This printer company served you malware for months and called it false positives

Original link: https://www.neowin.net/news/this-printer-company-served-you-malware-for-months-and-dismissed-it-as-false-positives/

UV printer maker Procolored unknowingly distributed malware with its printer software. The malware spread through the USB drives bundled with the printers and through the company's online downloads, and mainly affects users who installed the software in the past six months. The YouTube reviewer "Serial Hobbyism" noticed the problem first, and the security firm G Data later confirmed it. The malware consists of the Win32.Backdoor.XRedRAT.A backdoor and the more active MSIL.Trojan-Stealer.CoinStealer.H (SnipVex), a clipboard-swapping cryptocurrency stealer that also infects executable files. Before it went quiet in March 2024, SnipVex had collected roughly $100,000 worth of Bitcoin. Procolored initially denied the reports but later conceded that a virus could have been introduced while the software was being transferred. It then pulled and rescanned its software and says it now offers clean builds. G Data advises affected users to remove any antivirus exclusions set up for the printer software and, because file infectors can damage system files extensively, to consider a full reformat and a fresh operating system install. It found no evidence that Procolored distributed the malware deliberately, and Procolored has promised to improve its internal processes.

Hacker News discusses the malware found in Procolored's printer software. Users highlight the broader issue of hardware vendors treating software as a secondary concern, which leads to poor security practices. One commenter pointed out that even open source is no guarantee: printer stacks are a legacy mess, with vulnerabilities almost every year. Some speculate that the malware was included unintentionally because of lax security around the build process, while others criticize Procolored's dismissal of the initial reports. The discussion also touches on the practice of hosting driver downloads on less reputable platforms such as mega.co.nz, which further erodes trust. As defenses against wallet clipjacking, commenters suggested two-factor authentication and pointed to hardware wallets as a good way to avoid this type of malware. Overall, the thread underscores the need for better security hygiene in the hardware industry and better user awareness.

Original article


If you own a Procolored inkjet printer, particularly one of the UV models, you might want to check your system for malware, especially if you downloaded the companion software within the past six months, since Procolored was recently found to be distributing malicious software.

The first alarm came from Cameron Coward, the creator behind the YouTube channel "Serial Hobbyism." Known for his DIY electronics and tech reviews, Coward was in the middle of reviewing a $6,000 Procolored UV printer and attempting to install its companion software from the included USB drive when his antivirus flagged malware. The threats identified were a USB-spreading worm and a Floxif file infector. When Coward reported the issue to Procolored, the company initially dismissed it as a case of false positives.

Still unconvinced by Procolored's assurances, Coward turned to Reddit in search of expert insight. That post caught the attention of cybersecurity firm G Data, which decided to investigate further. One of their analysts examined Procolored's publicly available software downloads, hosted on mega.nz, and mostly last updated around October 2023.

The investigation confirmed the presence of malware not just on Coward's USB drive but also within official downloads for several printer models. G Data identified two main threats: Win32.Backdoor.XRedRAT.A, a Delphi-based backdoor, and MSIL.Trojan-Stealer.CoinStealer.H, a cryptocurrency stealer written in .NET. Although Floxif didn't appear in the website downloads G Data reviewed, its presence on Coward's USB points to the possibility of a more compromised environment at some earlier stage.

According to G Data, citing an earlier analysis by eSentire, the XRedRAT backdoor is an older strain of malware, and its command and control server URLs were reportedly already offline when eSentire documented them in February 2024. This particular instance also appears to have been inactive since at least that time. The coin stealer, named "SnipVex" by G Data, is the more troublesome threat. It operates as a clipbanker, swapping copied cryptocurrency addresses for one controlled by the attacker, and also functions as a file infector by attaching itself to executable files. The original article shows the code responsible for replacing Bitcoin addresses in the clipboard with the attacker's as an image, which is not reproduced here.

G Data's research showed that the Bitcoin address linked to SnipVex had received about 9.3 BTC, roughly $100,000, before activity stopped on March 3, 2024. The widespread infection found across Procolored's downloadable files means it's plausible that the malware spread through a developer's workstation or the company's build servers.
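Since the screenshot of SnipVex's clipboard routine is not reproduced on this page, the Python below is an added illustration (not G Data's or the malware's code) of the two halves of the problem: the kind of pattern match a clipbanker uses to spot a Bitcoin address in clipboard text, and the check a user or wallet front-end can make before sending, comparing the pasted address with the intended one and validating its Base58Check checksum. The addresses are constructed inputs: the Bitcoin genesis address stands in for the intended destination and a well-known burn address stands in for the attacker's; neither has any connection to SnipVex.

```python
import hashlib
import re

# Address shapes a clipbanker (and a detector) would match: legacy P2PKH/P2SH
# (Base58Check, starts with 1 or 3) and bech32 (starts with bc1).
BTC_ADDRESS_RE = re.compile(
    r"\b(?:[13][a-km-zA-HJ-NP-Z1-9]{25,34}|bc1[ac-hj-np-z02-9]{11,71})\b"
)

B58_ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"

# Constructed sample addresses (no relation to the SnipVex wallet).
INTENDED = "1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa"   # Bitcoin genesis address
ATTACKER = "1BitcoinEaterAddressDontSendf59kuE"   # well-known burn address


def b58decode(s: str) -> bytes:
    """Decode Base58; each leading '1' encodes one leading zero byte."""
    n = 0
    for ch in s:
        idx = B58_ALPHABET.find(ch)
        if idx < 0:
            raise ValueError(f"invalid base58 character {ch!r}")
        n = n * 58 + idx
    body = n.to_bytes((n.bit_length() + 7) // 8, "big") if n else b""
    pad = len(s) - len(s.lstrip("1"))
    return b"\x00" * pad + body


def base58check_ok(addr: str) -> bool:
    """True if the trailing 4 bytes equal the first 4 bytes of SHA256d(payload)."""
    try:
        raw = b58decode(addr)
    except ValueError:
        return False
    if len(raw) != 25:                      # version(1) + hash160(20) + checksum(4)
        return False
    payload, checksum = raw[:-4], raw[-4:]
    digest = hashlib.sha256(hashlib.sha256(payload).digest()).digest()
    return digest[:4] == checksum


def find_btc_addresses(text: str) -> list[str]:
    """Every substring that looks like a Bitcoin address, in order of appearance."""
    return BTC_ADDRESS_RE.findall(text)


def verify_paste(intended: str, pasted: str) -> dict:
    """Compare what the user meant to paste with what the clipboard now holds.

    A clipbanker swap shows up as a different, but syntactically valid, address,
    so the comparison with the intended address is the decisive check; the
    checksum only catches truncation or typos.
    """
    found = find_btc_addresses(pasted)
    return {
        "addresses_in_clipboard": found,
        "matches_intended": found == [intended],
        "checksums_ok": all(base58check_ok(a) for a in found if a[0] in "13"),
    }


if __name__ == "__main__":
    clean = f"Please send 0.01 BTC to {INTENDED}"
    swapped = clean.replace(INTENDED, ATTACKER)   # what a clipbanker would leave behind
    print(verify_paste(INTENDED, clean))
    print(verify_paste(INTENDED, swapped))
```

The swapped text still passes the checksum test, because the attacker's address is a real one. That is why comparing against the address you meant to send to, or confirming the destination on a hardware wallet's own display, is the control that matters; an address validator alone does not detect clipbanking.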

After G Data presented its detailed findings, Procolored offered a more substantial response than its initial denial to Coward. The company stated:

The software hosted on our website was initially transferred via USB drives. It is possible that a virus was introduced during this process. Additionally, as the PrintEXP software is in Chinese by default, some international operating systems may incorrectly flag or misinterpret it as malicious, especially if the system does not handle non-English programs well.

Procolored also mentioned that it had temporarily removed all software from its website around May 8th, 2024, for comprehensive scanning and that new, clean software packages were being provided, a claim G Data confirmed by checking the new files.

For customers who might have been affected, G Data recommends checking for, and removing, any antivirus exclusions made for the printer software, since official vendor software is often trusted implicitly. Because file infectors like Floxif and SnipVex can extensively damage system files, the cybersecurity firm advises that the safest course of action is often a full reformat of all drives and a fresh operating system installation.
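G Data's reformat advice follows from how file infectors behave: SnipVex attaches itself to existing executables, so an infected machine may hold many altered binaries that no single cleanup step catches. As an added example, not G Data's or Procolored's tooling, the Python below builds a SHA-256 manifest of the executables under a directory and later reports which were modified, added or removed. The demo() function sets up a constructed directory (the file names are hypothetical) and appends bytes to one executable to mimic the footprint an infector leaves; in practice the baseline would be taken from a known-clean install or vendor-published hashes.

```python
import hashlib
import os
import tempfile

EXECUTABLE_SUFFIXES = (".exe", ".dll")


def sha256_file(path: str) -> str:
    """Stream a file through SHA-256 so large binaries do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: str, suffixes=EXECUTABLE_SUFFIXES) -> dict[str, str]:
    """Map each executable under root (relative path, '/'-separated) to its hash."""
    manifest = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.lower().endswith(suffixes):
                full = os.path.join(dirpath, name)
                rel = os.path.relpath(full, root).replace(os.sep, "/")
                manifest[rel] = sha256_file(full)
    return manifest


def verify_manifest(root: str, baseline: dict[str, str]) -> dict[str, list[str]]:
    """Compare the current tree with a baseline manifest taken earlier."""
    current = build_manifest(root)
    return {
        "modified": sorted(p for p in baseline if p in current and current[p] != baseline[p]),
        "missing": sorted(p for p in baseline if p not in current),
        "added": sorted(p for p in current if p not in baseline),
    }


def demo() -> dict[str, list[str]]:
    """Constructed scenario: baseline a tree, then append to one binary and drop a new one."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "bin"))
        with open(os.path.join(root, "bin", "printexp.exe"), "wb") as f:
            f.write(b"MZ" + b"\x00" * 62 + b"clean program body")
        with open(os.path.join(root, "bin", "helper.dll"), "wb") as f:
            f.write(b"MZ" + b"\x00" * 62 + b"clean library body")
        with open(os.path.join(root, "bin", "readme.txt"), "wb") as f:
            f.write(b"not an executable, ignored by the manifest")
        baseline = build_manifest(root)

        # Mimic a file infector that appends itself to an existing executable
        # and a dropper that writes a new one.
        with open(os.path.join(root, "bin", "printexp.exe"), "ab") as f:
            f.write(b"APPENDED PAYLOAD")
        with open(os.path.join(root, "bin", "dropped.exe"), "wb") as f:
            f.write(b"MZ new file")

        return verify_manifest(root, baseline)


if __name__ == "__main__":
    print(demo())
```

A manifest like this only tells you that something changed, not what; anything flagged should be compared against the vendor's fresh download or treated as untrusted, which for a file infector with wide reach is exactly the point at which the reformat G Data recommends becomes the pragmatic choice.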

Although the XRedRAT backdoor was likely rendered ineffective by its offline command and control server, SnipVex remained a serious concern thanks to its ability to infect files, even though it had stopped siphoning Bitcoin. G Data found no evidence that Procolored had intentionally distributed the malware, and the company has since pledged to improve its internal processes. If you're curious, Coward's review of the Procolored UV printer is available on Hackster.io.
