A Telegram channel-based backdoor has been discovered in Prynt Stealer, which secretly steals a copy of the data stolen from other cybercriminals. The backdoor exists in every copy and variant of malware families developed using Prynt Stealer builder.
Diving into the secret backdoor
Researchers from Zscaler disclosed that the developer of Prynt Stealer builder added a backdoor Telegram channel with the malware code.
The backdoor code sends copies of stolen data of other attackers to a private Telegram chat controlled by the builder's developers.
Further, researchers spotted cracked or leaked copies of Prynt Stealer available on several Telegram Channels for free, which had the same backdoor.
The presence of the same embedded Telegram channel across all malware variants revealed that the malware author is not only charging some of their their clients for the malware use but also receiving the stolen data.
The malware’s source code seems to have been directly copied and pasted from multiple repositories.
The main code for sending information to Telegram is copied from StormKitty, with some minor changes.
The author further added two new fields to the AsyncRAT configuration codebase for stealing data using Telegram.
Prynt Stealer does not use the anti-analysis code from either AsyncRAT or StormKitty. It has developed its own technique.
Prynt Stealer builder is backdoored with DarkEye Stealer and Loda RAT.
Researchers spotted at least two more variants of the stealers WorldWind and DarkEye written by the same author.
DarkEye is not sold publicly, yet it comes bundled as a backdoor with a free Prynt Stealer builder.
The free availability of malware source code has made it easier for malware authors to enhance their malware or build a new one. However, Prynt Stealer's author tried to outsmart other cybercriminals by trying to steal from them via a backdoor. You, as a user, stay vigilant and avoid any malpractice that makes the job of such cybercriminals easier.