The Prynt Stealer malware contains a secret backdoor. Scammers steal data from other cybercriminals
Security Affairs

The Prynt Stealer information-stealing malware contains a backdoor that sends its author a copy of the data the malware exfiltrates from victims.

Zscaler researchers discovered a Telegram-based backdoor in the info-stealing malware Prynt Stealer: every build secretly sends a copy of the data exfiltrated from victims to a Telegram chat controlled by the builder's developers.

“Zscaler ThreatLabz researchers have discovered that the Prynt Stealer builder, also attributed to WorldWind, and DarkEye, has a secret backdoor in the code that is found in every derivative copy and variant of these malware families.” reads the analysis published by Zscaler. “The backdoor sends copies of exfiltrated victim data collected by other threat actors to a private Telegram chat monitored by the builder’s developers.”

This nasty surprise is nothing new in the cybercrime landscape; other malware has been found in the past to contain a secret backdoor that works against its own operators.

Prynt Stealer is an information stealer that was first spotted in April 2022. It allows its operators to harvest credentials from web browsers, VPN/FTP clients, and messaging and gaming applications.

The malware is based on open source projects, including AsyncRAT and StormKitty, and it exfiltrates data stolen from victims through a Telegram channel.

Prynt Stealer is available for sale in the underground market for $100 for a one-month license and $900 for a lifetime subscription.

Prynt Stealer

Prynt Stealer borrows the code responsible for sending information to Telegram from StormKitty with some minor changes.

Experts pointed out that the information stealer does not reuse the anti-analysis code from AsyncRAT or StormKitty. Instead, it creates a thread that invokes a function named ProcessChecker, which continuously monitors the victim's process list for analysis tools such as taskmgr, netmon, netstat, and wireshark. If one of the monitored processes is detected, it blocks the Telegram command-and-control communication channel.
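The anti-analysis gate described above, as an added example that is not Prynt Stealer's code or Zscaler's: it reproduces the name-based check in Python over a constructed process list, so an analyst can see what it catches and what it misses (a renamed capture tool passes, and so does any tool that is not on the list). The watchlist holds only the four names the article cites; the real list, the polling interval and the Windows API the malware uses to enumerate processes are not on the page and are not assumed.

```python
"""Emulation of the name-based anti-analysis gate described in the article.

Added example, not Prynt Stealer's own code. It reproduces the logic Zscaler
describes (a watchlist of process names; a hit suppresses Telegram C2 traffic)
over a constructed process list instead of a live host, so the behaviour can be
studied offline. WATCHED holds only the four names the article cites.
"""
from __future__ import annotations

# Process names the article says Prynt Stealer watches for (compared without ".exe").
WATCHED = {"taskmgr", "netmon", "netstat", "wireshark"}


def _basename(image_path: str) -> str:
    """Normalise 'C:\\Tools\\Wireshark.EXE' to 'wireshark' for comparison."""
    name = image_path.replace("\\", "/").rsplit("/", 1)[-1].lower()
    return name[:-4] if name.endswith(".exe") else name


def process_checker(running: list[str]) -> set[str]:
    """Return the subset of WATCHED that appears in the running-process list."""
    return {_basename(p) for p in running} & WATCHED


def c2_allowed(running: list[str]) -> bool:
    """Mirror of the gate: Telegram C2 is used only when no watched tool is seen."""
    return not process_checker(running)


def send_to_telegram(running: list[str], payload: bytes) -> bytes | None:
    """Stand-in for the exfil path: returns the bytes that would be uploaded, or
    None when the anti-analysis gate blocks the upload. Makes no network call."""
    return payload if c2_allowed(running) else None


if __name__ == "__main__":
    # Constructed process lists: a clean host, an analyst host, and an analyst
    # host where Wireshark was copied under another file name.
    clean = ["explorer.exe", "svchost.exe", "chrome.exe"]
    analyst = clean + [r"C:\Program Files\Wireshark\Wireshark.exe"]
    renamed = clean + [r"C:\Tools\ws.exe"]
    print("clean host    -> upload:", send_to_telegram(clean, b"loot") is not None)
    print("wireshark.exe -> upload:", send_to_telegram(analyst, b"loot") is not None)
    print("renamed tool  -> upload:", send_to_telegram(renamed, b"loot") is not None)
```

The third case is the practical caveat: because the gate compares image names only, renaming the capture tool (or capturing from a separate host or the hypervisor) leaves the Telegram upload observable.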

“The fact that all Prynt Stealer samples encountered by ThreatLabz have the same Telegram channel embedded implies that this backdoor channel was deliberately planted by the author. Interestingly, the author of Prynt Stealer not only charges some customers for the malware, but also receives all the stolen data,” continues the analysis. “Note that there are pirated/leaked copies of Prynt Stealer with the same backdoor, which in turn will benefit the malware author, even without direct compensation.”

Researchers also spotted cracked/leaked copies of Prynt Stealer that contained the same backdoor, meaning the malware author was also able to obtain stolen data from these copies.

Researchers have discovered at least two other variants of the information-stealing malware, called WorldWind and DarkEye, which were written by the same author. Experts noticed that DarkEye is not publicly sold or advertised; instead, it is bundled as a backdoor in a “free” Prynt Stealer builder.

The builder is backdoored with DarkEye Stealer and Loda RAT.

“The free availability of source code for many malware families has made development easier than ever for less sophisticated cybercriminals. As a result, many new malware families have been created over the years, based on popular open source malware projects such as NjRat, AsyncRAT and QuasarRAT. The Prynt Stealer author went a step further and added a backdoor to steal from his customers by hard-coding a Telegram token and chat ID into the malware,” concludes the report.
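The hard-coded token and chat ID the report describes (the StormKitty-derived Telegram sender discussed earlier, and the single channel shared by every sample) give a simple triage check. The following is an added example, not Zscaler's tooling or Prynt Stealer's code: it scans a sample's extracted strings for Telegram bot tokens and chat IDs, groups them into destinations, flags a sample that carries more than one, and, given several samples, returns the destination they all share, which is the article's own reasoning for calling the channel a planted backdoor. The strings and tokens are constructed for the example; the token shape (numeric bot id, colon, 35-character secret) is the commonly observed format rather than a published specification, and the regexes are this example's, not indicators from the report.

```python
"""Triage helper for the 'second Telegram destination' pattern the article describes.

Added example, not Zscaler's tooling or Prynt Stealer's code. It works over the
printable strings of a sample (as produced by `strings` or a .NET decompiler),
finds Telegram bot tokens and chat ids, and reports destinations. All sample
strings and tokens below are constructed and fake.
"""
from __future__ import annotations

import re

# <bot_id>:<secret>. Bot ids are 8-10 digits; the secret is 35 chars in practice
# (observed convention, assumed here). The lookbehind allows the "bot" URL prefix.
TOKEN_RE = re.compile(r"(?<!\d)(\d{8,10}):([A-Za-z0-9_-]{35})(?![\w-])")
# chat_id as a URL/form parameter or a JSON-style literal; group chats are negative.
CHAT_ID_RE = re.compile(r"chat_id[=:\"'\s]{0,3}(-?\d{6,16})(?!\d)")


def redact(token: str) -> str:
    """Keep the non-secret bot id, hide most of the secret, so the value is safe to report."""
    bot_id, secret = token.split(":", 1)
    return f"{bot_id}:{secret[:4]}...{secret[-3:]}"


def extract_destinations(strings: list[str]) -> dict[str, set[str]]:
    """Map each (redacted) bot token to the chat ids that follow it in the string stream.

    A chat id is attributed to the nearest preceding token, which matches how
    these builders lay out the constants (token, then chat id). Joining the
    strings first also handles constants split across separate string literals.
    """
    text = "\n".join(strings)
    tokens = [(m.start(), redact(m.group(0))) for m in TOKEN_RE.finditer(text)]
    dests: dict[str, set[str]] = {tok: set() for _, tok in tokens}
    for m in CHAT_ID_RE.finditer(text):
        preceding = [tok for pos, tok in tokens if pos < m.start()]
        if preceding:
            dests[preceding[-1]].add(m.group(1))
    return dests


def _pairs(strings: list[str]) -> set[tuple[str, str]]:
    return {(tok, cid) for tok, cids in extract_destinations(strings).items() for cid in cids}


def has_backdoor_channel(strings: list[str]) -> bool:
    """True when the sample carries more than one distinct (token, chat id) destination.

    One token posting to two chats counts too: it is still a second recipient.
    """
    return len(_pairs(strings)) > 1


def shared_destinations(samples: list[list[str]]) -> set[tuple[str, str]]:
    """Destinations present in every sample: a buyer's own channel differs per build,
    so a destination common to all of them is the one the builder plants."""
    per_sample = [_pairs(s) for s in samples]
    return set.intersection(*per_sample) if per_sample else set()


# Constructed string dumps of two hypothetical builds. Each build has its own
# operator token; both embed the same second (fake) token and group chat id.
BACKDOOR = "https://api.telegram.org/bot5555555555:AAGsecondFakeSecretForTheBackdoor00/sendDocument"
SAMPLE_A = [
    "https://api.telegram.org/bot",
    "1234567890:AAFaketokenDoNotUseAnywhereXYZabc01",
    "/sendDocument?chat_id=987654321",
    "Prynt Stealer",
    BACKDOOR,
    '"chat_id":"-1001122334455"',
]
SAMPLE_B = [
    "https://api.telegram.org/bot",
    "2222222222:AAHthirdOperatorFakeSecretValue0123",
    "/sendDocument?chat_id=424242424",
    BACKDOOR,
    '"chat_id":"-1001122334455"',
]

if __name__ == "__main__":
    for name, sample in (("sample A", SAMPLE_A), ("sample B", SAMPLE_B)):
        print(name, extract_destinations(sample), "second destination:", has_backdoor_channel(sample))
    print("shared across builds:", shared_destinations([SAMPLE_A, SAMPLE_B]))
```

Redaction matters here because the secret half of a bot token is a live credential: a report that quotes it in full hands the channel to every reader. The bot id alone is enough to correlate samples.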


Pierluigi Paganini

(SecurityAffairs - hacking, backdoor)
