The official RVTools website is hacked to serve compromised installers of the popular VMware Environment Reporting Utility.
“Robware.net and rvtools.com are currently offline. We are working quickly to restore our services and evaluate your patience,” the company said in a statement posted to its website.
“robware.net and rvtools.com is the only approved and supported website for RVTools software. Please do not search or download RVTools software from other websites or sources.”
The development comes after security researcher Aidan Leon revealed that an infected version of the installer downloaded from the website is being used to sideload a malicious DLL that turns out to be a known malware loader called Bumblebee.
Currently, the Trojanized version of RVTools can be downloaded for a longer period of time than installed before the site went offline.
In the interim, it is recommended that users verify the hash of the installer and check the execution of version.dll from the user directory.
The disclosure comes when it becomes clear that official software provided by the Procolation Printer contains a Delphi-based backdoor called Xred and a clipper malware called Clipper Malware that can replace the Clipboard wallet address with one of a hard-coding address.
Details of the malicious activity were first discovered by Cameron Coward, behind the serial enthusiasts on their YouTube channel.
Considered active since at least 2019, Xred comes with the ability to propagate through system information, log keystrokes, the ability to perform commands sent from attacker-controlled servers, which will allow you to screenshots, file system and directory enumeration, download files, and delete files from the system.
“[SnipVex] Search the clipboard for content similar to BTC addresses and replace it with the attacker’s address so that cryptocurrency transactions are diverted to attackers.”
But with an interesting twist, the malware infects Clipper’s functionality with .exe files and finally uses the infection marker sequence (0x0a 0x0b 0x0c) to prevent the file from reinfecting again. The wallet address in question has received 9.30857859 BTC (approximately $974,000) so far.
Procolored has since admitted that the software package was uploaded to the Mega file hosting service in October 2024 via a USB drive, and that malware may have been introduced during this process. Software downloads are currently only available for F13 Pro, VF13 Pro, and V11 Pro products.
“The malware command and control server has been offline since February 2024,” pointed out Hearn. “It is impossible for Xred to establish a successful remote connection after that date. The accompanying clip bunker virus Snipvex is still a serious threat. Trading to BTC addresses was stopped on March 3, 2024, but the file infection itself is damaging to the system.”
Source link
