RVTools Official Website Compromised to Distribute Bumblebee Malware Through Trojanized Installer

The official site for RVTools has been compromised, resulting in the distribution of a malicious installer for this widely used VMware environment reporting tool.

Robware has confirmed that both Robware.net and RVTools.com are currently offline and is actively working to restore their services. They advise users to only download RVTools software from the official site, strongly warning against obtaining it from any unauthorized sources.

Recent investigations by security researcher Aidan Leon have revealed that an infected version of the RVTools installer, when downloaded, inadvertently sideloaded a malicious DLL. This DLL is associated with a notorious malware loader known as Bumblebee.

It remains unclear how long this compromised version of RVTools was available for download or how many users may have installed it before the website was taken offline. In light of this incident, users are urged to verify the hash of any installed software and to monitor for any unauthorized execution of version.dll from user directories.

Additionally, it has come to light that software bundled with Procolored printers has been found to contain a Delphi-based backdoor named XRed, along with a clipper malware known as SnipVex. The SnipVex malware is capable of replacing cryptocurrency wallet addresses copied to the clipboard with that of an attacker’s predetermined address, potentially diverting funds to unauthorized recipients.

Cameron Coward, operator of the YouTube channel Serial Hobbyism, was the first to publicly disclose the malicious activities associated with these vulnerabilities.

XRed, believed to have been active since at least 2019, possesses extensive features allowing it to gather system information, log keystrokes, propagate via USB drives, and execute commands from an attacker-controlled server. This includes capturing screenshots and manipulating file systems.

According to G DATA researcher Karsten Hahn, SnipVex specifically targets clipboard content that resembles cryptocurrency addresses in order to divert transactions to the attacker’s wallet.

In a particularly concerning development, the clipper functionality of this malware infects .EXE files and employs a unique infection marker sequence to prevent repeated infections of the same file. Notably, a wallet address associated with these attacks has received nearly 9.31 BTC (approximately $974,000) thus far.

Procolored has acknowledged that the malware-laden software packages were uploaded to the Mega file hosting service in October 2024, potentially introducing the malware during this transfer process. Presently, software downloads are restricted to specific products including the F13 Pro, VF13 Pro, and V11 Pro.

Hahn indicated that the command-and-control server used by XRed has been offline since February 2024, suggesting that the malware could not establish remote connections after this point. Although transactions to the associated BTC address have ceased since early March 2024, the continued presence of the file infection presents an ongoing risk to users’ systems.