Researchers have found new malware in the wild that targets users’ information. Dubbed “Prynt”, the stealer exhibits multiple functionalities, including those of a keylogger and a clipper.
About Prynt Stealer Malware
As detailed in a recent report from Cyble, the “Prynt” stealer is a new threat circulating online. The malware carries a broad set of malicious capabilities that let its operators carry out a variety of operations on the infected machine.
Presently, the malware is making the rounds in underground marketplaces, where its authors sell it for just $100/month. The sellers also lure customers by claiming that the malware is “fully undetectable” (FUD). The claim reflects that the malware is a new arrival that existing antimalware programs do not yet detect.
Technical analysis shows Prynt to be a .NET-based binary whose strings are obfuscated with the AES256/Rijndael encryption algorithm.
In brief, an obfuscated binary string is further encoded with the rot13 cipher. Rather than dropping a payload to disk, the malware loads and executes it directly in memory using the AppDomain.CurrentDomain.Load() method. It then uses ServicePointManager to communicate with the C&C over an encrypted channel.
Upon establishing itself on the target device, the malware creates a hidden directory in the AppData folder, with several subfolders in which it stores the data stolen from the machine. Next, it scans the system for all connected drives, including removable ones, and steals information from them.
Range of Target Information To Steal
The range of file formats on its target list shows how broad the targeted information is: Prynt goes after document files, databases, source code, and image files. It also scans multiple browsers to exfiltrate their stored data, which shows the malware’s aim of stealing users’ login credentials, payment details, and cookies.
And its activity doesn’t stop there. Prynt also targets messaging apps such as Discord, Telegram, and Pidgin. In addition, it scans the infected machine for games, crypto wallets, FTP files, and device identifier details. Notably, it also steals the configuration files of popular VPNs, including NordVPN, ProtonVPN, and OpenVPN.
Even worse, the malware reads and steals the Windows activation key from the “HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion” registry location.
After stealing all the desired data, the malware compresses the collection folder and sends it to a Telegram bot, which in turn forwards it to the C&C over an encrypted network connection.
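Exfiltration through a Telegram bot is a detectable choke point for defenders: the Bot API lives on a single public host (api.telegram.org) and its upload calls are recognisable by path. The script below is an added example, not code from Cyble’s report or from the Prynt sample itself; the pipe-delimited proxy log format, the process paths and the bot tokens are constructed placeholders. It flags any Bot API request seen in the proxy log and rates file-upload methods or large request bodies higher than a short sendMessage beacon, while redacting the secret part of the token before it lands in an alert.

```python
"""Hunt for Telegram Bot API uploads in web-proxy logs.

Added example (not from the Cyble report or the Prynt sample): the log format,
sample records and bot tokens below are constructed for illustration only.
"""
import re
from dataclasses import dataclass
from typing import Iterable, List

# Constructed proxy records (not real data):
# timestamp|client_ip|process_image|http_method|url|request_bytes
SAMPLE_PROXY_LOG = """\
2024-05-01T10:01:02Z|10.0.0.5|C:\\Program Files\\Mozilla Firefox\\firefox.exe|GET|https://www.example.com/|512
2024-05-01T10:02:17Z|10.0.0.5|C:\\Users\\alice\\AppData\\Roaming\\updater.exe|POST|https://api.telegram.org/bot1234567890:AAPLACEHOLDERTOKEN/sendDocument|3145728
2024-05-01T10:03:40Z|10.0.0.7|C:\\Program Files\\Telegram Desktop\\Telegram.exe|POST|https://www.example.com/login|2048
2024-05-01T10:04:00Z|10.0.0.9|C:\\Windows\\System32\\curl.exe|POST|https://api.telegram.org/bot9876543210:AAPLACEHOLDERTOKEN/sendMessage|300
"""

# Bot API calls have the shape https://api.telegram.org/bot<token>/<method>
BOT_API_RE = re.compile(r"https?://api\.telegram\.org/bot(?P<token>[^/\s]+)/(?P<method>[A-Za-z]+)")
# Methods that carry a file body; compared case-insensitively
UPLOAD_METHODS = {"senddocument", "sendphoto", "sendvideo", "sendaudio", "sendanimation"}
LARGE_UPLOAD_BYTES = 1_000_000  # threshold is an assumption; tune to your environment


@dataclass
class Alert:
    ts: str
    client_ip: str
    image: str
    api_method: str
    request_bytes: int
    severity: str
    token_hint: str  # bot id only; the secret half of the token never reaches the alert


def redact_token(token: str) -> str:
    """Keep only the numeric bot id (the part before ':') so an analyst can
    correlate alerts without the alert store holding a usable token."""
    bot_id = token.split(":", 1)[0]
    return f"{bot_id}:<redacted>"


def classify(api_method: str, request_bytes: int) -> str:
    """File-upload methods or large POST bodies are a stronger exfiltration
    signal than a short text beacon, so they get a higher severity."""
    if api_method.lower() in UPLOAD_METHODS or request_bytes >= LARGE_UPLOAD_BYTES:
        return "high"
    return "medium"


def detect_bot_api_exfil(lines: Iterable[str]) -> List[Alert]:
    """Return one Alert per proxy record that calls the Telegram Bot API."""
    alerts: List[Alert] = []
    for raw in lines:
        raw = raw.strip()
        if not raw or raw.startswith("#"):
            continue
        parts = raw.split("|")
        if len(parts) != 6:
            continue  # malformed record: skip it rather than abort the whole hunt
        ts, client_ip, image, _http_method, url, size = parts
        match = BOT_API_RE.search(url)
        if not match:
            continue
        try:
            request_bytes = int(size)
        except ValueError:
            request_bytes = 0  # unknown size still produces an alert, just not a size-based one
        method = match.group("method")
        alerts.append(Alert(ts, client_ip, image, method, request_bytes,
                            classify(method, request_bytes),
                            redact_token(match.group("token"))))
    return alerts


if __name__ == "__main__":
    for a in detect_bot_api_exfil(SAMPLE_PROXY_LOG.splitlines()):
        print(f"[{a.severity}] {a.ts} {a.client_ip} {a.image} -> {a.api_method} "
              f"({a.request_bytes} bytes) bot={a.token_hint}")
```

Run against the constructed log, the script produces two alerts: a high-severity one for the 3 MB sendDocument call from an executable under a user’s AppData folder, and a medium-severity one for the small sendMessage call from curl.exe; the Firefox and Telegram Desktop records are ignored because neither touches the Bot API. In a real deployment the per-process allowlist and the size threshold are the knobs worth tuning, and the bot id kept in the alert is enough to pivot on across hosts.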
Keylogger And Clipper Functionalities
Apart from its info-stealing functionalities, Prynt also serves as a powerful clipper (stealing information from the clipboard) and keylogger.
It also employs techniques to evade antimalware detection, which makes it all the more destructive.
While Prynt is new malware that is not currently active, its dangerous capabilities make it a lucrative opportunity for criminal hackers to run large-scale malicious campaigns. Hence, the researchers warn users to remain cautious and avoid common malware-spreading routes, such as downloading cracked software and torrenting.