Malware Distributed with Printer Drivers
Recent reports indicate that a Chinese printer manufacturer has been distributing malware capable of stealing Bitcoin alongside its official drivers. According to Chinese news outlet Landian News, Shenzhen-based Procolored has been spreading the software through its USB drivers and uploading the compromised drivers to cloud storage for global distribution.
The breach has resulted in the theft of approximately 9.3 BTC, equating to over $953,000. SlowMist, a company specializing in crypto-tracking and compliance, explained on May 19 how the malware operates:
“The official driver provided by this printer includes a backdoor program. It hijacks the wallet address of the user’s clipboard and replaces it with the address of the attacker.”
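A defender-side illustration of the clipboard replacement described in the quote above, added here and not taken from the article or from any vendor's tooling: it scans a time-ordered log of clipboard snapshots and flags an address-shaped value that is replaced by a different one within a short window. The snapshot format, the one-second window and the sample addresses are assumptions constructed for this example.

```python
import re

# Shape check only (no checksum validation): legacy/P2SH Base58 addresses
# starting with 1 or 3, and bech32 addresses starting with bc1.
BTC_SHAPE = re.compile(
    r"^(?:[13][1-9A-HJ-NP-Za-km-z]{25,34}|bc1[02-9ac-hj-np-z]{11,71})$"
)

def looks_like_btc_address(text):
    """True if the clipboard text has the shape of a Bitcoin address."""
    return bool(BTC_SHAPE.match(text.strip()))

def find_address_swaps(snapshots, max_gap=1.0):
    """Flag address-to-address clipboard changes that happen too fast.

    snapshots: time-ordered list of (timestamp_seconds, clipboard_text).
    max_gap:   assumed threshold; a person rarely copies two different
               addresses within this many seconds, a clipboard hijacker does.
    Returns a list of (timestamp, copied_value, replacement_value).
    """
    alerts = []
    for (t0, prev), (t1, cur) in zip(snapshots, snapshots[1:]):
        prev, cur = prev.strip(), cur.strip()
        if (looks_like_btc_address(prev) and looks_like_btc_address(cur)
                and prev != cur and t1 - t0 <= max_gap):
            alerts.append((t1, prev, cur))
    return alerts

# Constructed sample values: address-shaped strings, not real wallets.
COPIED = "1" + "a" * 33
SWAPPED = "1" + "b" * 33
OTHER = "bc1q" + "x" * 38

# Constructed clipboard log for illustration.
SAMPLE_LOG = [
    (0.0, "meeting notes"),
    (10.0, COPIED),    # user copies a payment address
    (10.2, SWAPPED),   # replaced 0.2 s later with no user action: flagged
    (60.0, "hello"),
    (70.0, COPIED),
    (95.0, OTHER),     # a different address 25 s later: not flagged
]

if __name__ == "__main__":
    for ts, copied, replaced in find_address_swaps(SAMPLE_LOG):
        print(f"{ts:.1f}s: clipboard address {copied} replaced by {replaced}")
```

The same comparison applies manually: before sending funds, check that the pasted address matches the copied one character for character.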
YouTube Users Raise Concerns
Landian News has urged anyone who downloaded the Procolored printer driver in the last six months to perform a complete system scan using antivirus software. However, if one is uncertain, a full system reset might be the safest route.
“Ideally, you should reinstall the operating system and thoroughly check the old files.”
The issue reportedly first surfaced through YouTuber Cameron Co-Sick, who detected malware during tests of the printer. Antivirus software identified a drive harboring a worm named Foxif and a Trojan virus.
Cybersecurity Investigations Underway
When approached for comment, Procolored dismissed the allegations, asserting that antivirus tools incorrectly flagged their drivers as malicious. Co-Sick shared his findings on Reddit, catching the attention of cybersecurity firm G-Data.
G-Data’s investigation revealed that many of Procolored’s drivers were hosted on the file service Mega, with uploads dating back to October 2023. Examination of these files confirmed the presence of two distinct types of malware.
Following G-Data’s outreach, Procolored removed the compromised driver from its storage on May 8 and conducted a re-scan of all files. The company contends that the malware likely entered through a supply chain breach, with infected USB devices leading to the malicious uploads.



