This year, security analysts have observed three new versions of Prilex PoS-targeting credit card malware, which means that its creators and operators are back at it again.
In 2014, Prilex began as ATM-focused malware. The crew was behind one of Brazil’s most successful ATM robberies, infecting more than 1,000 ATMs and cloning in excess of 28,000 credit cards that had been used at those machines. Wanting more, the Prilex group pivoted to PoS (point of sale) devices in 2016. Development and distribution of their malware peaked in 2020, and the malware vanished in 2021. But now Prilex malware is back.
Prilex has resurfaced, according to Kaspersky researchers, and it appears that the group’s break in operations was spent developing a more sophisticated and powerful version of its credit card malware.
New PoS Malware from Prilex
The latest version of Prilex is able to generate EMV (Europay, MasterCard, and Visa) cryptograms. These cryptograms were developed and introduced by VISA in 2019 and are intended to validate transactions and to detect and reduce credit card fraud.
A Kaspersky report outlines how the Prilex group defrauds consumers and businesses. The malware enables Prilex to abuse EMV cryptograms, the encrypted messages exchanged between the card and the reader that contain the details of the transaction. Having captured those details, the malware performs ‘GHOST transactions’ on the cards, even those with CHIP and PIN technology: the GHOST transaction requests new EMV cryptograms from the card, and these are then used to carry out fraudulent transactions. The infographic from Kaspersky below shows how this process works. Effectively, two transactions are being performed simultaneously: one legitimate, the other fraudulent.
Prilex malware attack chain (Kaspersky)
Beware: It starts with simple Phishing
The attack begins with a spear phishing email. The email impersonates a technician from a PoS vendor and informs the business that they are required to update their PoS software. From here, the infection happens either in person or remotely. For an in-person infection, an appointment is made and the “technician” visits the premises in person. Yes, this is bold! The tech then installs the malicious firmware on the PoS terminal. For a remote infection, the “technician” asks the business to install the AnyDesk remote access tool on a computer. The computer is then shared and the “technician” replaces the PoS firmware with the infected version. While on the machine, the attacker runs a diagnostic to evaluate whether the daily volume of transactions is significant enough to make the terminal worth targeting.
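One way a defender could surface the remote-infection path described above (a remote access tool appearing on a PoS host shortly before the PoS software binary changes), as an added Python example that is not from the article or from Kaspersky’s report; the telemetry format, field names and PoS binary path are constructed assumptions:

```python
"""Correlate two signals from the Prilex infection chain on PoS hosts:
a remote-access tool launch followed by a change to the PoS application
binary. Log format, field names and paths are constructed for this example."""
import json
from datetime import datetime, timedelta

REMOTE_ACCESS_TOOLS = {"anydesk.exe"}        # tool named in the article
POS_APP_PATHS = {"c:\\pos\\posapp.exe"}       # hypothetical PoS binary path
WINDOW = timedelta(hours=24)                  # assumed correlation window

# Constructed endpoint telemetry (JSON lines), not real logs.
SAMPLE_EVENTS = r"""
{"ts":"2022-10-03T09:12:00","host":"POS-07","type":"process_start","image":"c:\\users\\clerk\\downloads\\anydesk.exe"}
{"ts":"2022-10-03T09:40:11","host":"POS-07","type":"file_change","path":"c:\\pos\\posapp.exe","old_sha256":"aaaa","new_sha256":"bbbb"}
{"ts":"2022-10-03T10:05:00","host":"POS-02","type":"file_change","path":"c:\\pos\\posapp.exe","old_sha256":"aaaa","new_sha256":"aaaa"}
{"ts":"2022-10-04T15:00:00","host":"POS-11","type":"process_start","image":"c:\\pos\\posapp.exe"}
{"ts":"2022-10-06T08:00:00","host":"POS-11","type":"file_change","path":"c:\\pos\\posapp.exe","old_sha256":"aaaa","new_sha256":"cccc"}
"""


def parse_events(text):
    """Parse JSON-lines telemetry into dicts sorted by timestamp."""
    events = []
    for line in text.strip().splitlines():
        event = json.loads(line)
        event["ts"] = datetime.fromisoformat(event["ts"])
        events.append(event)
    return sorted(events, key=lambda e: e["ts"])


def find_pos_tampering(events):
    """Return one alert per PoS binary content change. The alert is marked
    remote_tool_seen when a remote-access tool started on the same host
    within WINDOW before the change, matching the chain in the article."""
    last_tool_start = {}  # host -> time a remote-access tool last started
    alerts = []
    for event in events:
        host = event["host"]
        if event["type"] == "process_start":
            image = event["image"].rsplit("\\", 1)[-1].lower()
            if image in REMOTE_ACCESS_TOOLS:
                last_tool_start[host] = event["ts"]
        elif event["type"] == "file_change":
            if event["path"].lower() not in POS_APP_PATHS:
                continue
            if event["old_sha256"] == event["new_sha256"]:
                continue  # metadata-only change; binary content is unchanged
            started = last_tool_start.get(host)
            correlated = started is not None and event["ts"] - started <= WINDOW
            alerts.append({"host": host, "changed_at": event["ts"],
                           "remote_tool_seen": correlated})
    return alerts
```

Run against the constructed events, POS-07 is flagged with the remote tool correlated, POS-11 is flagged for an unexplained binary change, and POS-02 is ignored because the hash did not change.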
Smarter Malware
The Prilex group are some very smart folks and have added capabilities to their infection chain to improve its effectiveness. These include backdoors for communication, an uploader module, and a stealer module for intercepting data. They even modify the registry.
The stealer module can monitor the data transfer between the PIN pad and the PoS software. It captures and modifies transaction details and requests new EMV cryptograms from the card. All of this can then be encrypted and uploaded to the malware’s command and control (C2) server, from where the fraudulent transactions can be processed.
The Final Score
Attacks are becoming more and more sophisticated. Even with secured CHIP and PIN technology, credit card malware is bypassing it. But the initial hole can be plugged before the dam breaks and your customers’ cards are compromised. Be alert to any communication that involves financial information, including those from technicians and service providers. This fraud starts with a simple phishing email. Be vigilant, know what to look for, don’t be afraid to ask questions, request a contact number to call back, and check with the company about planned upgrades, the names of its techs, and planned appointments. Remember: be smart and stay safe.