In a stunning development, Chinese printer manufacturer Procolored faces backlash after allegedly distributing clipboard-hijacking Bitcoin malware through its official driver packages. This supply chain attack may have caused users to lose over $950,000 in stolen cryptocurrency.
A May 19 report from Landian News revealed that the Shenzhen-based company embedded malicious backdoor software into its USB printer drivers. Procolored then uploaded the infected files to cloud storage, making them globally available for download. Users who installed the drivers unknowingly exposed their systems to the malware.
This malware monitors clipboard activity. When a user copies a Bitcoin (BTC) wallet address, for example while preparing a transaction, the malware silently overwrites the clipboard contents with an address controlled by the attacker. The user then pastes and confirms the attacker's address without noticing, and the funds are redirected.
Cybersecurity firm SlowMist confirmed the threat in a post on X (formerly Twitter). They stated:
“The official driver provided by this printer carries a backdoor program. It hijacks the wallet address in the user’s clipboard and replaces it with the attacker’s address.”
As of now, the attacker has stolen over 9.3 BTC, worth approximately $953,000.
This incident illustrates the rising threat of supply chain attacks, particularly when they originate from trusted hardware vendors. It also serves as a critical reminder for cryptocurrency users to compare the full pasted wallet address against the intended one before confirming any transaction, no matter how legitimate the source may seem.
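The substitution mechanism described above, and the "check the address" advice, as an added Python example that is not part of the original report and is not the malware's own code: it builds a checksum-valid P2PKH address from a chosen hash160 (to make visible that an attacker's address passes ordinary address validation), simulates the rewrite against a constructed in-memory clipboard, and runs a canary check (write a known address, read it back, compare) that is the practical way to expose a clipper on a live system. `FakeClipboard`, the all-zero "attacker" hash160 and all function names are assumptions made for the example; the genesis-block address is used as the intended destination.

```python
import hashlib
import re

# Base58 alphabet used by legacy Bitcoin addresses (no 0, O, I or l).
B58_ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"

# Loose shape match for mainnet addresses: legacy 1.../3... (Base58) and bc1... (bech32).
# A clipper only needs "looks like an address"; it does not validate before rewriting.
BTC_ADDRESS_RE = re.compile(
    r"\b(?:bc1[a-z0-9]{25,62}|[13][1-9A-HJ-NP-Za-km-z]{25,34})\b"
)


def b58encode(raw: bytes) -> str:
    """Base58-encode raw bytes, emitting one leading '1' per leading zero byte."""
    n = int.from_bytes(raw, "big")
    digits = []
    while n:
        n, r = divmod(n, 58)
        digits.append(B58_ALPHABET[r])
    pad = len(raw) - len(raw.lstrip(b"\x00"))
    return "1" * pad + "".join(reversed(digits))


def b58decode(text: str) -> bytes:
    """Inverse of b58encode; raises ValueError on characters outside the alphabet."""
    n = 0
    for ch in text:
        n = n * 58 + B58_ALPHABET.index(ch)
    body = n.to_bytes((n.bit_length() + 7) // 8, "big") if n else b""
    pad = len(text) - len(text.lstrip("1"))
    return b"\x00" * pad + body


def checksum4(payload: bytes) -> bytes:
    """Base58Check checksum: first 4 bytes of SHA256(SHA256(payload))."""
    return hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4]


def make_p2pkh_address(hash160: bytes) -> str:
    """Build a mainnet P2PKH address (version byte 0x00) from a 20-byte hash160."""
    if len(hash160) != 20:
        raise ValueError("hash160 must be exactly 20 bytes")
    payload = b"\x00" + hash160
    return b58encode(payload + checksum4(payload))


def is_valid_base58check(addr: str) -> bool:
    """True if addr decodes to version||hash160||checksum with a matching checksum."""
    try:
        raw = b58decode(addr)
    except ValueError:
        return False
    return len(raw) == 25 and checksum4(raw[:21]) == raw[21:]


def clipper_substitute(clipboard_text: str, attacker_addr: str) -> str:
    """What a clipboard hijacker does: rewrite every address-looking token."""
    return BTC_ADDRESS_RE.sub(attacker_addr, clipboard_text)


class FakeClipboard:
    """Constructed stand-in for the OS clipboard. With attacker_addr set it behaves
    like a host that has a clipper installed (the rewrite happens on write)."""

    def __init__(self, attacker_addr=None):
        self._buf = ""
        self._attacker = attacker_addr

    def write(self, text: str) -> None:
        self._buf = clipper_substitute(text, self._attacker) if self._attacker else text

    def read(self) -> str:
        return self._buf


def clipboard_canary_check(write, read, canary_addr: str):
    """Write a known address, read it back, compare. Returns (clean, observed)."""
    write(canary_addr)
    observed = read()
    return observed == canary_addr, observed


if __name__ == "__main__":
    intended = "1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa"  # Bitcoin genesis-block address
    attacker = make_p2pkh_address(bytes(20))           # constructed, checksum-valid
    print("attacker address passes checksum validation:", is_valid_base58check(attacker))
    for cb in (FakeClipboard(), FakeClipboard(attacker)):
        clean, seen = clipboard_canary_check(cb.write, cb.read, intended)
        print("clean" if clean else "HIJACKED", seen)
```

The design point is that address validation cannot catch this attack: the attacker's address is a properly formed, checksum-valid address, so the only defence is comparing what was pasted against what was intended. To run the canary check on a real machine, pass a real clipboard library's copy and paste functions (for example `pyperclip.copy` and `pyperclip.paste`, an assumption about that library's API) in place of the `FakeClipboard` methods.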
YouTuber Uncovers Malware in Procolored Drivers
Tech YouTuber Cameron Coward was the first to raise the alarm. While testing a Procolored UV printer, his antivirus software flagged the company's official drivers as malicious. The scan detected a worm and a trojan (flagged as Foxif) hidden in the driver files.
Coward shared his discovery on Reddit, drawing attention from the cybersecurity community. Following his post, Landian News issued a public advisory. They urged anyone who had downloaded Procolored drivers in the past six months to run a full antivirus scan. However, experts cautioned that such scans are not always foolproof.
“When dealing with potential system compromise, take no risks. The safest approach is to reinstall your operating system and thoroughly examine any saved files,” the outlet recommended.
This case underscores the growing trend of malware being bundled with seemingly legitimate software, a tactic frequently used in sophisticated cyberattacks targeting supply chains.
Cybersecurity Firm Verifies Crypto-Stealing Malware in Procolored Software
Procolored initially denied the accusations and dismissed the antivirus alerts as false positives, but independent findings soon contradicted that position. After Coward's Reddit post gained traction, German cybersecurity firm G DATA conducted its own investigation.
G DATA found that many of Procolored’s drivers were being distributed via the MEGA file-sharing platform, with uploads dating back to October 2023. Their analysis confirmed the presence of two distinct types of malware:
- A remote access trojan (Win32.Backdoor.XRedRAT.A)
- A clipboard hijacker designed to intercept cryptocurrency transactions
G DATA reached out to Procolored, which admitted the breach. The company said it had removed the compromised files on May 8 and re-scanned all driver packages. In its response, Procolored attributed the infection to a compromise upstream of its own release process, stating that infected USB drives introduced the malware before the files were uploaded online.
This incident reinforces the urgency of protecting digital supply chains and implementing rigorous security checks for all software deployments, especially when financial assets like cryptocurrency are involved.