New Printer Discovered to Contain Bitcoin-Stealing Malware: Key Insights for Tech Users

Printer Brand Procolored Accidentally Distributed Malware with Software

Recently, the printer manufacturer Procolored has made headlines due to a significant cybersecurity oversight. For approximately six months, the company inadvertently bundled malware with its official software suite, raising serious concerns about customer safety and product integrity.

Overview of Procolored’s Market Position

Procolored is well established in UV printing, direct-to-garment (DTG) and direct-to-film (DTF) printing. Its printers, which can cost several thousand dollars, are aimed mainly at small business owners who want to print merchandise such as shirts, stickers and other custom goods quickly and at volume.

Emergence of Malware Reports

Reports regarding infected drivers from Procolored began surfacing in online communities, particularly on Reddit, earlier this year. However, the situation gained more visibility on May 13th, when YouTuber Cameron Coward, known for his channel Serial Hobbyism, published a review of a $7,000 Procolored printer on Hackster.io. During his testing, Coward encountered warnings from Windows Defender while attempting to download the necessary software. One of the packages was flagged for containing the Floxif virus, and another was identified as harboring a worm.

Investigation and Findings

Upon receiving these alerts, Coward sought clarification from Procolored’s support team, only to be informed that Windows Defender had generated a false positive. To further investigate, Coward partnered with third-party analysts, including Karsten Hahn, the Principal Malware Researcher at G DATA CyberDefense. Their findings revealed that 39 files available through Procolored’s Mega file distribution page were infected with two types of malware: XRedRAT and SnipVex.

Understanding the Malware

XRedRAT is a remote access trojan (RAT): once installed it can take screenshots, log keystrokes and read or write the file system on behalf of a remote operator. In this case that capability is moot. The variant shipped by Procolored reports to a command-and-control server that has been offline since February 2024, before the infected packages were distributed, so the implant cannot receive commands. It still should not be left on a machine.

SnipVex is a more recently identified sample of a class known as clipper malware. A clipper watches the clipboard and, when the copied text looks like a cryptocurrency address, silently replaces it with an address the attacker controls; a user who copies a recipient address and pastes it into a wallet then sends the funds to the attacker without noticing, because the transaction itself is perfectly valid. The Bitcoin address used by SnipVex has reportedly received around 9.30 BTC, valued at approximately $100,000 according to the report, although the last transaction to it was recorded on March 3rd, 2024.
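The mechanism described above, as an added example that is not code from the article, from G DATA or from Procolored: a function that imitates the clipper's substitution step (swap any valid Bitcoin address in the clipboard for the attacker's), and the check a defender can run against it (the address the user selected must still be the address in the clipboard at paste time). Both legacy base58check and bech32/bech32m checksums are validated so the clipper only fires on real addresses, which goes slightly beyond the article's description. The two addresses are public, well-known example addresses chosen here as stand-ins; the real SnipVex address is deliberately not reproduced.

```python
"""Simulated clipper substitution plus a copy-versus-paste consistency check.

Added example for this article; not code from the article, G DATA or Procolored.
The substitution step imitates what the article says SnipVex does: a Bitcoin
address in the clipboard is swapped for an attacker's address. The two addresses
below are public example addresses standing in for "intended recipient" and
"attacker's wallet"; the real SnipVex address is not reproduced here.
"""
import hashlib
import re

B58_ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
BECH32_CHARSET = "qpzry9x8gf2tvdw0s3jn54khce6mua7l"

# Candidate-address pattern of the kind a clipper scans text with: legacy
# base58 addresses (1... / 3...) and lowercase bech32/bech32m (bc1...).
ADDRESS_RE = re.compile(
    r"\b(?:bc1[02-9ac-hj-np-z]{8,87}|[13][A-HJ-NP-Za-km-z1-9]{25,34})\b"
)

# Stand-in addresses (constructed choice for the example, not from the article).
VICTIM_ADDR = "1BvBMSEYstWetqTFn5Au4m4GFg7xJaNVN2"            # intended recipient
ATTACKER_ADDR = "bc1qw508d6qejxtdg4y5r3zarvary0c5xw7kv8f3t4"  # BIP173 test vector


def base58check_valid(addr: str) -> bool:
    """Decode base58check and verify the 4-byte double-SHA256 checksum."""
    n = 0
    for ch in addr:
        idx = B58_ALPHABET.find(ch)
        if idx < 0:
            return False
        n = n * 58 + idx
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    # Each leading '1' encodes a 0x00 byte that the integer form drops.
    raw = b"\x00" * (len(addr) - len(addr.lstrip("1"))) + raw
    if len(raw) < 5:
        return False
    payload, checksum = raw[:-4], raw[-4:]
    return hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4] == checksum


def bech32_valid(addr: str) -> bool:
    """Verify a BIP173/BIP350 checksum (bech32 for witness v0, bech32m for v1+)."""
    if addr != addr.lower() and addr != addr.upper():
        return False  # mixed case is forbidden by BIP173
    addr = addr.lower()
    if "1" not in addr:
        return False
    hrp, data_part = addr.rsplit("1", 1)
    if not hrp or len(data_part) < 7 or any(c not in BECH32_CHARSET for c in data_part):
        return False
    data = [BECH32_CHARSET.index(c) for c in data_part]
    values = [ord(c) >> 5 for c in hrp] + [0] + [ord(c) & 31 for c in hrp] + data
    gen = (0x3B6A57B2, 0x26508E6D, 0x1EA119FA, 0x3D4233DD, 0x2A1462B3)
    chk = 1
    for v in values:
        top = chk >> 25
        chk = ((chk & 0x1FFFFFF) << 5) ^ v
        for i in range(5):
            if (top >> i) & 1:
                chk ^= gen[i]
    expected = 1 if data[0] == 0 else 0x2BC830A3  # witness v0 -> bech32, else bech32m
    return chk == expected


def is_btc_address(s: str) -> bool:
    """Shape check via the regex, then the format's own checksum."""
    if not ADDRESS_RE.fullmatch(s):
        return False
    return bech32_valid(s) if s.startswith("bc1") else base58check_valid(s)


def clipper_substitute(clipboard: str, attacker_addr: str = ATTACKER_ADDR) -> str:
    """What a clipper does to the clipboard: every valid Bitcoin address becomes the attacker's."""
    return ADDRESS_RE.sub(
        lambda m: attacker_addr if is_btc_address(m.group(0)) else m.group(0),
        clipboard,
    )


def clipboard_was_swapped(copied: str, clipboard: str) -> bool:
    """Defender-side check: the addresses in the text the user selected must still be
    the addresses in the clipboard at paste time."""
    before = [a for a in ADDRESS_RE.findall(copied) if is_btc_address(a)]
    after = [a for a in ADDRESS_RE.findall(clipboard) if is_btc_address(a)]
    return bool(before) and before != after


def simulate_copy_paste(copied: str, attacker_addr: str = ATTACKER_ADDR):
    """Run the clipper over one copy action; return (clipboard contents, swap detected)."""
    clipboard = clipper_substitute(copied, attacker_addr)
    return clipboard, clipboard_was_swapped(copied, clipboard)


if __name__ == "__main__":
    pasted, swapped = simulate_copy_paste(f"Pay 0.5 BTC to {VICTIM_ADDR}")
    print("clipboard at paste time:", pasted)
    print("swap detected:", swapped)
```

The practical lesson is the one in `clipboard_was_swapped`: a clipper does not need to touch the wallet or the network, so the only reliable user-side defence is to compare the address actually pasted with the one that was meant to be sent to, character by character, before signing. The regex only matches lowercase bech32 strings; a real clipper casts a wider net.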

Floxif, which Windows Defender flagged on Coward's machine, was found in the software on the USB stick that shipped with his printer, not in the files on Procolored's downloads page. The USB and download builds were therefore probably different executables.

Implications and Company Response

According to Hahn, the presence of both XRedRAT and Floxif points to severely lacking security practices at Procolored. The most likely explanation is that the official packages were built or uploaded from an already-infected machine; file infectors such as Floxif spread by writing themselves into every executable they can reach, so a dirty build host contaminates everything it produces. There is no indication of deliberate action on Procolored's part (a company planting malware on purpose would hardly pick a RAT whose server had already been taken down), but the episode raises serious questions about how the company builds and publishes its software.

On May 8th, Procolored removed its downloads page and launched an internal investigation. They have since acknowledged the unintentional distribution of malware, attributing the issue to possible viral contamination during the transfer process of software via USB drives. The downloads page was restored a few days later, and third-party analysts have confirmed that their software packages are now devoid of malicious content.

Moving Forward

Despite the remediation, customer confidence in Procolored remains shaky. The incident shows a failure to guard against basic threats that left customers exposed for nearly half a year. Coward's review also noted that each time he contacted Procolored support for help he was urged to grant remote access to his system, a troubling request from a vendor whose software had already been flagged as malicious.

Procolored customers, particularly those who bought devices after November 2024, should review their antivirus settings. If exclusions exist for components such as Visual C++ or PrintExp, whether added on the vendor's instructions or by the installer, treat the machine as potentially infected: remove the exclusions, then run a full scan.
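The exclusion check described above, as an added example (not code from the article or from G DATA): it enumerates the Windows Defender exclusion lists stored in the registry and flags entries that match the article's indicators. The registry key paths are the documented locations of Defender exclusions; the indicator strings come from the article (Visual C++, PrintExp) plus the vendor name, which is an assumption added here. Reading the keys normally requires an elevated prompt, and Tamper Protection may block it.

```python
"""Enumerate Windows Defender exclusions and flag entries matching the article's indicators.

Added example for this article, not code from the article or from G DATA. The
registry keys are the documented homes of Defender exclusions; the indicator
strings are taken from the article (Visual C++, PrintExp) plus the vendor name,
which is an assumption. Reading these keys usually needs an elevated prompt.
"""
import sys

EXCLUSION_KEYS = (
    r"SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths",
    r"SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes",
    r"SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths",
    r"SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Processes",
)
INDICATORS = ("printexp", "visual c++", "procolored")  # last one is an assumption


def suspicious_exclusions(entries):
    """Return the exclusion entries whose name contains an indicator, case-insensitively."""
    return [e for e in entries if any(i in e.lower() for i in INDICATORS)]


def read_defender_exclusions():
    """Collect exclusion value names from the registry (Windows only; [] elsewhere)."""
    if sys.platform != "win32":
        return []
    import winreg  # Windows-only module, imported lazily
    found = []
    for subkey in EXCLUSION_KEYS:
        try:
            key = winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, subkey)
        except OSError:
            continue  # key absent, or unreadable without elevation
        with key:
            index = 0
            while True:
                try:
                    name, _value, _type = winreg.EnumValue(key, index)
                except OSError:
                    break  # no more values under this key
                found.append(name)
                index += 1
    return found


if __name__ == "__main__":
    entries = read_defender_exclusions()
    hits = suspicious_exclusions(entries)
    for entry in hits:
        print("suspicious exclusion:", entry)
    if not hits:
        print("no matching exclusions found in", len(entries), "entries")
```

Each excluded path or process is stored as a value name under those keys, which is why the function collects names rather than values. A hit is not proof of infection, but an exclusion covering printer software is exactly the blind spot a file infector needs, and it should be removed before scanning.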

Antivirus products should remove XRedRAT and Floxif, but SnipVex is recent and less widely understood and may still evade detection. Because the malware in this case spreads by infecting other executables, reinstalling only the printer software is not enough; affected users should format the drive and reinstall the operating system, and anyone who has sent Bitcoin from the machine should confirm that the destination addresses were the ones they intended. Karsten Hahn's analyses, published by G DATA CyberDefense, give further detail and recovery guidance.

Procolored has been contacted for a formal statement regarding this issue and updates will be provided should a response be received.