
The official site for RVTools has been hacked to serve a compromised installer for the popular VMware environment reporting utility.
The company said in a statement posted on its website, “Robware.net and rvtools.com are currently offline. We are working fast to restore service and appreciate your patience.”
“Robware.net and rvtools.com are the only authorized and supported websites for RVTools software. Do not attempt to download purported RVTools software from any other websites or sources.”
The development comes after security researcher Aidan Leon revealed that an infected version of the installer downloaded from the website was being used to side-load a malicious DLL that turned out to be a known malware loader called Bumblebee.
It is currently not known how long the trojanized version of RVTools was available for download, or how many users installed it before the site was taken offline.
In the interim, users are recommended to verify the hash of the installer and to review any execution of version.dll from user directories.
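The two checks recommended above, as an added example that is not from the article or from the RVTools vendor: a Python helper that computes an installer's SHA-256 for comparison against a vendor-published value, and detection logic that flags DLLs loaded from user-profile directories in Sysmon-style image-load records. The record format, process names and paths in the sample data are constructed placeholders, not real telemetry.

```python
import hashlib
import re
from pathlib import PureWindowsPath
from typing import List, Optional, Tuple

def sha256_bytes(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def sha256_file(path: str) -> str:
    # Stream the file so large installers do not have to fit in memory.
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()

def installer_hash_matches(path: str, expected_sha256: str) -> bool:
    # expected_sha256 is the value published by the vendor; compare case-insensitively.
    return sha256_file(path) == expected_sha256.strip().lower()

# Constructed Sysmon-style image-load records (Event ID 7 shape); not real telemetry.
SAMPLE_IMAGE_LOADS = [
    r"Image: C:\Program Files\RVTools\RVTools.exe|ImageLoaded: C:\Windows\System32\version.dll",
    r"Image: C:\Users\alice\Downloads\RVTools.exe|ImageLoaded: C:\Users\alice\Downloads\version.dll",
    r"Image: C:\Users\alice\AppData\Local\Temp\setup.exe|ImageLoaded: C:\Users\alice\AppData\Local\Temp\helper.dll",
    r"Image: C:\Windows\explorer.exe|ImageLoaded: C:\Windows\System32\shell32.dll",
]

_RECORD = re.compile(r"Image:\s*(?P<image>[^|]+)\|ImageLoaded:\s*(?P<loaded>.+)")

def parse_image_load(line: str) -> Optional[dict]:
    m = _RECORD.search(line)
    if not m:
        return None
    return {"image": m.group("image").strip(), "loaded": m.group("loaded").strip()}

def in_user_profile(path: str) -> bool:
    # parts[0] is the drive anchor (e.g. 'C:\'); a profile path has 'Users' directly after it.
    parts = [p.lower() for p in PureWindowsPath(path).parts]
    return len(parts) > 2 and parts[1] == "users"

def flag_suspicious_loads(lines) -> List[Tuple[str, str]]:
    """Return (process, dll) pairs where a DLL was loaded from a user-writable profile directory."""
    hits = []
    for line in lines:
        rec = parse_image_load(line)
        if rec and rec["loaded"].lower().endswith(".dll") and in_user_profile(rec["loaded"]):
            hits.append((rec["image"], rec["loaded"]))
    return hits
```

A DLL with a system-library name loaded from a Downloads or Temp folder is the pattern to investigate; legitimate loads of the same name come from the Windows system directory.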
The disclosure comes as it has been revealed that the official software supplied with a Procolored printer included a Delphi-based backdoor called XRED and a clipper malware dubbed SnipVex that is capable of replacing wallet addresses in the clipboard with a hard-coded address.
The details of the malicious activity were first discovered by Cameron Coward, who is behind the YouTube channel Serial Hobbyism.
XRED, believed to have been active since at least 2019, can collect system information, log keystrokes, propagate through connected USB drives, and execute commands sent from an attacker-controlled server to capture screenshots, enumerate file systems and directories, download files, and delete files from the system.
“[SnipVex] searches the clipboard for content that resembles a BTC address and replaces it with the attacker’s address, such that cryptocurrency transactions will be diverted to the attacker,” said G DATA researcher Karsten Hahn, who further investigated the incident.
But in an interesting twist, the malware also infects files. The wallet address in question has received 9.30857859 BTC (about $974,000) to date.
Procolored has since acknowledged that the software package was uploaded to the Mega file hosting service in October 2024 via a USB drive, and that the malware may have been introduced during this process. Software downloads are currently available only for the F13 Pro, VF13 Pro and V11 Pro products.
“The command-and-control server of the malware has been offline since February 2024,” Hahn said. “So it is not possible that XRED establishes a successful remote connection after that date. However, the clipbanker virus SnipVex is still a serious threat. Although transactions at the BTC address stopped on March 3, 2024, the file infection alone damages the system.”