The Prilex malware is back once again in three new versions. The malware has slowly been evolving from ATM-focused malware towards modular point-of-sale (PoS) malware. The Brazilian threat actor behind it has carried out “one of the largest attacks on ATMs in the country, infecting and jackpotting more than 1,000 machines,” according to a new Securelist report.
In addition, the malware successfully cloned at least 28,000 credit cards used in the same ATMs prior to the attack. The latest version of Prilex is capable of generating EMV (Europay, MasterCard, and Visa) cryptograms, which VISA introduced in 2019 as a transaction validation system against payment fraud.
Prilex Malware Evolution
The malware was developed in Visual Basic 6.0 and was created specifically to hijack banking applications and steal sensitive information from ATM users. The PoS malware started out as a simple memory scraper and evolved into a very advanced and complex piece of malware.
Its latest versions are capable of handling the PIN pad hardware protocol directly rather than relying on higher-level APIs, Kaspersky said. Furthermore, the malware can perform real-time patching of targeted software, hook OS libraries, tamper with replies, communications and ports, and generate cryptograms for its so-called GHOST transactions.
The latest versions of Prilex differ from previous ones in the way the attack takes place: the threat actor has switched from replay attacks to fraudulent transactions using cryptograms generated by the victim card during the in-store payment process, referred to by the malware authors as “GHOST” transactions, the report explained.
“In these attacks, the Prilex samples were installed in the system as RAR SFX executables that extracted all required files to the malware directory and executed the installation scripts (VBS files),” the researchers said. From the installed files, they highlighted three modules used in the campaign: a backdoor, a stealer module, and an uploader module.
How Does a Prilex Malware Attack Occur?
The attack is based on well-thought-out social engineering and is reminiscent of fake tech support. In one scenario, it is initiated by a spear-phishing email that impersonates a technician from a PoS vendor, urging the recipient to update their PoS software. After this interaction, the cybercriminals send a fake technician to the targeted organization’s building to install an update to the PoS terminals. Of course, the update is malicious.
Another version of the attack directs the victim to install the AnyDesk remote access tool. Once this access is granted, the PoS firmware is replaced with a malicious version. The latest Prilex variant supports a backdoor, a stealer, and an uploader, each of which has several activities to perform.
“The Prilex group has shown a high level of knowledge about credit and debit card transactions, and how software used for payment processing works,” the researchers said. The group’s success has motivated new malware families to emerge, creating a major impact on the payment chain.