Researchers have found a Telegram-based backdoor inside an information-stealing malware family dubbed Prynt Stealer by its developer. The backdoor is designed to siphon off the data the malware exfiltrates from victims so that the developer can use it for their own purposes.
“While this untrustworthy behavior in cybercrime is not new, the victims’ data end up in the hands of multiple threat actors, increasing the risks of one or several large-scale attacks to follow,” Zscaler ThreatLabz researchers Atinderpal Singh and Brett Stone-Gross stated in a recent report.
Prynt Stealer first came to light earlier in April. It can log keystrokes and steal web browser credentials, and it can also siphon data from Telegram and Discord. A one-month license costs $100 and a lifetime subscription $900.
Prynt Stealer’s codebase is derived from two open-source malware families, AsyncRAT and StormKitty, with additions that include a Telegram backdoor channel through which the malware’s author receives the information that other actors steal with it.
The code responsible for Telegram data exfiltration was copied from StormKitty with only minor modifications.
Anti-analysis features are also included: the malware monitors the victim’s process list for processes such as taskmgr and netstat and, if any are found, blocks the Telegram command-and-control communication channel.
Although bad actors have used similar data-theft tactics in the past, where malware was given away free of charge, this development is one of the rare occasions when a stealer that is sold on a monthly subscription basis also sends the stolen information back to its creator.
The researchers noted that Prynt Stealer has also been cracked or leaked with the same backdoor intact, which in turn benefits the malware author even without any compensation.
Zscaler also reported discovering two additional variants of Prynt Stealer, named WorldWind and DarkEye, written by the same author. The latter is packaged as an implant alongside a “free” Prynt Stealer builder.
That builder is also used to launch and terminate a remote access trojan (RAT). This AutoIT-based malware is able to access and exfiltrate user and system information, as well as take screenshots and launch and terminate processes.
The researchers concluded that “the free availability of source code for many malware families has made development easier than ever for less sophisticated threat actors.”
The Prynt Stealer author added the backdoor to steal from their own customers by hardcoding a Telegram token and a chat ID into the malware. There is no honor among thieves, as the old saying goes.
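As an added defensive example, not code from the Zscaler report, the Python below performs static triage of a sample for the kind of hardcoded Telegram exfiltration channel described above. The token shape (`<bot_id>:<35-character secret>`), the `chat_id` parameter and the `api.telegram.org/bot` URL prefix are assumptions about the Telegram Bot API, and the sample bytes are constructed, not taken from any real binary.

```python
import re

# Telegram Bot API tokens are assumed to have the shape "<bot_id>:<secret>"
# (8-10 digits, a colon, 35 token characters); chat IDs are signed integers.
BOT_TOKEN_RE = re.compile(rb"(?<!\d)\d{8,10}:[A-Za-z0-9_-]{35}(?![A-Za-z0-9_-])")
CHAT_ID_RE = re.compile(rb"chat_id=(-?\d{6,14})")
API_URL_RE = re.compile(rb"api\.telegram\.org/bot")


def _string_views(blob: bytes):
    """Yield the raw bytes plus UTF-16LE-decoded views at both byte offsets, so
    wide strings (how .NET assemblies store them) are matched by the byte regexes."""
    yield blob
    for offset in (0, 1):
        text = blob[offset:].decode("utf-16-le", errors="ignore")
        yield text.encode("ascii", errors="ignore")


def find_telegram_indicators(blob: bytes) -> dict:
    """Return hardcoded Telegram exfiltration indicators found in a sample."""
    tokens, chat_ids, api_urls = set(), set(), 0
    for view in _string_views(blob):
        tokens.update(m.decode() for m in BOT_TOKEN_RE.findall(view))
        chat_ids.update(m.decode() for m in CHAT_ID_RE.findall(view))
        api_urls += len(API_URL_RE.findall(view))
    return {"bot_tokens": sorted(tokens), "chat_ids": sorted(chat_ids), "api_urls": api_urls}


def is_suspicious(result: dict) -> bool:
    """A token combined with a chat ID or Bot API URL is what a hardcoded
    Telegram channel needs to deliver data; a token alone is a weaker signal."""
    return bool(result["bot_tokens"]) and (bool(result["chat_ids"]) or result["api_urls"] > 0)


# Constructed sample (not from any real binary): a Bot API URL stored as ASCII,
# the same token stored as UTF-16LE, and null padding around both.
CONSTRUCTED_TOKEN = "123456789:AAEexampleTOKENvalueABCDEFGHIJKLMNO"
CONSTRUCTED_SAMPLE = (
    b"\x00" * 16
    + b"https://api.telegram.org/bot" + CONSTRUCTED_TOKEN.encode()
    + b"/sendDocument?chat_id=-1001234567890\x00"
    + ("token=" + CONSTRUCTED_TOKEN).encode("utf-16-le")
    + b"\x00" * 16
)

if __name__ == "__main__":
    result = find_telegram_indicators(CONSTRUCTED_SAMPLE)
    print(result, "suspicious:", is_suspicious(result))
```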