{"id":677,"date":"2022-09-04T11:40:35","date_gmt":"2022-09-04T11:40:35","guid":{"rendered":"https:\/\/cybersecuritynest.com\/?p=677"},"modified":"2022-09-04T11:40:35","modified_gmt":"2022-09-04T11:40:35","slug":"prynt-stealer-has-a-backdoor-to-steal-victims-data-from-other-cybercriminals","status":"publish","type":"post","link":"https:\/\/cybersecuritynest.com\/?p=677","title":{"rendered":"Prynt Stealer Has a Backdoor to Steal Victims Data from Other Cybercriminals"},"content":{"rendered":"<p>Researchers have found a Telegram-based backdoor in an information-stealing malware dubbed <strong>Prynt Stealer<\/strong> by its developer. The backdoor is designed to divert the data the malware exfiltrates from victims to the developer, who can then use it for their own purposes.<\/p>\n<p>&#8220;While this untrustworthy behavior in cybercrime is not new, victims&#8217; data end up in the hands of multiple threat actors, increasing risks of one or several large-scale attacks to follow,&#8221; Zscaler ThreatLabz researchers Atinderpal Singh and Brett Stone-Gross <a href=\"https:\/\/www.zscaler.com\/blogs\/security-research\/no-honor-among-thieves-prynt-stealers-backdoor-exposed\">stated<\/a> in a recent report.<\/p>\n
<p>Prynt Stealer first came to light in April. It can log keystrokes, steal web browser credentials, and siphon data from Telegram and Discord. A one-month license costs $100 and a lifetime subscription $900.<\/p>\n<p>Prynt Stealer&#8217;s codebase was derived from two open-source malware families, <a href=\"https:\/\/github.com\/NYAN-x-CAT\/AsyncRAT-C-Sharp\">AsyncRAT<\/a> and <a href=\"https:\/\/github.com\/swagkarna\/StormKitty\/\">StormKitty<\/a>. The author&#8217;s additions include a Telegram backdoor channel through which the data collected by other actors running the malware is also delivered to the malware&#8217;s author.<\/p>\n<p>The code responsible for Telegram data exfiltration was copied from StormKitty with only minor modifications.<\/p>\n<p>Anti-analysis features are also included: the malware monitors the victim&#8217;s process list for processes such as taskmgr and netstat and, if it finds one, blocks the Telegram command-and-control channel.<\/p>\n
<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-medium wp-image-678\" src=\"https:\/\/cybersecuritynest.com\/wp-content\/uploads\/2022\/09\/Screenshot-2022-09-04-at-12.36.52-300x190.png\" alt=\"\" width=\"300\" height=\"190\" srcset=\"https:\/\/cybersecuritynest.com\/wp-content\/uploads\/2022\/09\/Screenshot-2022-09-04-at-12.36.52-300x190.png 300w, https:\/\/cybersecuritynest.com\/wp-content\/uploads\/2022\/09\/Screenshot-2022-09-04-at-12.36.52-1024x650.png 1024w, https:\/\/cybersecuritynest.com\/wp-content\/uploads\/2022\/09\/Screenshot-2022-09-04-at-12.36.52-768x487.png 768w, https:\/\/cybersecuritynest.com\/wp-content\/uploads\/2022\/09\/Screenshot-2022-09-04-at-12.36.52.png 1526w\" sizes=\"(max-width: 300px) 100vw, 300px\" \/><\/p>\n<p>Although bad actors have used similar data theft tactics in the past with malware that was given away free of charge, this is one of the rare occasions on which a stealer sold on a monthly subscription also sends the stolen information back to its creator.<\/p>\n<p>The researchers noted that cracked or leaked copies of Prynt Stealer carry the same backdoor, so the malware author benefits from them even without being paid.<\/p>\n<p>Zscaler also discovered two additional variants of Prynt Stealer, named WorldWind and DarkEye, written by the same author. The latter is packaged as an implant alongside a &#8220;free&#8221; Prynt Stealer builder.<\/p>\n
<p>The builder can also launch and terminate a remote access trojan (RAT). This AutoIT-based malware can access and exfiltrate user and system information, take screenshots, and launch and terminate processes.<\/p>\n<p>The researchers concluded that &#8220;the free availability of source codes for many malware families has made it easier than ever to develop for less sophisticated threat actors.&#8221;<\/p>\n<p>The Prynt Stealer author backdoored their own customers by hardcoding a Telegram token and a chat ID into the malware. There is no honor among thieves, as the old saying goes.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Researchers have found a Telegram-based backdoor in an information-stealing malware dubbed Prynt Stealer by its developer. The backdoor is designed to divert the data the malware exfiltrates from victims to the developer, who can then use it for their own purposes. &#8220;While this untrustworthy behavior in cybercrime is not new, victims&#8217; data end up in the hands of multiple threat actors, [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":679,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"om_disable_all_campaigns":false,"_monsterinsights_skip_tracking":false,"_monsterinsights_sitenote_active":false,"_monsterinsights_sitenote_note":"","_monsterinsights_sitenote_category":0,"footnotes":"","_links_to":"","_links_to_target":""},"categories":[10],"tags":[],"class_list":["post-677","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-vul-mal"],"aioseo_notices":[],"amp_enabled":true,"_links":{"self":[{"href":"https:\/\/cybersecuritynest.com\/index.php?rest_route=\/wp\/v2\/posts\/677"}],"collection":[{"href":"https:\/\/cybersecuritynest.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cybersecuritynest.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/cybersecuritynest.com\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/cybersecuritynest.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=677"}],"version-history":[{"count":1,"href":"https:\/\/cybersecuritynest.com\/index.php?rest_route=\
/wp\/v2\/posts\/677\/revisions"}],"predecessor-version":[{"id":680,"href":"https:\/\/cybersecuritynest.com\/index.php?rest_route=\/wp\/v2\/posts\/677\/revisions\/680"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cybersecuritynest.com\/index.php?rest_route=\/wp\/v2\/media\/679"}],"wp:attachment":[{"href":"https:\/\/cybersecuritynest.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=677"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cybersecuritynest.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=677"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cybersecuritynest.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=677"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}