An underground info-stealer also stole from its buyers – if you want to call stealing stolen data stealing.
As part of the professionalization of the cybercrime underground, there is also an increasing number of commercial malware offerings. Infostealers, which specialize in harvesting data from infected computers, are a growing line of business: passwords, hashes, cookies, credit card data, crypto wallets, documents – in short, everything that can somehow be monetized is systematically collected by such a malicious program and sent to its owner. And often to other criminals as well.
The core of the Prynt Stealer relies on open source projects such as StormKitty, which take on the task of tracking down and collecting the information. The actual added value of the commercial product consists above all in what is known as being “undetected”, i.e. keeping the malware hidden from antivirus scanners. Since antivirus vendors constantly update their signatures, this requires regular updates. Cybercriminals who don’t want to take care of it themselves are happy to buy this service for around $100 a month (payable in Bitcoin, of course).
In addition, Prynt provides a graphical builder to customize the functionality of the purchased product. In particular, buyers set where their version of Prynt should deliver the stolen data. But as Zscaler has now discovered, the info-stealer always secretly copies the data into a Telegram channel as well, which the Prynt developer presumably evaluates for his own purposes. Certainly only “in the interests of its customers for performance optimization and error elimination” – as regular software and service providers like to claim when they are caught monitoring or stealing from their customers.
Pay or not?
Schadenfreude aside, this 243rd example of such a hidden additional function in malware – the number is fictitious, by the way – also provides an important lesson for dealing with cybercriminals. Even if they swear up and down that they will delete all copies of the stolen data once you meet their demands, and even if they genuinely intend to keep that promise, you can never count on them being the only ones with access to that data. Paying a ransom to protect yourself from publication or resale of stolen data is therefore associated with a high risk.