Security researchers at Cyble recently reported on a new Windows info-stealer malware known as Prynt Stealer. After initial compromise, the malware targets all widely used browsers, messaging apps, gaming apps, cryptocurrency wallets, file transfer applications, keyboard input, clipboard data, and VPN account credentials; login credentials and account information are extracted for use in further compromise or digital theft. The malware can also directly compromise cryptocurrency assets. Stolen data is encrypted and then exfiltrated via a Telegram bot, which in turn passes the information to a remote Command and Control (C2) server.
The rapidly expanding info-stealer underground economy sells access to compromised accounts as well as customized info-stealers to threat actors for specific campaigns and targeting. Info-stealers such as Prynt Stealer can lead to further compromise including ransomware, data extortion, espionage, and destructive attacks.
While the situation may change quickly, the current primary exploitation vector for Prynt Stealer appears to be trojanized files posing as pirated software. Because “bring your own device” (BYOD) and “work from home” (WFH) policies are currently in place, organizations should regularly conduct cyber awareness training that discourages the use of pirated software, and should block the URLs of torrent and warez sites. Password re-use should be discouraged, as credentials and passwords obtained by threat actors are used to attempt compromise of organizational accounts. Organizations can also conduct beacon analysis of network activity in order to identify and block data exfiltration. Since individual compromise is inevitable, post-exploitation detection and threat hunting – a service offered by Binary Defense – is an essential layer of a defense-in-depth approach to limit and mitigate such attacks.
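As an added illustration of the beacon analysis recommended above (example code written for this page, not from Cyble's report or Binary Defense's tooling), the script below groups outbound connections from constructed proxy-log lines by client and destination, measures how regular the gaps between connections are, and flags pairs whose cadence looks timer-driven. The log format, client address and the 5-minute check-in to the Telegram Bot API host api.telegram.org are assumptions made for the sample.

```python
"""Beacon analysis over constructed proxy-log lines.

A relay to a Telegram bot on a fixed timer produces near-identical
intervals between connections; ordinary browsing does not. The
coefficient of variation (stdev / mean) of the intervals separates the two.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample: "<ISO timestamp> <client_ip> <dest_host> <bytes_out>"
SAMPLE_LOG = """\
2022-04-25T09:00:02 10.0.0.5 api.telegram.org 4120
2022-04-25T09:00:04 10.0.0.5 www.example.com 512
2022-04-25T09:02:30 10.0.0.5 www.example.com 770
2022-04-25T09:05:01 10.0.0.5 api.telegram.org 4016
2022-04-25T09:07:44 10.0.0.5 www.example.com 9001
2022-04-25T09:10:03 10.0.0.5 api.telegram.org 4203
2022-04-25T09:15:02 10.0.0.5 api.telegram.org 3988
2022-04-25T09:20:01 10.0.0.5 api.telegram.org 4100
2022-04-25T09:25:03 10.0.0.5 api.telegram.org 4055
2022-04-25T09:31:10 10.0.0.5 www.example.com 2048
"""

def parse_log(text):
    """Parse the constructed log lines into (timestamp, client, host, bytes_out)."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, host, out = line.split()
        events.append((datetime.fromisoformat(ts), client, host, int(out)))
    return events

def beacon_scores(events, min_connections=4):
    """Map (client, host) -> (mean interval s, coefficient of variation, bytes out)."""
    by_pair = defaultdict(list)
    for ts, client, host, out in events:
        by_pair[(client, host)].append((ts, out))
    scores = {}
    for pair, hits in by_pair.items():
        if len(hits) < min_connections:  # too few samples to judge cadence
            continue
        hits.sort()
        gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(hits, hits[1:])]
        avg = mean(gaps)
        cv = pstdev(gaps) / avg if avg else 0.0  # low CV = timer-like check-ins
        scores[pair] = (avg, cv, sum(out for _, out in hits))
    return scores

def flag_beacons(scores, max_cv=0.1):
    """Return the (client, host) pairs whose cadence is regular enough to hunt on."""
    return sorted(pair for pair, (_, cv, _) in scores.items() if cv <= max_cv)

if __name__ == "__main__":
    for pair in flag_beacons(beacon_scores(parse_log(SAMPLE_LOG))):
        print("possible beacon:", pair)
```

Legitimate software (update checks, chat clients) also connects on timers, so a flagged pair is a hunting lead to be confirmed against the host, not a verdict on its own.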