Prynt Stealer Source Code Shared over Cybercrime Forum

Prynt Stealer operating on stealth mode to steal sensitive data & credentials from the victims’ systems, browsers, & crypto wallets.
Published on November 2, 2022
Updated on April 19, 2023
Category: Malware Intelligence Type/Family: Information Stealer Industry: Multiple Region: Global

Executive Summary

Threat
  • Prynt Stealer operating on stealth mode to steal sensitive data & credentials from the victims’ systems, browsers, & crypto wallets.

Impact
  • Sensitive data and credentials can be harvested.
  • Harvested data could be used for carrying out financial fraud.

Mitigation
  • Implement MFA using offline token generators.
  • Implement a multi-signature approach for funds held on wallets.

Analysis and Attribution

Information from the Post

  • On 15 August 2022, CloudSEK’s contextual AI digital risk platform XVigil discovered a threat actor sharing a GitHub link to the source code of the Prynt Stealer.
  • Instructions for creating a Telegram bot for use with the Prynt Stealer have also been shared.
  • The Prynt stealer is available on the marketplace at a price of USD 100 per month.
Figure: Threat actor’s post on the cybercrime forum

Features of the Malware

Delivery Mechanism

  • It can be delivered via infected email attachments, malicious download links or files, online advertisements, and many other ways.

Functionality

  • Prynt Stealer’s functionality allows it to operate in stealth mode and steal sensitive information from the system.
  • The following information can be collected using Prynt stealer:
    • Passwords, cookies, auto-fills, bookmarks, history, and credit cards.
    • System and hardware information.
    • Information from mail clients, FTP clients, etc.
    • Credentials from browser-based crypto wallets.
    • Clipper and keylogger output.
    • Credentials and logs from VPNs.
  • The stealer has a built-in Prynt Crypter and a file spoofer which can spoof any file extension and track victims.
  • It also offers a Crypto-Malware which can be used to send or receive victims’ cryptocurrency.

Working

  • The stealer deletes the server, allowing it to go into stealth mode and making it difficult to find.
  • It has a Microsoft Excel exploit built in, along with a file pumper that pads the file to any chosen size in KB, MB, or GB.
  • After buying the stealer, the buyer needs to go on Telegram and create a bot using @BotFather.
  • Once the bot is created, a Telegram HTTP API token is received, which is then used in the Prynt Stealer builder.
  • Next, the buyer needs to get a chat ID from @id_chatbot and put the number into the builder.
  • Once all the above steps are done, the stealer is ready to be delivered to the victims’ machines.
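Because the builder is configured with a Telegram bot token and chat ID, the stealer’s exfiltration goes to the Telegram Bot API rather than to attacker-owned infrastructure. The detection logic below is an added example, not code from the report or from CloudSEK: it scans constructed proxy-log lines for Bot API calls (`api.telegram.org/bot<id>:<secret>/send...`) originating from endpoint processes, masks the bot token so the credential is not re-logged, and counts hits per host and bot. The log format, the sample lines, and the assumed shape of a bot token (`<numeric id>:<secret>`) are assumptions made for the example; an ordinary Telegram desktop client talking to `web.telegram.org` does not match and is left alone.

```python
import re
from collections import Counter

# Constructed sample proxy log (not from the report).
# Fields: timestamp host client_ip process http_method url
SAMPLE_PROXY_LOG = """\
2022-08-15T10:01:02Z host-12 10.0.4.21 chrome.exe GET https://www.example.com/index.html
2022-08-15T10:02:17Z host-12 10.0.4.21 svchost.exe POST https://api.telegram.org/bot123456789:AAHxk8RvD2_QpZ9yq-3vWf0aE1bT7cK4mN5/sendDocument
2022-08-15T10:02:19Z host-12 10.0.4.21 svchost.exe POST https://api.telegram.org/bot123456789:AAHxk8RvD2_QpZ9yq-3vWf0aE1bT7cK4mN5/sendMessage
2022-08-15T10:05:40Z host-07 10.0.4.33 Telegram.exe GET https://web.telegram.org/k/
2022-08-15T10:06:01Z host-07 10.0.4.33 explorer.exe POST https://api.telegram.org/bot987654321:BBGyj7QuC1_PoY8xp-2uVe9zD0aS6bJ3mL4/sendDocument
"""

# Assumed shape of a Bot API URL: /bot<numeric id>:<secret>/<method>.
# The secret's alphabet and minimum length are deliberately loose assumptions.
BOT_API_RE = re.compile(
    r"https?://api\.telegram\.org/bot(?P<bot_id>\d+):(?P<secret>[A-Za-z0-9_-]{20,})/(?P<method>\w+)"
)

# Bot API methods a stealer would use to push harvested data into the operator's chat.
EXFIL_METHODS = {"sendDocument", "sendMessage", "sendPhoto"}


def mask_token(bot_id, secret):
    """Keep the bot id and a short secret prefix for pivoting, never the full token."""
    return f"{bot_id}:{secret[:4]}..."


def parse_proxy_line(line):
    """Split one constructed proxy-log line into its fields; None if malformed."""
    parts = line.split()
    if len(parts) != 6:
        return None
    ts, host, client_ip, process, http_method, url = parts
    return {
        "ts": ts,
        "host": host,
        "client_ip": client_ip,
        "process": process,
        "http_method": http_method,
        "url": url,
    }


def find_bot_api_exfil(log_text):
    """Return one finding per proxy line that calls an exfil-style Bot API method."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_proxy_line(line)
        if rec is None:
            continue
        m = BOT_API_RE.search(rec["url"])
        if not m or m.group("method") not in EXFIL_METHODS:
            continue
        findings.append(
            {
                "ts": rec["ts"],
                "host": rec["host"],
                "process": rec["process"],
                "bot": mask_token(m.group("bot_id"), m.group("secret")),
                "api_method": m.group("method"),
            }
        )
    return findings


def summarize_by_host(findings):
    """Count exfil-style calls per (host, masked bot) to surface repeat offenders."""
    return Counter((f["host"], f["bot"]) for f in findings)


if __name__ == "__main__":
    hits = find_bot_api_exfil(SAMPLE_PROXY_LOG)
    for hit in hits:
        print(f"{hit['ts']} {hit['host']} {hit['process']} -> {hit['bot']} {hit['api_method']}")
    for (host, bot), n in summarize_by_host(hits).items():
        print(f"{host}: {n} call(s) to bot {bot}")
```

Two repeated `sendDocument`/`sendMessage` calls from a system process on one host is the pattern worth an alert; the masked bot ID is still enough to correlate the same operator across hosts.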

Services Targeted by the Stealer

Affected Programs/Extensions/Applications
  • Browsers: Chrome, Opera, Yandex, Brave, Amigo, CocCoc, Privacy, Edge, Comodo, CoolNovo, SRWare, Cent, Elements, Kometa, Iron, Torch, Iridium, 7Star, Chedot, Epic, Orbitum, Citrio, Sputnik, Vivaldi, Coowon, Liebao, Sleipnir 6, QIP Surf
  • Crypto Wallets: Metamask, Armory, Atomic Wallet, Bitcoin Core, Bytecoin, Jaxx, Litecoin Core, Monero, Zcash, Dash Core, Dogecoin, Electrum, Ethereum, Exodus
  • Documents: pdf, rtf, doc, docx, indd, json, xlsx, ppt, pptx, txt, xls
  • Databases: db, kdb, sqlite, dsk, db4, mdb, db3, kdbx, mdf, dbf, sql, ini
  • Source Code: c, cs, cpp, asm, css, go, sh, py, pyw, html, php, js, rb, pl, swift, java, kt, ino
  • Images: jpeg, jpg, png, bmp, svg, psd
  • VPN: Nord VPN, Open VPN, Proton VPN
  • Messengers: Discord, Telegram, Pidgin
  • Gaming Applications: Steam, Minecraft, Uplay

Impact & Mitigation

Impact
  • The stealer can harvest credentials and sensitive data from crypto wallets, which are primarily browser-based.
  • The harvested data can be used to commit financial fraud and to further target the victims.

Mitigation
  • Implement multifactor authentication with an offline token generator such as Google Authenticator.
  • Implement a multi-signature approach for funds held on wallets.

Appendix

Figure: Prynt stealer available for USD 100
Figure: Telegram bot used to create a bot
