Stratos Ally

Security Alert: Fake RVTools Installer Distributes Bumblebee Malware 


StratosAlly


The official website for RVTools, a tool used to report on VMware environments, was recently hacked. The installer available on the site was replaced with a malicious version. The company, Robware, has taken both its websites (robware.net and rvtools.com) offline while they work to restore the service. They have asked users to be patient and warned everyone to only download RVTools from these two official sites. They strongly advised against downloading the software from any other websites, as those sources could be unsafe.

The issue came to light after a security expert, Aidan Leon, discovered that a fake version of the RVTools installer from the official website was being used to secretly load a malicious DLL file. The malware was identified as a known threat called Bumblebee. It’s still unknown how long the infected version of RVTools was online or how many users downloaded it before the websites were taken offline.  

For now, users are advised to check the installer's hash, a kind of digital fingerprint, and look out for any suspicious activity related to a file called "version.dll" in user folders.

In a separate incident, it was recently discovered that the official software provided with Procolored printers contained hidden malware. This includes a backdoor program called XRed and another type of malware named SnipVex, which can replace a wallet address copied to the clipboard with one controlled by the attacker.

These threats were initially discovered by Cameron Coward, the creator of the YouTube channel Serial Hobbyism. XRed, which has likely been active since at least 2019, can gather system information, record keystrokes, spread through USB drives, and follow remote commands to take screenshots, explore files and folders, download new files, or even delete files from the computer.  

Security researcher Karsten Hahn from G DATA explained that SnipVex works by scanning the clipboard for Bitcoin wallet addresses. When it finds one, it replaces it with the attacker’s wallet address, so any cryptocurrency sent ends up in the wrong hands. Interestingly, the malware also infects .EXE files by adding the clipper function and uses a unique marker, a sequence of 0x0A 0x0B 0x0C, at the end of the file to make sure it doesn’t infect the same file twice.  
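The trailing 0x0A 0x0B 0x0C marker described above is something a defender can look for when triaging executables on a machine that had the Procolored software installed. The following scanner is an added example, not code from the article or from G DATA; it treats the marker as a heuristic only (three bytes can legitimately end a file), so hits still need confirmation with a hash lookup or antivirus scan.

```python
import sys
from pathlib import Path

# Marker SnipVex appends to an infected .EXE so it does not re-infect it
# (as reported by G DATA and quoted in the article above).
SNIPVEX_MARKER = b"\x0a\x0b\x0c"


def has_snipvex_marker(data: bytes) -> bool:
    """Return True if the file contents end with the SnipVex infection marker."""
    return len(data) >= len(SNIPVEX_MARKER) and data.endswith(SNIPVEX_MARKER)


def file_has_marker(path: Path) -> bool:
    """Check only the last three bytes so large executables are not read fully."""
    size = path.stat().st_size
    if size < len(SNIPVEX_MARKER):
        return False
    with path.open("rb") as fh:
        fh.seek(size - len(SNIPVEX_MARKER))
        return fh.read(len(SNIPVEX_MARKER)) == SNIPVEX_MARKER


def scan_tree(root: Path) -> list[Path]:
    """Return every .exe under root (case-insensitive suffix) whose tail matches the marker.

    Non-.exe files are skipped on purpose: the report only describes .EXE infection,
    and the three-byte sequence is too short to be meaningful in arbitrary data.
    """
    hits = []
    for path in root.rglob("*"):
        if path.is_file() and path.suffix.lower() == ".exe" and file_has_marker(path):
            hits.append(path)
    return sorted(hits)


if __name__ == "__main__":
    # Usage: python snipvex_marker_scan.py <directory>  (defaults to the current directory)
    target = Path(sys.argv[1] if len(sys.argv) > 1 else ".")
    for hit in scan_tree(target):
        print(f"possible SnipVex infection marker: {hit}")
```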

So far, the attacker's wallet has received around 9.3 BTC, worth nearly $974,000. Procolored has confirmed that their software was uploaded to the Mega file hosting platform in October 2024 using USB drives, and it is likely that the malware was added during that process. Right now, software downloads are only available for the F13 Pro, VF13 Pro, and V11 Pro printer models. Researcher Karsten Hahn noted that the XRed malware's command server has been offline since February 2024, meaning it has not been able to connect remotely since then. However, the SnipVex malware is still dangerous: it continues to infect files and harm systems, even though the last recorded Bitcoin transaction to the attacker's wallet was on March 3, 2024.
