[MART] - Daily Diary #605 - Meet Prilex, a Point-of-Sale Malware

ctas-mat at appgate.com ctas-mat at appgate.com
Thu Sep 29 22:08:28 UTC 2022


I hope everyone is doing well!

Below is the entry for today.

09/29/2022 - Diary entry #605:

Prilex is a Brazilian malware that started its activities targeting ATMs in 2014 – when a Brazilian bank had 10,000 of its ATMs hacked. In 2016, the threat actors behind Prilex changed their focus to Point Of Sales (PoS) devices. After that, in 2019 they claimed responsibility for an attack against a German bank, resulting in €1.5 million in losses, followed by a peak of activity in 2020, and finally going dark in 2021. Now, they resumed their activities with a release of three new variants, suggesting that they were focusing on developing a more sophisticated version of Prilex.

As the security and anti-fraud mechanisms evolved, the threat actors changed their attack chain. The infection process starts with a spear-phishing email posing as a PoS vendor technician luring the companies (shops, gas stations, and restaurants) to update their PoS software. Then, a fake technician replaces the PoS firmware with a malicious version either on-premise or remotely via AnyDesk.

The operators can then control the PoS terminals using a custom backdoor, a stealer for intercepting all data, and an exfiltration module. All these tools are used for modifying transaction contents, capturing credit card information, and requesting new cryptograms from the cards.

All intercepted data from the transactions are saved locally to an encrypted file and sent periodically to the malware C2 server. Then, the criminals are able to make transactions via fraudulent PoS devices registered in the name of fake companies.

The sophistication of the attack and toolkit shows that the threat actors behind Prilex are highly skilled and capable of escalating their attacks by offering their tools as a Malware-as-a-Service. Therefore, we recommend companies that use PoS terminals secure their environment both physically and digitally, training their employees against social engineering attacks.

Kind Regards,


[https://d3aafpijpsak2t.cloudfront.net/images/Signature/likedin@2x.png]<https://www.linkedin.com/company/appgate-security/>     [https://d3aafpijpsak2t.cloudfront.net/images/Signature/twitter@2x.png] <https://twitter.com/AppgateSecurity>   [https://d3aafpijpsak2t.cloudfront.net/images/Signature/youtube@2x.png] <https://www.youtube.com/channel/UC-8GvxcZbm-R3EJNl8jYjiQ>


Malware Analysis and Research Team

E: ctas-mat at appgate.com<mailto:ctas-mat at appgate.com>

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.immunityinc.com/pipermail/mart/attachments/20220929/bcd184ec/attachment.htm>

More information about the MART mailing list