Do you remember the Prilex PoS (point-of-sale) malware? Prilex is one of the latest ATM malware strains and has been used in highly targeted attacks on Brazilian banks.
The malware has been developed using the Visual Basic 6.0 language. It has been created to specifically hijack banking applications to steal sensitive information from ATM users.
A sample of the malware analyzed in December 2017 showed different behavior from a previous strain seen in October. Prilex has apparently evolved once again, this time into an all-inclusive tool suite that enables cybercriminals to steal chip-and-PIN card data and create their own working, fraudulent plastic cards.
PoS Malware Like Never Before: What Is New in Prilex?
According to Kaspersky Lab researchers, this is the first time they have seen such an extensive piece of malware built to carry out fraud. Especially troublesome is that the fake cards work on any Brazilian PoS system. This is possible because of a faulty implementation of the EMV standard that prevents payment operators from validating all required data before approving a transaction.
The cybercriminals can then install a malicious Java-based application in “the form of a modified CAP file, to the cloned cards’ chips, which forces POS solutions to automatically accept the PIN validation and bypass any other remaining validation processes”, as explained by Kaspersky.
This behavior is completely new to malware researchers. The upgraded Prilex malware is offering attackers “everything from a graphic user interface to well-designed modules that can be used to create different credit card structures”.
How are attackers infecting their targets? Usually the infection happens with the help of fake remote support sessions. During these sessions, attackers pretend to be IT specialists helping with an issue the target is experiencing, while in fact they are installing the Prilex malware. The malware itself has three components: the piece that modifies the PoS system to intercept credit card information; the server that stores the stolen information; and the user application with the interface the attackers use to view attack statistics.
Moreover, the latest version of Prilex has new functionality that lets attackers overwrite an infected PoS system’s libraries. This allows the malware to collect and exfiltrate payment cards’ TRACK2 magnetic stripe data. The stolen data is later offered for sale on the black market alongside a tool known as Daphne that manages the data and clones debit and credit cards.
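Defenders typically hunt for exfiltrated TRACK2 data by matching its ISO/IEC 7813 layout and filtering candidates with the Luhn check, which cuts down false positives from ordinary digit runs. The following is an added example, not Kaspersky's or the malware's own code, that scans constructed log lines for TRACK2-formatted data; the log lines, host names and card numbers are made up for illustration.

```python
import re
from typing import Dict, List, Tuple

# ISO/IEC 7813 Track 2 layout: start sentinel ';', PAN (up to 19 digits),
# field separator '=', expiry YYMM, 3-digit service code, discretionary
# data, end sentinel '?'. Sentinels are optional because scrapers often
# strip them before exfiltration.
TRACK2_RE = re.compile(
    r";?(?P<pan>\d{13,19})=(?P<exp>\d{4})(?P<svc>\d{3})(?P<disc>\d{0,20})\??"
)


def luhn_ok(pan: str) -> bool:
    """Return True if the digit string passes the Luhn checksum (ISO/IEC 7812)."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep only BIN and last four digits so alerts do not leak the PAN."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def find_track2(text: str) -> List[Dict[str, str]]:
    """Return masked Track 2 records found in text whose PAN passes Luhn."""
    hits = []
    for m in TRACK2_RE.finditer(text):
        pan = m.group("pan")
        if not luhn_ok(pan):
            continue  # layout matched but checksum failed: treat as noise
        hits.append({"pan": mask_pan(pan), "expiry": m.group("exp"),
                     "service_code": m.group("svc")})
    return hits


def scan_lines(lines: List[str]) -> List[Tuple[int, Dict[str, str]]]:
    """Scan each line; return (line index, record) pairs for every hit."""
    return [(i, h) for i, line in enumerate(lines) for h in find_track2(line)]


# Constructed sample lines: line 0 carries a Luhn-valid test PAN, line 1 a
# Track 2-shaped string whose PAN fails Luhn, line 2 contains no card data.
SAMPLE_LINES = [
    "2017-12-04 10:22:31 upload ;4111111111111111=25121011234567890? host=pos-07",
    "2017-12-04 10:22:32 upload ;4111111111111112=25121011234567890? host=pos-07",
    "2017-12-04 10:23:00 dll load libpos_orig.dll ok host=pos-07",
]
```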
The Daphne “client” can choose which type of card to write, debit or credit; the information is then validated on the server and written to the card only once all necessary checks have passed. The new card, connected to the smart card writer, receives the data via GPShell scripts that set up the card’s structure and create the “golden card”.
After using the card, the criminal can keep track of how much money can still be withdrawn. While it is not clear how this information is being used, Prilex’s business model encourages users to register which cards are valid and the amount they have paid off. This could enable reselling the cards in other venues at different prices depending on their status.
Fortunately, banks in Brazil have spent a lot of time investigating these attacks and have been working to improve their systems to prevent fraudulent transactions. However, as noted by Kaspersky researchers, other countries in South America are not as advanced in payment card technology and still rely on magnetic stripe cards.
Other countries are also only beginning to implement chip-and-PIN authentication and have become desirable targets for criminals because of the overall lack of expertise with this technology.