Cybercriminals who use Prynt Stealer to collect data from victims are duped by the malware developer, who also receives a copy of the information via Telegram.

The malware developer inserted a backdoor into the infostealer builder, which is present in every resulting copy and is being rented to cyber criminals. The prices range from $100 per month or $700 per year to $900 for a lifetime subscription.

Prynt Stealer is capable of stealing cryptocurrency wallet information, and sensitive information stored in web browsers. The data includes credentials, credit cards, VPN account data, and cloud gaming account information.

Cyble examined Prynt Stealer in April 2022 and discovered inactive code for a clipper and keylogger, both of which are unusual functions for an infostealer.

Prynt Stealer typically compresses and exfiltrates data to a channel controlled by the cybercriminal via a Telegram bot.

However, according to a report from cloud security firm Zscaler, the malware includes a hardcoded Telegram token and ID that is used to send stolen data to the author behind the operator’s back.

Built for scamming

The code for Prynt Stealer is based on the AsyncRAT remote access tool and the StormKitty infostealer. The developer made minor changes to some of the features while removing others.

Prynt Stealer is also very similar to the malware families WorldWind and DarkEye, implying that the same author created all.

The builder in Prynt Stealer assists inexperienced cybercriminals to configure the malware for deployment by setting all parameters and letting the automated tool do the work.

Analysts at Zscaler obtained a leaked copy of the builder and discovered that during execution. A loader retrieves ‘DarkEye Stealer’ from Discord and configures it to exfiltrate data to the author.

DarkEye is a variant of Prynt Stealer, they differ in clipper and keylogger functionality in the former is enabled and disabled in the latter.

Dev backdoors malware

Furthermore, the malware author instructs the builder to drop and execute LodaRAT, an old (2017). But potent trojan allows remote actors to take control of the infected system, steal data, and fetch additional payloads.

Because the backdoor in Prynt Stealer is revealed, the cybercriminals who use it are likely to look elsewhere. Because they do not currently promote on hacking forums, it seems Prynt Stealer author has two products in the works.