Contaminated drivers: Printer manufacturer infected customers' PCs for months

A YouTuber discovered malware in the official driver software for an expensive UV printer from Procolored. The manufacturer distributed the malware for months via its website. The malware captured cryptocurrency worth around 90,000 euros.
Beware of printer drivers
Malware is a serious problem. After one such attack, a South Korean network operator had to replace 25 million SIM cards. The BSI also recently warned computer users about so-called fake captchas, which likewise infect systems with malware. It is not too surprising that malware spreads through downloading and installing dubious programs, such as file converters offered for free.
What has now happened to the customers of a printer manufacturer, however, came unexpectedly. Owners of Procolored printers, in particular the UV models, should urgently check their systems for malware: the manufacturer, which specializes in inkjet printers for textile and advertising prints, distributed malicious software via its download channels for the past six months. The malware was in the official drivers for the devices.
The YouTuber Cameron Coward of the channel "Serial Hobbyism" made the discovery. While reviewing a $6,000 UV printer, his antivirus program raised an alarm: it found a USB worm and the Floxif file infector on the supplied USB stick. When Coward contacted the manufacturer Procolored, the company dismissed the warnings as false positives. Coward nevertheless pursued the matter and had the suspicious software analyzed by malware expert Karsten Hahn. The result was clear: the driver software was indeed infected with dangerous malware.
Dangerous malware discovered
Hahn identified two main threats in the software:
- The backdoor “Win32.Backdoor.xredrat.a”
- The crypto stealer "msil.trojan-stealer.coinstealer.h"
A backdoor trojan is comparable to a hidden back door that gives attackers secret access to the computer. The crypto stealer, on the other hand, specializes in stealing digital currencies such as Bitcoin from infected computers: this type of malware searches the computer for cryptocurrency wallets and forwards the digital assets stored in them to the attackers.
While the backdoor was already ineffective because its command-and-control server is offline, the crypto stealer, known as "SnipVex", remained a serious threat because of its ability to infect files. An examination of the publicly accessible software downloads on the Mega.NZ platform, last updated in October 2024, confirmed the malware contamination not only on Coward's USB stick but also in the official downloads for further printer models.
How did the malware get into the driver?
Confronted with the detailed examination results, Procolored acknowledged the incident. The company said that the software had initially been transferred via USB drives, and that a virus may have been introduced in the process. In addition, it pointed out that its standard Chinese PrintExp software could be incorrectly classified as malicious by some international operating systems. It is particularly problematic that many users configure their antivirus programs to trust manufacturer software outright: with such a blanket exclusion, a compromised vendor download is never scanned at all.
As a result, the malware was able to remain undetected for months and is said to have already captured cryptocurrency worth around 90,000 euros. Experts suspect that the infection chain began with a supplier or with a compromised developer computer. Procolored has now removed all infected software downloads from its website and is carrying out comprehensive scans. New, cleaned software packages have already been provided and confirmed as safe by G Data.