Prilex malware gets updated to bypass credit card security

Point-of-sale malware operators sell dangerous malware across the globe

Prilex malware moves from simple ATM malware to PoS infection with uploader, backdoor, other threat modules

Security expert reports analyzed new versions of the Brazilian malware Prilex. The POS-targeting malware seems to get updates.^[1] Authors are back in action, and the threat that started as ATM-focused malware in 2014 has pivoted to point-of-sale^[2] devices since 2016. The distribution and operations were stopped for a while when the malware peaked in 2020 and disappeared in 2021.

Prilex now returned, and operation hiatus possibly was used to take a break and focus on developing a more sophisticated version, evolving the malware.^[3] The latest release is now capable of generating the EMV cryptogram that was introduced by VISA back in 2019. This is the transaction validation system that helps to detect and block payment fraud.

Security reports^[4] detailed the findings of researchers. The new malware enables the usage of EMV cryptogram to perform the GHOST transaction, and it allows to perform attacks on credit cards protected with CHIP and PIN technology. This malware can evade detection of those fraudulent transactions.

From ATM-focused virus to modular PoS malware

This is the malware operated by Brazilian threat actors that made their malware into modular point-of-sale malware. This piece was involved in one of the major attacks on ATMs in the country. It affected, and jack potted more than 1000 machines, cloned 28000 credit cards, and used these ATMs before the big heist. Criminals are always known for their greed, so the malware gets improved all the time.

The Prilex PoS malware evolved out of a simple memory scraper into very advanced and complex malware, dealing directly with the PIN pad hardware protocol instead of using higher level APIs.

Now the threat is targeting the core of the payment industry and attacks PoS systems. Malicious actors adopted the malware-as-a-service^[5] model and expanded their reach abroad, creating a toolset that includes other techniques and malware like uploaders, stealers, and backdoors. These improvements encouraged threat researchers to track actors and their operations to witness the damages and financial losses that these criminals bring to the payments industry.

New functions and infiltration methods

The campaign of this malware starts with the infiltration that is achieved with the spear phishing email. These messages impersonate technicians from the PoS vendor and claim that the company needs to update the software. Fake technicians visit the premises of the target in person and install the malicious software upgrade on the PoS terminals. The attacker can also direct the victim to install the remote access tool on the machine, and then the original PoS firmware gets replaced with the malicious version.

Once the infiltration is successful, attackers can evaluate the machine to determine if the target is prolific enough and is worth their time or not. This Prilex version has backdoors for communication, a stealer for intercepting purposes, and an uploader module that helps with exfiltration actions. The backdoor also supports other functions like file actions, command execution, process termination, registry changes, and screen capturing.

Prilex malware can snoop on communication channels between the PIN pad and the PoS software, so transaction contents can be modified and card information captured. Those details can be encrypted and saved locally on the compromised computer or uploaded to the C&C servers that malware operators control.

Attackers can keep updating their tools to find other ways to evade authorization and detection processes. Prilex group shows that these alterations allow attackers to perform their attacks successfully when the knowledge about credit card and debit card transactions gets used.