Prilex POS attack group more active this year, report warns

After a quiet 2021, the Prilex point-of-sale (POS) hacking group has become more active this year, releasing three new variants of its malware, infosec pros at retailers are being warned.

The alert comes in a background report on the group released this week by Kaspersky.

Its researchers say the latest versions of Prilex create fraudulent transactions using cryptograms generated by a victim’s access card during an in-store payment process, referred to by the malware authors as “GHOST transactions.”

The malware deals directly with the PIN pad hardware protocol of POS systems, doing real-time patching in target software, hooking operating system libraries, and messing with replies, communications and ports. In this way the group gets around transactions from credit cards protected with chip and PIN technology.

Victims are shoppers who enter PIN numbers when they use their payment cards. So far, Kaspersky told ITWorldCanada, it hasn’t seen any fraud that has happened when a customer paid by using the tap-and-pay capability of a near-field communication (NFC) enabled device.

“This is corroborated by a contact in the industry that told us they haven’t seen any frauds when using NFC,” said Fabio Assolini, head of Kaspersky’s Latin American Global Research and Analysis Team. “This is likely due to the way paying through NFC works, that is generating a single card number for each transaction.” But, she added, “it would not surprise us if they find a way to get around this limitation due to their knowledge of the payment systems.”

Prilex is modular, Kaspersky says, meaning adversaries can program it to work with any POS system they want, from anywhere.

In examples seen by Kaspersky, the Prilex malware was installed in POS systems as RAR SFX executables that extracted all required files to the malware directory and executed the installation scripts (VBS files). From the installed files Kaspersky researchers have seen, there are three modules used in campaigns: a backdoor, which is unchanged in the latest version except for the C2 servers used for communication; a stealer module; and an uploader module.

The stealer module is responsible for intercepting all communications between the point-of-sale software and the PIN pad used for reading the card during the transaction, says the report. Once it identifies a running transaction, the malware will intercept and modify the content of the transaction in order to be able to capture the card information and to request new EMV cryptograms to the victim’s card. These cryptograms are then used in the GHOST transactions.

In GHOST attacks performed by the newer versions of Prilex, new EMV cryptograms from payment card chips are requested after capturing the transaction. These cryptograms will then be used in a fraudulent transaction through one of the cybercrime tools.

Prilex is not a widespread type of malware, says Kaspkersy. It is highly targeted and is usually delivered through social engineering. For example, a target business may receive a call from a “technician” who insists that the company needs to update its POS software. The fake technician may visit the target in person or request that the victims install AnyDesk and provide remote access for the “technician” to install the malware.

To protect POS devices, Kaspersky says administrators should use a multi-layered solution, offering an optimal selection of protective layers to provide the best security level possible for devices of differing power and with different implementation scenarios. Solutions should be optimized to run with full functionality on the older versions of Windows as well on the newest Windows families.

According to the report, the Brazil-based group has been targeting automated teller machines (ATMs) and POS terminals since 2014. It is believed to have been behind one of the largest​​-ever attacks​​ on ATMs in 2016, when, during Carnival, 28,000 credit cards were cloned. Funds in more than 1,000 ATMs belonging to one Brazilian bank were drained.

The Prilex gang also claimed responsibility for the 2019 attack against a German bank which registered €1.5 million in losses.

Since 2016 the group has focused all its attacks on POS systems, evolving its malware over the years.

Would you recommend this article?


Thanks for taking the time to let us know what you think of this article!
We'd love to hear your opinion about this or any other story you read in our publication.

Jim Love, Chief Content Officer, IT World Canada

Featured Download

Howard Solomon
Howard Solomon
Currently a freelance writer, I'm the former editor of and Computing Canada. An IT journalist since 1997, I've written for several of ITWC's sister publications including and Computer Dealer News. Before that I was a staff reporter at the Calgary Herald and the Brampton (Ont.) Daily Times. I can be reached at hsolomon [@]

Featured Articles

Empowering the hybrid workforce: how technology can build a better employee experience

Across the country, employees from organizations of all sizes expect flexibility...

What’s behind the best customer experience: How to make it real for your business

The best customer experience – the kind that builds businesses and...

Overcoming the obstacles to optimized operations

Network-driven optimization is a top priority for many Canadian business leaders...

Thriving amid Canada’s tech talent shortage

With today’s tight labour market, rising customer demands, fast-evolving cyber threats...

Staying protected and compliant in an evolving IT landscape

Canadian businesses have changed remarkably and quickly over the last few...

Related Tech News

Tech Jobs

Our experienced team of journalists and bloggers bring you engaging in-depth interviews, videos and content targeted to IT professionals and line-of-business executives.

Tech Companies Hiring Right Now