channel was deliberately planted by the author. Interestingly, the Prynt Stealer author is not only charging some clients for the malware, but also receiving all of the data that is stolen,” continues the analysis. “Note that there are cracked/leaked copies of Prynt Stealer with the same backdoor, which in turn will benefit the malware author even without direct compensation.”
The researchers also spotted cracked/leaked copies of Prynt Stealer that contained the same backdoor, which means the malware author was able to obtain stolen data from these copies as well.
Researchers discovered at least two more variants of the info-stealing malware, dubbed WorldWind and DarkEye, that were written by the same author. The experts noticed that DarkEye is not sold or mentioned publicly; however, it is bundled as a backdoor with a “free” Prynt Stealer builder.
The builder is backdoored with DarkEye Stealer and Loda RAT.
“The free availability of source code for numerous malware families has made development easier than ever for less sophisticated threat actors. As a result, there have been many new malware families created over the years that are based on popular open source malware projects like NjRat, AsyncRAT and QuasarRAT. The Prynt Stealer author went a step further and added a backdoor to steal from their customers by hardcoding a Telegram token and chat ID into the malware,” concludes the report.
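The two observations above, a hardcoded Telegram token and chat ID in each sample, and the same channel appearing in every sample regardless of who built it, translate directly into a triage check an analyst can run over string dumps. The script below is an added example written for this article; it is not code from the Zscaler report or from any of the malware families it describes. It assumes the documented Telegram bot token layout (numeric bot ID, a colon, then a 35-character secret), and the string dumps it scans are constructed stand-ins, not real indicators. A single sample carrying two distinct tokens has two exfiltration destinations; a token shared by every build from different buyers was baked into the builder rather than entered by an operator.

```python
import re

# Telegram Bot API token: numeric bot id, colon, 35-character secret.
# The charset/length is an assumption about the public token format,
# not a value taken from the report.
TOKEN_RE = re.compile(r"(?<![\w-])(\d{8,10}:[\w-]{35})(?![\w-])")
# chat_id as it appears in a Bot API query string (group chats are negative).
CHAT_ID_RE = re.compile(r"chat_id=(-?\d{6,14})")


def extract_channels(strings):
    """Collect distinct bot tokens and chat IDs from one sample's string dump."""
    tokens, chat_ids = set(), set()
    for s in strings:
        tokens.update(TOKEN_RE.findall(s))
        chat_ids.update(CHAT_ID_RE.findall(s))
    return sorted(tokens), sorted(chat_ids)


def assess_sample(strings):
    """Classify one sample by how many Telegram destinations it embeds."""
    tokens, _ = extract_channels(strings)
    if not tokens:
        return "no-telegram"
    if len(tokens) > 1:
        # Two tokens in one stealer build: the operator's channel plus a
        # second one the operator did not configure.
        return "multiple-channels"
    return "single-channel"


def channels_shared_by_all(samples):
    """Tokens present in every sample of a family.

    Each buyer sets their own token in the builder, so a token common to
    all builds was placed there by the builder itself."""
    token_sets = [set(extract_channels(s)[0]) for s in samples.values()]
    if not token_sets:
        return []
    return sorted(set.intersection(*token_sets))


# Constructed string dumps standing in for `strings` output of three builds.
HIDDEN = "1000000001:" + "H" * 35   # constructed: channel embedded by the builder
OP_A = "2000000002:" + "A" * 35     # constructed: buyer A's own channel
OP_B = "3000000003:" + "B" * 35     # constructed: buyer B's own channel
OP_C = "4000000004:" + "C" * 35     # constructed: cracked-copy user's channel
URL_FMT = "https://api.telegram.org/bot{0}/sendDocument"

SAMPLES = {
    "build_a.exe": [URL_FMT, OP_A, "chat_id=123456789",
                    HIDDEN, "chat_id=-1009999999999",
                    "processChecker", "taskmgr", "wireshark"],
    "build_b.exe": [URL_FMT, OP_B, "chat_id=987654321",
                    HIDDEN, "chat_id=-1009999999999",
                    "processChecker", "netstat"],
    "cracked_copy.exe": [URL_FMT, OP_C, "chat_id=555555555",
                         HIDDEN, "chat_id=-1009999999999"],
}

if __name__ == "__main__":
    for name, strings in SAMPLES.items():
        print(name, assess_sample(strings), extract_channels(strings)[1])
    print("shared by all builds:", channels_shared_by_all(SAMPLES))
```

The shared-token check is the stronger signal: one build with two tokens could be a buyer who configured a second channel, but a token that survives across independent builds, including cracked copies, can only come from the builder. The output of `channels_shared_by_all` is also what you would hand to the team that blocks or reports the channel.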
(SecurityAffairs – hacking, backdoor)