Researchers have discovered a backdoor in the information-stealing malware known as Prynt Stealer: a private Telegram channel that its developer added in order to secretly receive a copy of the data exfiltrated from victims whenever other cybercriminals use the malware.
Prynt Stealer, which came to light earlier this April, can log keystrokes, steal credentials from web browsers, and siphon data from Discord and Telegram. It is sold for $100 for a one-month license and $900 for a lifetime subscription.
The cybersecurity firm's analysis of Prynt Stealer shows that its codebase is derived from two other open-source malware families, AsyncRAT and StormKitty, with additions that include a backdoor Telegram channel through which the information stolen by other operators is also forwarded to the malware's author.
The code responsible for Telegram data exfiltration is said to have been copied from StormKitty, apart from a few minor changes.
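From a defender's point of view, the backdoor described above means that one infected host ends up pushing stolen data to two Telegram destinations instead of one: the operator's and the author's. The following is an added example, not code from the researchers or from Prynt Stealer itself, showing how to surface that pattern from web-proxy telemetry. It assumes a simplified, constructed log format of `<host> <method> <url>` and assumes that the two destinations show up as two distinct Telegram Bot API token/chat_id pairs; how Prynt Stealer actually addresses the hidden channel is not stated on this page, so treat the heuristic as a starting point rather than a signature.

```python
import re
from collections import defaultdict

# Constructed sample proxy log lines (not real traffic) in the assumed
# "<host> <method> <url>" format. ws-01 posts to two different bot/chat
# pairs, ws-02 to one, ws-03 never talks to the Telegram Bot API.
SAMPLE_LOG = """\
ws-01 POST https://api.telegram.org/bot1111111111:AAAexampleTokenOne/sendDocument?chat_id=-1001000000001
ws-01 POST https://api.telegram.org/bot1111111111:AAAexampleTokenOne/sendMessage?chat_id=-1001000000001
ws-01 POST https://api.telegram.org/bot2222222222:AAAexampleTokenTwo/sendDocument?chat_id=-1002000000002
ws-02 POST https://api.telegram.org/bot3333333333:AAAexampleTokenThree/sendDocument?chat_id=-1003000000003
ws-03 GET https://www.example.org/index.html
"""

# Telegram Bot API URLs carry the bot token in the path ("/bot<id>:<secret>/")
# and the destination chat in the chat_id query parameter.
TG_RE = re.compile(
    r"https://api\.telegram\.org/bot(?P<token>[0-9]+:[A-Za-z0-9_-]+)"
    r"/(?P<method>\w+)(?:\?.*?chat_id=(?P<chat>-?\d+))?"
)


def parse_exfil_destinations(log_text):
    """Map each host to the set of (bot_token, chat_id) pairs it sent requests to."""
    dests = defaultdict(set)
    for line in log_text.splitlines():
        parts = line.split(maxsplit=2)
        if len(parts) != 3:
            continue  # malformed line, skip rather than guess
        host, _method, url = parts
        m = TG_RE.search(url)
        if not m:
            continue  # not a Telegram Bot API request
        dests[host].add((m.group("token"), m.group("chat")))
    return dict(dests)


def flag_double_exfil(dests):
    """Hosts whose Bot API traffic goes to more than one token/chat pair.

    A stealer configured by one operator normally reports to a single
    destination; two distinct destinations from one host matches the
    author-side backdoor pattern described in the article (assumption).
    """
    return sorted(host for host, pairs in dests.items() if len(pairs) > 1)


if __name__ == "__main__":
    found = parse_exfil_destinations(SAMPLE_LOG)
    for host, pairs in sorted(found.items()):
        print(host, len(pairs), "destination(s)")
    print("double-exfil candidates:", flag_double_exfil(found))
```

Two practical caveats: the token and chat_id live in the URL path and query, so this needs TLS-inspecting proxy logs or endpoint telemetry rather than plain DNS or NetFlow; and any traffic to api.telegram.org from a process that is not the Telegram client is already worth an alert on a corporate workstation, whether or not the two-destination pattern appears.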
Also included is an anti-analysis feature: the malware continuously monitors the victim's process list for processes such as taskmgr, netstat, and wireshark and, if one is detected, blocks the Telegram command-and-control channels.