Since 2014, in 2016 the Prilex group, which is a Brazilian threat actor, decided to give up ATM malware and focus all their attacks on point of sale systems, which are criminals with knowledge of the payment market. and EFT software and protocols, it has been tracking the movements of the threat actor, seeing the damage and huge financial losses.
One of the largest attacks on ATMs in the country in 2016, it occurred infecting and stealing more than 1,000 machines, as well as cloning more than 28,000 credit cards that were used in these ATMs.
The Prilex PoS malware was able to evolve from a simple memory scraper to an advanced and complex malware, dealing directly with the PIN pad hardware protocol instead of using higher level APIs, as well as performing real-time patches on the PoS software. destination, connecting libraries of operating systems, and interfering with responses, communications and ports, managing to generate cryptograms for your GHOST transactions even from credit cards protected with CHIP and PIN technology.
The beginning: ATMs during a carnival celebration
As already mentioned, in 2016 a Brazilian bank realized that its ATMs were hacked, infecting more than 1,000 ATMs and 28,000 cards throughout Brazil. The participants of this event virtually accessed the ATMs with a DIY device containing a 4G router and a Raspberry PI, with the IP information of each of the ATMs and using default Windows credentials, they managed to install the malware.
Prilex was the name given to the malware, which was also capable of capturing magnetic stripe information on credit and debit cards inserted in infected ATMs, in order to clone cards and steal more from bank customers. (ATM and PoS Malware attacks)
Evolving into PoS malware
This malware has evolved into a modular point of sale malware targeting payment systems developed by Brazilian providers, the so-called EFT/TEF software, the first PoS malware was detected in October 2016, however as of 2022 they started using Subversion as a version control system.
Prilex was quite active in 2020 but suddenly disappeared in 2021, returning in 2022 with the release of three new variants. The PoS version of Prilex is coded in Visual Basic, yet the theft module is in p-code.
The old Trojan-Spy.Win32.SPSniffer, which was discovered in 2010, is another PoS malware that originates from Brazil. SPSniffer obtains credit card data as the malware can install a USB or serial port sniffer to capture and decrypt the traffic between the PIN pad and the infected system, since these devices are always connected to a computer via a USB port that communicates with the EFT software. Although the PIN is encrypted on the device at the time of entry.
The patch built into the PoS system libraries causes the malware to collect TRACK2 data, such as account number, expiration date, and other cardholder information needed to perform fraudulent transactions.
Initial infection vector
Prilex is targeted malware and is usually delivered through social engineering, for example a “tech” can call a company to update their PoS software, having direct access and asking AnyDesk to be installed for remote access also to install malware.
The EMV standard
A Java application lives inside the chip, which is embedded in the cards via EMV, and since payment operators do not perform some of the validations required by the EMV standard, it is an opportunity for criminals to update the tools to create their own cards.
Thus fraudsters make regular magstripe transactions through the card network as EMV purchases, however, they then switched to capturing real EMV-based chip card transaction traffic, thereby modifying merchants’ bank accounts and users.
Brian Krebs mentioned that in 2014 a financial institution in New England fought off some $120,000 in fraudulent charges from Brazilian stores in less than two days, managing to block $80,000, even though the bank’s processor let the other $40,000 through, with the chip transactions without a PIN for MasterCard systems.
Using the same technique, a German bank was also attacked in 2019 where losses amounting to 1.5 million euros were recorded. Prilex used tools like Xiello, discovered in 2020, to clone cards, sending notifications to credit card acquirers to approve or deny transactions.
From “Replay” to “Ghost”
Prilex has gone from replay attacks to fraudulent transactions using cryptograms on the cards being referred to as “GHOST transactions”, installing executable samples like RAR SFX which extracted all the necessary files to the malware directory and ran the installation scripts (VBS files) ; backdoor module, a stealer module, and an uploader module are the modules used.
First, it checks if the machine receives enough transactions to start the process, then the malware will install the necessary hooks to intercept the information, likewise it will find free space inside the memory of the modules, which is called a code cave and makes it difficult to detect the threat in the system. The information taken will be saved in a file that is sent to the C2 malware server, in order to make transactions through a PoS device.
With the GHOST attacks, new EMV cryptograms are requested with one of the cybercrime tools in the latest versions of Prilex. The authorization request cryptogram (ARQC) generated by the card must be approved by the card issuer, and with this the amount of the transaction, ATC and the generated cryptogram change for each transaction.
This module has many commands, and in addition to the memory scan common to memory scrappers, previous versions of Prilex made patches to specific software libraries, however this is no longer necessary as they only connect to Windows APIs.
Some of the commands used in the ATM version of Prilex, including debugging:
Reboot, SendKeys, ShowForm, Inject, UnInject, HideForm, Recursos, GetZip, SetStartup, PausaProcesso, LiberaProcesso, Debug, SendSnapShot, GetStartup, CapRegion, CapFerro, KillProcess, Shell, Process, GetModules, GetConfig, StartSendScreen, StopSendScreen, ReLogin, StartScan, GetKey, SetConfig, RefreshScreen, Download, TakeRegions, Enviar Arquivo, ScanProcessStart, ScanProcessStop, StartRegiao, StopRegiao, StartDownload, StopDownload.
This module is responsible for verifying the directory specified in the CABPATH parameter in the configuration file, as well as sending all cab files generated by stolen transactions to the server, via dHTTP POST request files.
It changes the operation structure of the group, the information is sent to a server where the address was encrypted in the thief’s code, and the module uses the same protocol as the backdoor.
A website claimed to be affiliated with Prilex, in 2019 they offered a malware package created by the group, however, it is not trusted as they may be copycats just looking to earn some money from Prilex recognition. They also say that they have worked with Russian cybercriminals in the past, and a Prilex malware package was found on Telegram to be sold for between €10,000 and $13,000, however this information is unconfirmed.
The group has changed its attack techniques over the years, abusing processes related to PoS software to intercept and modify PIN pad communications, as well as new updates to its tools to find a way around policies. authorization.
Similarly, it is suggested that PoS software developers implement self-protection techniques in their modules, for example, the Kaspersky SDK prevents malicious code from tampering with the transactions managed by those modules. From Kaspersky you can also check to remove malware from your PC in Windows 10.