The Brazilian threat actor Prilex has resurfaced after a year-long operational hiatus with new, more sophisticated malware designed to steal money through fraudulent payment transactions.
“The Prilex group has shown a high level of knowledge about credit and debit card transactions, and how software used for payment processing works,” said Kaspersky researchers. “This enables the attackers to keep updating their tools in order to find a way to circumvent the authorization policies, allowing them to perform their attacks.”
The cybercrime gang first appeared in South America with ATM-focused malware, which it used to break into ATMs for jackpotting (forcing the machine to dispense cash) and to clone thousands of credit cards belonging to the targeted bank's customers. Since then, Prilex has pivoted to point-of-sale (PoS) malware that intercepts and alters the communication between the PoS software and peripheral devices such as the PIN pads used for debit and credit card payments.
The operators, who have been active since 2014, are also skilled at EMV replay attacks, in which the transaction fields of a legitimate EMV chip card transaction are modified and replayed to a payment processor such as Mastercard. Infecting a machine that runs PoS software requires a highly targeted attack with a social engineering component.
The most recent versions, discovered in 2022, show an important shift: the replay attack has been replaced by a different method that abuses cryptograms generated by the victim's card during the in-store payment. In this technique, dubbed GHOST transactions, a stealer component records all communication between the PoS software and the PIN pad used to read the card while the transaction is being processed. The captured data is then sent to a command-and-control (C2) server, which lets the threat actor carry out transactions through a fraudulent PoS device registered in the name of a fictitious business.
For context: for every transaction, an EMV chip card generates a unique cryptogram (the Authorization Request Cryptogram, or ARQC), a MAC computed over the transaction data with a key that never leaves the chip; it authenticates the transaction rather than encrypting the cardholder data. The issuer verifies that cryptogram to confirm the card is genuine and that it authorized this specific transaction, which is what makes captured transaction data hard to reuse for fraudulent purchases. Earlier Prilex versions got around this by monitoring the transaction, capturing the cryptogram and replaying the collected “signature”; the GHOST attack instead requests fresh EMV cryptograms from the card and uses those to carry out the fraudulent transactions.
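To make concrete why the old replay approach fails against EMV and why asking the card for a fresh cryptogram does not, here is an added example, written for this page and not code from Kaspersky or from the Prilex samples, that models the issuer-side check. It is deliberately simplified: HMAC-SHA256 stands in for the 3DES/AES MAC real cards use, the session-key derivation and the field layout are assumptions, and the key, terminal IDs and amounts are constructed sample data.

```python
from __future__ import annotations
import hashlib
import hmac
from dataclasses import dataclass, replace

# Simplified EMV-style cryptogram model (illustrative; not the real EMV spec).
# HMAC-SHA256 stands in for the card's 3DES/AES MAC; the field layout and the
# session-key derivation below are assumptions made for this example.


@dataclass(frozen=True)
class TxnData:
    amount: int                  # minor units (e.g. centavos)
    currency: str                # 3-letter code
    terminal_id: str
    unpredictable_number: bytes  # terminal-chosen nonce
    atc: int                     # Application Transaction Counter, set by the card

    def encode(self) -> bytes:
        # Fixed-width encoding so every field is bound into the MAC.
        return (self.amount.to_bytes(6, "big")
                + self.currency.encode("ascii").ljust(3)
                + self.terminal_id.encode("ascii").ljust(8)
                + self.unpredictable_number
                + self.atc.to_bytes(2, "big"))


def session_key(master_key: bytes, atc: int) -> bytes:
    """Per-transaction key derived from the card master key and the ATC (assumed derivation)."""
    return hmac.new(master_key, b"ARQC-SK" + atc.to_bytes(2, "big"), hashlib.sha256).digest()


def cryptogram(master_key: bytes, txn: TxnData) -> bytes:
    """8-byte cryptogram over the transaction data, playing the role of an EMV ARQC."""
    return hmac.new(session_key(master_key, txn.atc), txn.encode(), hashlib.sha256).digest()[:8]


class Card:
    """The chip: holds a per-card master key that never leaves it and bumps the ATC per request."""

    def __init__(self, master_key: bytes) -> None:
        self._mk = master_key
        self._atc = 0

    def generate_arqc(self, amount: int, currency: str, terminal_id: str,
                      unpredictable_number: bytes) -> tuple[TxnData, bytes]:
        self._atc += 1
        txn = TxnData(amount, currency, terminal_id, unpredictable_number, self._atc)
        return txn, cryptogram(self._mk, txn)


class Issuer:
    """The issuer host: shares the card master key and remembers the last ATC it accepted."""

    def __init__(self, master_key: bytes) -> None:
        self._mk = master_key
        self._last_atc = 0

    def verify(self, txn: TxnData, arqc: bytes) -> str:
        if not hmac.compare_digest(cryptogram(self._mk, txn), arqc):
            return "declined: cryptogram mismatch"   # transaction data altered or forged
        if txn.atc <= self._last_atc:
            return "declined: ATC already seen"      # exact replay of an old transaction
        self._last_atc = txn.atc
        return "approved"


def run_scenarios() -> dict[str, str]:
    master_key = bytes.fromhex("00112233445566778899aabbccddeeff")  # constructed sample key
    card, issuer = Card(master_key), Issuer(master_key)
    results: dict[str, str] = {}

    # 1. Genuine in-store purchase: the card produces a cryptogram, the issuer approves.
    txn, arqc = card.generate_arqc(1500, "BRL", "TERM0001", bytes.fromhex("11223344"))
    results["genuine"] = issuer.verify(txn, arqc)

    # 2. Replay-style fraud: reuse the captured cryptogram with a changed amount.
    tampered = replace(txn, amount=99900)
    results["replay_modified_amount"] = issuer.verify(tampered, arqc)

    # 3. Exact replay of the captured transaction: its ATC was already consumed.
    results["replay_identical"] = issuer.verify(txn, arqc)

    # 4. GHOST-style fraud: while the card is still in the PIN pad, the attacker
    #    asks it for a fresh cryptogram for a transaction of their own choosing.
    ghost_txn, ghost_arqc = card.generate_arqc(99900, "BRL", "GHOST001", bytes.fromhex("deadbeef"))
    results["ghost_fresh_cryptogram"] = issuer.verify(ghost_txn, ghost_arqc)
    return results


if __name__ == "__main__":
    for name, outcome in run_scenarios().items():
        print(f"{name:24s} -> {outcome}")
```

The two replay scenarios are declined because the cryptogram is bound to the transaction fields and to a counter the card only ever increments, while the fresh cryptogram in scenario 4 is genuine and so passes the same check. That is the gap the GHOST technique exploits, and it is why the attacker needs a real, registered (if fraudulent) PoS device to submit those cryptograms through. A production issuer applies more controls than this model (ATC gap analysis, velocity and merchant checks), which are outside what the article describes.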
The malware also incorporates a backdoor module designed to debug the PoS software's behavior and make modifications on the fly. Other backdoor commands let it kill processes, start and stop screen captures, download arbitrary files from the C2 server, and run CMD commands. The researchers said that Prilex is “dealing directly with the PIN pad hardware protocol instead of using higher level APIs, doing real-time patching in target software, hooking operating system libraries, messing with replies, communications and ports, and switching from a replay-based attack to generate cryptograms for its GHOST transactions even from credit cards protected with CHIP and PIN technology.”