Threat analysts have recently discovered Prynt Stealer, a new addition to the expanding realm of info-stealer malware. It offers formidable capabilities and adds keylogger and clipper modules. Prynt Stealer targets web browsers, messaging applications, gaming apps, and financial institutions.
The tool’s developers sell it as a time-based subscription for $100 per month, $200 per quarter, or $700 for a year, but it may also be purchased as a lifetime license for $900. Buyers may also use the malware’s constructor to produce a tailored, slim, and difficult-to-detect version of Prynt for use in targeted operations.
Malware analysts at Cyble investigated Prynt to assess the new info-stealer and found that the program was built with stealth in mind, using binary obfuscation and Rijndael-encrypted strings. Furthermore, all of its C2 communications are AES256 encrypted, and the AppData folder (and subfolders) created to temporarily store stolen data before exfiltration are hidden.
Prynt Stealer begins by scanning all drives on the host for documents, database files, source code files, and image files smaller than 5,120 bytes (5 KB). The malware next goes for autofill data, credentials (account passwords), credit card information, search history, and cookies saved in Chrome, MS Edge, and Firefox.
The malware then uses a ScanData() function to search the collected browser data for terms related to banking, cryptocurrency, or porn sites and collects any matching entries. Prynt then goes after messaging programs like Discord, Pidgin, and Telegram, stealing Discord tokens if they are present on the system.
It also takes permission information, save game files, and other critical data from the Ubisoft Uplay, Steam, and Minecraft gaming software. The malware then searches the registry for data folders of cryptocurrency wallets such as Zcash, Armory, Bytecoin, Jaxx, Ethereum, AtomicWallet, Guarda, and Coinomi.
Threat actors gather these data folders because they include the real wallet configuration files and databases, allowing them to steal the bitcoin contained within them. Finally, Prynt grabs information from FileZilla, OpenVPN, NordVPN, and ProtonVPN, copying account credentials to the respective AppData subdirectory.
Prynt Stealer conducts a general system profiling activity prior to exfiltration, including enumerating running processes, capturing a snapshot of the summary, and packaging it with the network credentials and Windows product key used on the host machine. The compressed data is eventually stolen via a Telegram bot that uses a secure encrypted network connection to send everything to a remote server.
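The exfiltration path described above (a Telegram bot reached over an encrypted connection) gives defenders a hunting angle: the bot API host is fixed, so outbound traffic to it from anything other than an expected Telegram client, or an unusually large upload to it, is worth an alert. The following detection logic is an added example, not code from the article or from Cyble; the proxy log format, the process names and the size threshold are all constructed assumptions for illustration.

```python
import re
from dataclasses import dataclass

# Constructed sample proxy log lines (not real telemetry).
# Fields: timestamp  src_ip  process  dest_host  method  bytes_out
SAMPLE_LOG = """\
2022-04-20T10:01:03Z 10.0.0.15 chrome.exe www.example.com GET 812
2022-04-20T10:01:09Z 10.0.0.15 Telegram.exe api.telegram.org POST 2048
2022-04-20T10:02:41Z 10.0.0.22 svchost_update.exe api.telegram.org POST 1843200
2022-04-20T10:03:02Z 10.0.0.22 svchost_update.exe api.telegram.org POST 96
2022-04-20T10:05:17Z 10.0.0.31 firefox.exe cdn.example.net GET 4410
"""

# Host that Telegram bot clients talk to. Legitimate desktop clients reach it
# too, so the process context is what separates normal use from exfiltration.
BOT_API_HOSTS = {"api.telegram.org"}
# Process names a site expects to contact the bot API (assumption; lower-cased).
ALLOWED_PROCESSES = {"telegram.exe"}
# A single POST above this size is treated as a likely archive upload (assumption).
LARGE_UPLOAD_BYTES = 1_000_000

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>\S+)\s+(?P<proc>\S+)\s+(?P<host>\S+)\s+"
    r"(?P<method>\S+)\s+(?P<bytes>\d+)$"
)


@dataclass(frozen=True)
class Alert:
    ts: str
    src: str
    proc: str
    host: str
    reason: str


def parse_line(line):
    """Return a dict for one well-formed log line, or None for junk."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["bytes"] = int(rec["bytes"])
    return rec


def find_bot_exfil(log_text):
    """Scan log text and return one Alert per suspicious bot-API connection."""
    alerts = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["host"].lower() not in BOT_API_HOSTS:
            continue
        reasons = []
        if rec["proc"].lower() not in ALLOWED_PROCESSES:
            reasons.append("unexpected process contacting bot API")
        if rec["method"] == "POST" and rec["bytes"] >= LARGE_UPLOAD_BYTES:
            reasons.append("large upload to bot API")
        if reasons:
            alerts.append(Alert(rec["ts"], rec["src"], rec["proc"],
                                rec["host"], "; ".join(reasons)))
    return alerts


if __name__ == "__main__":
    for a in find_bot_exfil(SAMPLE_LOG):
        print(f"{a.ts} {a.src} {a.proc} -> {a.host}: {a.reason}")
```

Run against the constructed log, the two connections from the unexpected `svchost_update.exe` process are flagged and the genuine Telegram client is not; the large-upload rule is a second, independent signal that also fires on the first of those two lines. In practice the process allowlist should be built from an inventory of what is actually installed rather than a single hard-coded name.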
Apart from the mentioned capabilities, which are comparable to those of most modern data thieves, Prynt also includes a clipper and a keylogger.
A clipper is a tool that scans data copied to a compromised machine’s clipboard for cryptocurrency wallet addresses and replaces them on-the-fly with an address controlled by the threat actor. When a victim tries to send bitcoin to a specific address, the malware alters the recipient’s address behind the user’s back, diverting the money to the hackers.
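The substitution a clipper performs leaves a visible trace: the clipboard holds one wallet address immediately after the user copies it, and a different address of the same kind a moment later, with no new copy action in between. The following detector over a series of clipboard snapshots is an added example, not code from the article or from Cyble; the address patterns are deliberately simplified, the two-second window is an assumption, and the snapshots are constructed rather than captured from a real clipboard.

```python
import re
from dataclasses import dataclass

# Simplified, illustrative address patterns (assumption; not full validation).
ADDRESS_PATTERNS = {
    "bitcoin": re.compile(r"^(bc1[a-z0-9]{25,62}|[13][a-km-zA-HJ-NP-Z1-9]{25,34})$"),
    "ethereum": re.compile(r"^0x[0-9a-fA-F]{40}$"),
}


@dataclass(frozen=True)
class Snapshot:
    t: float   # seconds since the monitor started
    text: str  # clipboard contents at that moment


def classify(text):
    """Return the address kind the text looks like, or None if it is not an address."""
    for kind, pattern in ADDRESS_PATTERNS.items():
        if pattern.match(text.strip()):
            return kind
    return None


def detect_clipboard_swaps(snapshots, window_s=2.0):
    """Flag an address that is replaced, within window_s seconds, by a
    different address of the same kind. A user rarely copies two distinct
    addresses that quickly; a clipper does it in milliseconds."""
    alerts = []
    prev = None
    for snap in snapshots:
        kind = classify(snap.text)
        if prev is not None and kind is not None:
            same_kind = classify(prev.text) == kind
            changed = snap.text.strip() != prev.text.strip()
            if same_kind and changed and (snap.t - prev.t) <= window_s:
                alerts.append((prev.text, snap.text, kind))
        prev = snap
    return alerts


# Constructed clipboard history: the user copies a BTC address at t=0 and the
# clipboard holds a different BTC address 0.4 s later (the clipper signature).
# Later entries are benign: plain text, an ETH address that stays unchanged,
# and a different ETH address copied 20 s after the first.
SAMPLE_SNAPSHOTS = [
    Snapshot(0.0, "bc1qexampleaddressconstructed000000000000a"),
    Snapshot(0.4, "bc1qattackercontrolledconstructed00000000b"),
    Snapshot(10.0, "hello"),
    Snapshot(20.0, "0xabcdef0123456789abcdef0123456789abcdef01"),
    Snapshot(20.5, "0xabcdef0123456789abcdef0123456789abcdef01"),
    Snapshot(40.0, "0x0123456789abcdef0123456789abcdef01234567"),
]

if __name__ == "__main__":
    for before, after, kind in detect_clipboard_swaps(SAMPLE_SNAPSHOTS):
        print(f"possible clipper: {kind} address {before} became {after}")
```

Only the rapid bitcoin-to-bitcoin change is reported; the unchanged Ethereum address and the second Ethereum address copied much later are not. The same logic can be fed by any clipboard-polling agent, and the end-user habit it encodes is the simplest mitigation: re-read the pasted address against the intended one before confirming a transfer.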
The keylogger is a separate module that allows remote malware operators to steal large amounts of data by capturing keystrokes. Prynt is the latest in a long line of data-stealing malware programs accessible to hackers, many of which have surfaced in the wild.
While its keylogger, clipper, comprehensive stealing capabilities, and covert operation make it an excellent candidate for widespread deployment, its relatively high price (compared to other newly released malware) and shaky server infrastructure stability may limit its spread. Prynt is still a harmful malware that may steal sensitive user data and cause considerable financial losses, account compromise, and data breaches.