PRILEX is the name of the latest strain of ATM malware that was discovered and analyzed by Trend Micro researchers. A previous version of this malware was spotted by Kaspersky in October this year. The malware has been used in attacks on Brazilian banks. The attacks were highly targeted.
PRILEX ATM Malware – Details
The malware has been developed using the Visual Basic 6.0 language. It has been created to specifically hijack banking applications to steal sensitive information from ATM users.
Trend Micro researchers analyzed this new strain to discover that it is showing a different form of behavior when compared to the October strain.
The latest PRILEX malware works by hooking specific DLLs, and it replaced them with its own application screens on top of others. The DLLs targeted by the malware are the following:
The research team performed a detailed analysis on the DLLs only to find that there is no available information about them anywhere online.
Given that the strings found in this malware were all in Portuguese (and since Kaspersky reported that it was found in Brazil), the researchers decided to ask their banking contacts in the region. They found that those DLLs belong to the ATM application of a bank there, which meant only one thing – a highly targeted attack. “On top of this, the malware only affects a specific brand of ATM, which means the attackers had possibly analyzed one of them and created a customized attack,” the researchers noted in their report.
While analyzing the malware code of PRILEX, the researchers came across something else interesting that takes place after the malware has stolen user data. It tries to communicate with a remote command and control server to upload credit card data and account security code. Trend Micro believes that this is the first ATM malware so far to assume it is connected to the internet.
That being said, it is very likely that the targeted bank’s ATMs are connected, since the attackers appear to be quite familiar with its methods and processes.
Besides these specifications, the malware’s attack techniques are as usual:
The method of attack, otherwise, is straightforward. Once the machine has been infected, the malware operates jointly with the banking application so that when it displays the screen asking the user for their account security code, the screen is replaced by the malware. This code is a two-factor authentication method commonly used in Brazil to protect ATM and online transactions. Once the user enters this code, the malware captures it and stores it.
PRILEX ATM Malware Steals Credit Card Details
It is also worth noting that PRILEX attacks not only aim to jackpot the machine but also to steal user information such as credit card data. Due to this detail, the researchers believe that whoever is behind these operations is dealing with bulk credit card details, and has a way to monetize them efficiently. Considering that this has been a highly targeted attack, it’s more likely for this malware to not be used anywhere else.
PRILEX, however, is a great example that, as pointed out by Trend Micro, “any bank is subject to have their methods and processes analyzed by criminals and then later abused with highly targeted attacks”. Jackpotting attacks are very dangerous in their own way, but a silent attack like this can go undetected for a very long time, meaning that each bank should implement quality monitoring tools and guarding techniques.