RVTools Site Hacked to Spread Bumblebee Malware

The official website for RVTools, a widely used VMware reporting utility, was compromised and used to distribute a tampered installer to visitors. 

“Robware.net and RVTools.com are currently offline. We are working quickly to restore service and appreciate your patience,” the company stated on its website. 

The company emphasized that “Robware.net and RVTools.com are the only authorized and supported websites for RVTools software. Users should avoid downloading RVTools from any other websites or sources.” 

This development follows a report by security researcher Aidan Leon, who found that an infected installer downloaded from the official website sideloaded a malicious DLL. The DLL was identified as Bumblebee, a known malware loader. 

It remains unclear how long the compromised installer was available for download or how many users were affected before the site was taken offline. 

In the meantime, users are advised to verify the hash of any RVTools installer against the value published by the vendor and to monitor for version.dll being loaded or executed from user directories rather than from the Windows system directories, where the legitimate version.dll resides. 
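The two checks in the advice above, as an added example that is not code from the article or from the RVTools vendor: a hash comparison of installer bytes against a vendor-published value, and a filter over Sysmon-style ImageLoad (Event ID 7) records that flags version.dll loaded from under C:\Users instead of a Windows system directory, the shape a side-loaded DLL takes. The sample events, file paths and the hash used in the test are constructed for illustration and are not the real RVTools hashes or real telemetry.

```python
import hashlib
from pathlib import PureWindowsPath

# Directories the genuine Windows version.dll is normally loaded from.
SYSTEM_DLL_DIRS = (
    PureWindowsPath(r"C:\Windows\System32"),
    PureWindowsPath(r"C:\Windows\SysWOW64"),
    PureWindowsPath(r"C:\Windows\WinSxS"),
)


def sha256_hex(data: bytes) -> str:
    """SHA-256 of the installer bytes as lowercase hex."""
    return hashlib.sha256(data).hexdigest()


def installer_is_trusted(data: bytes, published_sha256: str) -> bool:
    """Compare the computed hash with the vendor-published one (case-insensitive).

    The published value must come from a source the attacker cannot edit along
    with the download; a hash printed on the compromised page itself proves nothing.
    """
    return sha256_hex(data) == published_sha256.strip().lower()


def _is_under(path: PureWindowsPath, parent: PureWindowsPath) -> bool:
    child_parts = [s.lower() for s in path.parts]
    parent_parts = [s.lower() for s in parent.parts]
    return child_parts[: len(parent_parts)] == parent_parts


def is_sideloaded_version_dll(image_loaded: str) -> bool:
    """True when version.dll is loaded from a user profile directory rather than
    from a Windows system directory, the pattern of DLL side-loading."""
    p = PureWindowsPath(image_loaded)
    if p.name.lower() != "version.dll":
        return False
    if any(_is_under(p, d) for d in SYSTEM_DLL_DIRS):
        return False
    parts = [s.lower() for s in p.parts]  # parts[0] is the drive, e.g. 'c:\\'
    return len(parts) > 1 and parts[1] == "users"


def flag_sideloads(events):
    """events: iterable of dicts shaped like Sysmon Event ID 7 (Image, ImageLoaded).
    Returns (process image, loaded DLL) pairs worth investigating."""
    return [(e["Image"], e["ImageLoaded"]) for e in events
            if is_sideloaded_version_dll(e["ImageLoaded"])]


# Constructed sample events, not real telemetry. Paths are assumptions.
SAMPLE_EVENTS = [
    {"Image": r"C:\Users\alice\Downloads\RVTools.exe",
     "ImageLoaded": r"C:\Users\alice\Downloads\version.dll"},
    {"Image": r"C:\Program Files\RVTools\RVTools.exe",
     "ImageLoaded": r"C:\Windows\System32\version.dll"},
    {"Image": r"C:\Users\alice\AppData\Local\Temp\setup.exe",
     "ImageLoaded": r"C:\Users\alice\AppData\Local\Temp\VERSION.DLL"},
]

if __name__ == "__main__":
    for image, dll in flag_sideloads(SAMPLE_EVENTS):
        print(f"suspicious: {image} loaded {dll}")
```

The filter deliberately keys on the loaded DLL's location rather than on the loading process, since a side-loaded version.dll sits beside whatever executable the attacker trojanized; in production the same logic would run over the ImageLoaded field of exported Sysmon or EDR events.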

In a separate case, it has been revealed that the official software provided with Procolored printers included a Delphi-based backdoor known as XRed, along with a clipper malware named SnipVex. This malware is capable of replacing wallet addresses in the clipboard with a hard-coded one controlled by attackers. 

Cameron Coward, the creator of the YouTube channel Serial Hobbyism, was the first to uncover this malicious activity. 

XRed has reportedly been active since at least 2019. It can gather system information, log keystrokes, spread through connected USB drives, and run commands from an attacker-controlled server. These commands can be used to capture screenshots, list files and directories, download content, and delete files from the system. 

G DATA researcher Karsten Hahn, who investigated the issue further, explained that SnipVex scans the clipboard for content resembling a Bitcoin address and substitutes it with the attacker's address. This enables the redirection of cryptocurrency transactions. Interestingly, the malware infects .EXE files with the clipper functionality and marks them with a unique sequence (0x0A 0x0B 0x0C) to prevent re-infection. As of now, the attacker's wallet has received 9.30857859 BTC, valued at approximately $974,000. 
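The clipper behaviour described above, modelled as an added example (not SnipVex's code and not G DATA's analysis tooling): a function that recognises text shaped like a Bitcoin address (legacy base58 and bech32 forms, by pattern only, without checksum validation) and swaps it for a hard-coded address, beside a defensive counterpart that remembers what the user copied and raises an alert if the clipboard holds a different address at paste time. The two addresses are the well-known example addresses from the Bitcoin documentation, used here as placeholders; neither is the wallet referenced in the report.

```python
import re

# Legacy P2PKH (starts with 1) and P2SH (starts with 3): 26 to 35 base58 characters.
# The base58 alphabet omits 0, O, I and l.
LEGACY_RE = re.compile(r"^[13][1-9A-HJ-NP-Za-km-z]{25,34}$")
# Native SegWit bech32/bech32m: "bc1" followed by the 32-character bech32 alphabet.
BECH32_RE = re.compile(r"^bc1[qpzry9x8gf2tvdw0s3jn54khce6mua7l]{39,59}$")


def looks_like_btc_address(text: str) -> bool:
    """Shape check only, which is also what a clipper needs: it does not care
    whether the address is valid, only whether the victim is about to paste one."""
    t = text.strip()
    return bool(LEGACY_RE.match(t) or BECH32_RE.match(t.lower()))


def clipper_substitute(clipboard: str, attacker_address: str) -> str:
    """Model of the behaviour the report describes: if the clipboard holds
    something shaped like a Bitcoin address, replace it with the hard-coded
    attacker address; anything else is left alone so the victim notices nothing."""
    return attacker_address if looks_like_btc_address(clipboard) else clipboard


class ClipboardGuard:
    """Defensive counterpart: record the text the user copied and compare it with
    the clipboard contents at paste time. A copy/paste pair that starts and ends
    with two different addresses is the clipper's signature."""

    def __init__(self):
        self._last_copied = None

    def on_copy(self, text: str) -> None:
        self._last_copied = text.strip()

    def check_paste(self, current: str):
        cur = current.strip()
        if (self._last_copied is not None
                and looks_like_btc_address(self._last_copied)
                and looks_like_btc_address(cur)
                and cur != self._last_copied):
            return f"clipboard address changed: copied {self._last_copied}, pasting {cur}"
        return None


# Placeholder addresses (documentation examples), not the attacker's real wallet.
USER_ADDRESS = "1BvBMSEYstWetqTFn5Au4m4GFg7xJaNVN2"
ATTACKER_ADDRESS = "3J98t1WpEZ73CNmQviecrnyiWrnqRhWNLy"


def demo():
    """Victim copies their own address; the clipper swaps it; the guard notices."""
    guard = ClipboardGuard()
    guard.on_copy(USER_ADDRESS)
    clipboard_after_clipper = clipper_substitute(USER_ADDRESS, ATTACKER_ADDRESS)
    return guard.check_paste(clipboard_after_clipper)


if __name__ == "__main__":
    print(demo())
```

The guard is only a model of the check: a real implementation would hook the copy and paste events of the wallet application or the desktop session, and a user-facing mitigation is simpler still, compare the first and last characters of the pasted address with the one you intended to send to before confirming a transaction.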

Procolored has confirmed that the software packages were uploaded to the Mega file hosting platform in October 2024 using USB drives. The malware might have been introduced during that process. Currently, software downloads are available only for F13 Pro, VF13 Pro, and V11 Pro models. 

Hahn added that the malware's command-and-control server has been offline since February 2024, so XRed has not been able to establish any remote connections since then. The clipper SnipVex, however, remains a serious risk: its address-swapping code runs locally inside the infected executables and needs no server, so even though transactions to the malicious Bitcoin address ended on March 3, 2024, the infected files continue to harm affected systems. 
