
Prilex Sells Dangerous New Sophisticated PoS Malware Worldwide


Prilex is a well-known and dangerous threat, targeting the core of the payments industry – ATMs (Automated Teller Machines) and Point of Sale (PoS) terminals. Active since 2014, Prilex is allegedly behind one of the biggest attacks on ATMs in Brazil. During Carnival in 2016, the threat cloned more than 28,000 credit cards and drained more than 1,000 ATMs at one of the Brazilian banks. The perpetrators stole all the funds present in the machines, and the damages following this incident were estimated to be in the millions of dollars.

In 2016, the group focused all of its attacks on PoS systems alone. Since then, the cybercriminals have greatly improved their malware, making it a complex, rapidly evolving threat with a major impact on the payment chain. Now the Prilex operators conduct so-called “GHOST” attacks: fraudulent transactions that reuse cryptograms previously generated by the victim’s card during the store’s checkout process.

Initial machine infections usually start with social engineering. After choosing a target, the cybercriminals call the business owner or their employees and claim that the PoS software needs to be updated by a technician. The fake technician then visits the target company in person and infects the machines with the malware. In another scenario, the offenders ask the target to install AnyDesk and grant access to the fake technician so that the malware can be installed remotely.

Before attacking a victim, the cybercriminals perform an initial scan of the machine to check how many transactions have already taken place and whether the target is worth attacking. If it is, the malware captures any transaction in progress and modifies its content so that card information can be harvested. All details of the captured card are stored in an encrypted file, which is later sent to the attackers’ server, allowing them to run transactions through a fraudulently registered PoS device in the name of a fake company.

Captured credit card data that will later be sent to the operator’s server

So, having attacked a PoS system, attackers get data from dozens and even hundreds of cards daily. It is especially dangerous if the infected machines are located in popular shopping centers in densely populated cities, where the daily flow of customers can reach thousands of people.

Figure: The Prilex infection chain scheme

In recent research, Kaspersky experts also discovered that the Prilex group manages the development lifecycle of its malware with Subversion, a version control system used by professional development teams. Furthermore, a supposedly official Prilex website is selling its malware kits to other cybercriminals as Malware-as-a-Service. Prilex has previously sold several versions of the malware on the Darknet; for example, in 2019 a German bank lost more than 1.5 million euros in a similar attack by the Prilex malware. Now, with the emergence of its MaaS operation, the highly sophisticated and dangerous versions of the PoS malware could spread to many countries, and the risk of losing millions of dollars would increase for companies all over the world.

Kaspersky investigators also discovered websites and Telegram chats where cybercriminals were selling Prilex malware. Impersonating the Prilex group itself, they present the latest versions of the PoS malware at prices from $3,500 to $13,000. Kaspersky experts are not certain of the true ownership of these websites, as they could be copycats trying to imitate the group and make money from its newfound fame.

“In movies, we often see thieves break into a bank with a gun in their hand, empty the box and flee the scene, taking with them a huge bag of money. In the real world, however, bank robberies happen quite differently. These days, real criminals are very stealthy: they usually attack remotely using malware without any physical contact with the bank. This makes them much more difficult to detect, and until ATM and PoS are sufficiently protected and up to date, the number of threats and incidents will only increase,” comments Fabio Assolini, head of the Latin American Global Research and Analysis Team (GReAT) at Kaspersky.

The Prilex family is detected by all Kaspersky products as HEUR:Trojan.Win32.Prilex and HEUR:Trojan.Win64.Prilex.

Read more about Prilex in the full report on Securelist.

To protect yourself from Prilex, Kaspersky recommends:

  • Use a multi-layer solution offering an appropriate selection of protection layers to provide the best possible level of security for devices with different capabilities and different deployment scenarios.
  • Implement self-protection techniques in the PoS modules, such as the protection available in the Kaspersky SDK, in order to prevent malicious code from tampering with transactions managed by these modules.
  • Protect older systems with current protections. Solutions must be optimized to work with full functionality on older versions of Windows as well as newer Windows families. This assures the business that it will be provided with full support to older families for the foreseeable future, and gives you an opportunity to upgrade whenever the need arises.
  • Install a security solution that protects devices from different attack vectors, such as Kaspersky Embedded Systems Security. If the device has extremely low system specifications, Kaspersky’s solution will still protect it in a Default Denial scenario.

For financial institutions that are victims of this type of fraud, Kaspersky recommends the Threat Attribution Engine to help IR teams find and identify Prilex files in the attacked environments.
