The official site for RVTools has been hacked to serve a compromised installer for the popular VMware environment reporting utility.
“Robware.net and RVTools.com are currently offline. We are working expeditiously to restore service and appreciate your patience,” the company said in a statement posted on its website.
“Robware.net and RVTools.com are the only authorized and supported websites for RVTools software. Do not search for or download purported RVTools software from any other websites or sources.”
The development comes after security researcher Aidan Leon revealed that an infected version of the installer downloaded from the website was being used to sideload a malicious DLL that turned out to be a known malware loader called Bumblebee.
It’s currently not known how long the trojanized version of RVTools had been available for download and how many had installed it before the site was taken offline.
In the interim, users are recommended to verify the installer’s hash and review any execution of version.dll from user directories.
The disclosure comes as it has come to light that the official software supplied with Procolored printers included a Delphi-based backdoor called XRed and a clipper malware dubbed SnipVex that’s capable of substituting wallet addresses in the clipboard with that of a hard-coded address.
Details of the malicious activity were first discovered by Cameron Coward, who is behind the YouTube channel Serial Hobbyism.
XRed, believed to be active since at least 2019, comes with features to collect system information, log keystrokes, propagate via connected USB drives, and execute commands sent from an attacker-controlled server to capture screenshots, enumerate file systems and directories, download files, and delete files from the system.
“[SnipVex] searches the clipboard for content that resembles a BTC address and replaces it with the attacker’s address, such that cryptocurrency transactions will be diverted to the attacker,” G DATA researcher Karsten Hahn, who further investigated the incident, said.
But in an interesting twist, the malware infects .EXE files with the clipper functionality and makes use of an infection marker sequence – 0x0A 0x0B 0x0C – at the end to avoid re-infecting the files a second time. The wallet address in question has received 9.30857859 BTC (about $974,000) to date.
Procolored has since acknowledged that the software packages were uploaded to the Mega file hosting service in October 2024 via USB drives and that the malware may have been introduced during this process. Software downloads are currently only available for F13 Pro, VF13 Pro, and V11 Pro products.
“The malware’s command-and-control server has been offline since February 2024,” Hahn noted. “So it is not possible that XRed established a successful remote connection after that date. The accompanying clipbanker virus SnipVex is still a serious threat. Although transactions to the BTC address stopped on March 3, 2024, the file infection itself damages systems.”
