Researchers discovered a private Telegram channel-based backdoor in the information stealing malware, dubbed Prynt Stealer, which its developer added with the intention of secretly stealing a copy of victims' exfiltrated data when used by other cybercriminals.
"While this untrustworthy behavior is nothing new in the world of cybercrime, the victims' data end up in the hands of multiple threat actors, increasing the risks of one or more large scale attacks to follow," Zscaler ThreatLabz researchers Atinderpal Singh and Brett Stone-Gross said in a new report.
Prynt Stealer, which came to light earlier this April, comes with capabilities to log keystrokes, steal credentials from web browsers, and siphon data from Discord and Telegram. It's sold for $100 for a one-month license and $900 for a lifetime subscription.
The cybersecurity firm analysis of Prynt Stealer shows that its codebase is derived from two other open source malware families, AsyncRAT and StormKitty, with new additions incorporated to include a backdoor Telegram channel to collect the information stolen by other actors to the malware's author.
The code responsible for Telegram data exfiltration is said to be copied from StormKitty, but for a few minor changes.
Also included is an anti-analysis feature that equips the malware to continuously monitor the victim's process list for processes such as taskmgr, netstat, and wireshark, and if detected, block the Telegram command-and-control communication channels.
While bad actors have employed similar data stealing tactics in the past where the malware is given away for free, the development marks one of the rare instances where a stealer that's sold on a subscription basis is also sending the plundered information back to its developer.
"Note that there are cracked/leaked copies of Prynt Stealer with the same backdoor, which in turn will benefit the malware author even without direct compensation," the researchers said.
Zscaler said it identified two more variants of Prynt Stealer that go by the names WorldWind and DarkEye and are written by the same author, the latter of which is bundled as an implant with a "free" Prynt Stealer builder.
The builder is also designed to drop and execute a remote access trojan called Loda RAT, an AutoIT-based malware that's able to access and exfiltrate both system and user information, act as a keylogger, take screenshots, launch and terminate processes, and download additional malware payloads via a connection to a C2 server.
"The free availability of source code for numerous malware families has made development easier than ever for less sophisticated threat actors," the researchers concluded.
"The Prynt Stealer author went a step further and added a backdoor to steal from their customers by hardcoding a Telegram token and chat ID into the malware. As the saying goes, there is no honor among thieves."