Category: Malware Intelligence
Type/Family: Information Stealer
Industry: Multiple
Region: Global
Executive Summary
Threat
- Prynt Stealer operates in stealth mode to steal sensitive data and credentials from victims' systems, browsers, and crypto wallets.
Impact
- Sensitive data and credentials can be harvested.
- Harvested data could be used to carry out financial fraud.
Mitigation
- Implement MFA using offline token generators.
- Implement a multi-signature approach for funds held in wallets.
Analysis and Attribution
Information from the Post
- On 15 August 2022, CloudSEK’s contextual AI digital risk platform XVigil discovered a threat actor sharing a GitHub link to the source code of the Prynt Stealer.
- Instructions for creating a bot on Telegram, to use the Prynt Stealer, have also been shared.
- The Prynt stealer is available on the marketplace at a price of USD 100 per month.
Figure: Threat actor's post on the cybercrime forum
Features of the Malware
Delivery Mechanism
- It can be delivered via infected email attachments, malicious download links or files, online advertisements, and many other ways.
Functionality
- Prynt Stealer's functionality allows it to go into stealth mode and steal sensitive information from the system.
- The following information can be collected using Prynt stealer:
- Passwords, cookies, auto-fills, bookmarks, history, and credit cards.
- System and hardware information.
- Information from mail clients, FTP clients, etc.
- Credentials from browser-based crypto wallets.
- Clipper and Keyloggers.
- Credentials and logs from VPNs.
- The stealer has a built-in Prynt Crypter and a file spoofer which can spoof any file extension and track victims.
- It also offers a Crypto-Malware which can be used to send or receive victims’ cryptocurrency.
Working
- The stealer deletes its server component, allowing it to go into stealth mode and making it difficult to find.
- It has a Microsoft Excel exploit built in, along with a file pumper that inflates the file size to any specified size in KB, MB, or GB.
- After buying the stealer, the buyer needs to go to Telegram and create a bot using @BotFather.
- Once the bot is created, a Telegram HTTP API token is issued, which is entered into the Prynt Stealer builder.
- Next, the buyer obtains a chat ID from @id_chatbot and enters the number into the builder.
- Once all the above steps are done, the stealer is ready to be delivered to victims' machines.
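The builder workflow above means every Prynt build reports back through the Telegram Bot API using the operator's bot token, which gives defenders a fixed network pattern to hunt for. The following is an added example, not code from the report or from the Prynt Stealer project, of a proxy-log check for that channel: it flags Bot API "send" calls (sendDocument, sendMessage, sendPhoto, which are real Bot API methods) from any process not on a sanctioned allowlist, and aggregates request counts and bytes per host and bot ID. The log field layout, the host and process names, and the bot tokens are constructed for the example; the URL shape https://api.telegram.org/bot<token>/<method> is the real Bot API layout.

```python
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample proxy log lines (not real traffic). Field layout, assumed for this
# example: "<timestamp> <host> <process> <verb> <url> <bytes_out>".
SAMPLE_LOG = """\
2022-08-15T10:02:11Z WS-042 chrome.exe GET https://www.example.com/ 512
2022-08-15T10:03:45Z WS-042 svchost.exe POST https://api.telegram.org/bot123456789:AAFAKE_TOKEN_FOR_EXAMPLE_0000000000/sendDocument 884210
2022-08-15T10:04:02Z WS-042 svchost.exe POST https://api.telegram.org/bot123456789:AAFAKE_TOKEN_FOR_EXAMPLE_0000000000/sendMessage 1203
2022-08-15T10:05:30Z WS-017 scheduler.exe POST https://api.telegram.org/bot987654321:AAOTHER_FAKE_TOKEN_111111111111/getMe 210
2022-08-15T10:06:00Z WS-099 firefox.exe GET https://web.telegram.org/ 300
"""

# Telegram Bot API requests have the form https://api.telegram.org/bot<bot_id>:<secret>/<method>.
BOT_API_RE = re.compile(
    r"https?://api\.telegram\.org/bot(?P<bot_id>\d+):(?P<secret>[A-Za-z0-9_-]+)/(?P<method>[A-Za-z]+)"
)
# Bot API methods that push data into a chat; a stealer only needs these to exfiltrate.
EXFIL_METHODS = {"sendDocument", "sendMessage", "sendPhoto"}


@dataclass(frozen=True)
class Finding:
    timestamp: str
    host: str
    process: str
    bot_id: str      # numeric bot id only; the token secret is deliberately not retained
    method: str
    bytes_out: int


def detect_telegram_exfil(log_text, allowed_processes=frozenset()):
    """Return one Finding per Bot API 'send*' request not made by an approved process.

    allowed_processes is an environment-specific allowlist of sanctioned Telegram
    integrations (lower-cased process names); it is assumed empty for this example.
    """
    findings = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 6:
            continue  # blank or malformed line
        ts, host, process, _verb, url, bytes_out = fields
        m = BOT_API_RE.search(url)
        if not m or m["method"] not in EXFIL_METHODS:
            continue  # not a Bot API call, or a read-only method such as getMe
        if process.lower() in allowed_processes:
            continue
        findings.append(Finding(ts, host, process, m["bot_id"], m["method"], int(bytes_out)))
    return findings


def summarize(findings):
    """Aggregate findings per (host, bot_id): request count and total bytes sent out."""
    totals = defaultdict(lambda: {"requests": 0, "bytes_out": 0})
    for f in findings:
        key = (f.host, f.bot_id)
        totals[key]["requests"] += 1
        totals[key]["bytes_out"] += f.bytes_out
    return dict(totals)


if __name__ == "__main__":
    hits = detect_telegram_exfil(SAMPLE_LOG)
    for f in hits:
        print(f"{f.timestamp} {f.host} {f.process} -> bot {f.bot_id} {f.method} ({f.bytes_out} bytes)")
    for (host, bot_id), agg in summarize(hits).items():
        print(f"{host}: {agg['requests']} requests, {agg['bytes_out']} bytes to bot {bot_id}")
```

On the constructed sample, only the two svchost.exe requests from WS-042 are reported; the getMe call is ignored because it sends nothing out, and the plain web.telegram.org visit never matches the Bot API pattern. Only the numeric bot ID is kept in the finding, so alert records can be shared without exposing the operator's token secret.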
Services Targeted by the Stealer
Affected Programs/Extensions/Applications
Browsers: Chrome, Opera, Yandex, Brave, Amigo, CocCoc, Privacy, Edge, Comodo, CoolNovo, SRWare, Cent, Elements, Kometa, Iron, Torch, Iridium, 7Star, Chedot, Epic, Orbitum, itrio, Sputnik, Vivaldi, Coowon, Liebao, Sleipnir 6, QIP Surf
Crypto Wallets: Metamask, Armory, Atomic Wallet, Bitcoin Core, Byte-coin, Jaxx, Litecoin Core, Monero, Zcash, Dash Core, Doge-Coin, Electrum, Ethereum, Exodus
Documents: pdf, rtf, doc, docx, indd, json, xlxs, ppt, pptx, txt, xls
Databases: db, kdb, sqlite, dsk, db4, mdb, db3, kdbx, mdf, dbf, sql, ini
Source Code: c, cs, cpp, asm, css, go, sh, py, pyw, html, php, js, rb, pl, swift, java, kt, ino
Images: jpeg, jpg, png, bmp, svg, psd
VPN: Nord VPN, Open VPN, Proton VPN
Messengers: Discord, Telegram, Pidgin
Gaming Applications: Steam, Minecraft, Uplay
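The extension lists above give a defender a concrete host-side signal: a single process reading files from several of these categories (documents, databases, source code, images) within a few seconds is file harvesting, not normal user activity. The block below is an added example, not code from the report or from the Prynt Stealer project, of that heuristic run over a constructed file-access log. The event layout, process names, paths and the thresholds (5 files across at least 3 categories inside a 60-second window) are assumptions for illustration; the extension-to-category mapping is taken from the report's table as listed.

```python
import re
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Extensions the report lists as collected by the stealer, grouped by the report's categories.
TARGETED_EXTENSIONS = {
    "documents": {"pdf", "rtf", "doc", "docx", "indd", "json", "xlxs", "ppt", "pptx", "txt", "xls"},
    "databases": {"db", "kdb", "sqlite", "dsk", "db4", "mdb", "db3", "kdbx", "mdf", "dbf", "sql", "ini"},
    "source_code": {"c", "cs", "cpp", "asm", "css", "go", "sh", "py", "pyw", "html", "php", "js",
                    "rb", "pl", "swift", "java", "kt", "ino"},
    "images": {"jpeg", "jpg", "png", "bmp", "svg", "psd"},
}
EXT_TO_CATEGORY = {ext: cat for cat, exts in TARGETED_EXTENSIONS.items() for ext in exts}

# Constructed file-read events (not a real EDR export). Assumed layout: "<timestamp> <process> <path>".
SAMPLE_EVENTS = """\
2022-08-15T10:03:10Z updater.exe C:\\Users\\alice\\Documents\\report.docx
2022-08-15T10:03:11Z updater.exe C:\\Users\\alice\\Documents\\notes.txt
2022-08-15T10:03:12Z updater.exe C:\\Users\\alice\\Desktop\\keys.kdbx
2022-08-15T10:03:13Z updater.exe C:\\Users\\alice\\src\\app\\main.py
2022-08-15T10:03:14Z updater.exe C:\\Users\\alice\\src\\app\\config.json
2022-08-15T10:03:15Z updater.exe C:\\Users\\alice\\Pictures\\id.png
2022-08-15T10:03:16Z updater.exe C:\\Users\\alice\\Desktop\\wallet.dat
2022-08-15T10:10:00Z WINWORD.EXE C:\\Users\\alice\\Documents\\report.docx
2022-08-15T10:12:00Z code.exe C:\\Users\\alice\\src\\app\\main.py
2022-08-15T10:12:05Z code.exe C:\\Users\\alice\\src\\app\\config.json
2022-08-15T10:12:09Z code.exe C:\\Users\\alice\\src\\app\\index.html
"""


@dataclass(frozen=True)
class FileEvent:
    ts: datetime
    process: str
    path: str
    category: Optional[str]  # None when the extension is not one the stealer targets


def categorize(path: str) -> Optional[str]:
    """Map a file path to the report's category by extension, or None if untargeted."""
    name = re.split(r"[\\/]", path)[-1]  # basename, tolerating both path separators
    if "." not in name:
        return None
    return EXT_TO_CATEGORY.get(name.rsplit(".", 1)[1].lower())


def parse_events(log_text: str):
    events = []
    for line in log_text.splitlines():
        parts = line.split(maxsplit=2)  # path may contain spaces
        if len(parts) != 3:
            continue
        ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ")
        events.append(FileEvent(ts, parts[1], parts[2], categorize(parts[2])))
    return events


def detect_file_harvest(log_text, window_seconds=60, min_files=5, min_categories=3):
    """Sliding-window heuristic: alert once per process when, inside window_seconds, it has
    read at least min_files targeted files spanning at least min_categories categories.
    Thresholds are assumed values for the example, not figures from the report."""
    recent = defaultdict(deque)  # process -> recent targeted-file events, oldest first
    alerted, alerts = set(), []
    for ev in sorted(parse_events(log_text), key=lambda e: e.ts):
        if ev.category is None:
            continue
        q = recent[ev.process]
        q.append(ev)
        cutoff = ev.ts - timedelta(seconds=window_seconds)
        while q and q[0].ts < cutoff:
            q.popleft()  # drop events that fell out of the window
        cats = {e.category for e in q}
        if len(q) >= min_files and len(cats) >= min_categories and ev.process not in alerted:
            alerted.add(ev.process)  # first crossing only; later bursts by the same process are not re-alerted
            alerts.append({
                "process": ev.process,
                "window_start": q[0].ts.isoformat(),
                "window_end": ev.ts.isoformat(),
                "files": len(q),
                "categories": sorted(cats),
                "paths": [e.path for e in q],
            })
    return alerts


if __name__ == "__main__":
    for a in detect_file_harvest(SAMPLE_EVENTS):
        print(f"{a['process']}: {a['files']} targeted files across {a['categories']} "
              f"between {a['window_start']} and {a['window_end']}")
```

On the constructed events only updater.exe trips the rule: it touches documents, a database file and source code within five seconds, while WINWORD.EXE and code.exe stay inside one or two categories typical of their purpose. The untargeted wallet.dat read is ignored by the extension filter, which is the kind of gap a production rule would close by adding wallet and browser-profile paths to the categories.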
Impact & Mitigation
Impact
- The stealer can harvest credentials and sensitive data from crypto wallets, which are primarily browser-based.
- The stolen data can be used to commit financial fraud and to further target the victims.
Mitigation
- Implement multifactor authentication using an offline token generator such as Google Authenticator.
- Implement a multi-signature approach for funds held in wallets.
Appendix
Figure: Prynt stealer available for USD 100
Figure: Telegram bot used to create a bot