After a quiet 2021, the Prilex point-of-sale (POS) hacking group has become more active this year, releasing three new variants of its malware, infosec pros at retailers are being warned.
The alert comes in a background report on the group released this week by Kaspersky.
Its researchers say the latest versions of Prilex create fraudulent transactions using cryptograms generated by a victim’s access card during an in-store payment process, referred to by the malware authors as “GHOST transactions.”
The malware deals directly with the PIN pad hardware protocol of POS systems, doing real-time patching in target software, hooking operating system libraries, and tampering with replies, communications and ports. In this way the group gets around the protection that chip-and-PIN technology gives credit card transactions.
Victims are shoppers who enter their PINs when they use their payment cards. So far, Kaspersky told ITWorldCanada, it hasn’t seen any fraud involving customers who paid using the tap-and-pay capability of a near-field communication (NFC) enabled device.
“This is corroborated by a contact in the industry that told us they haven’t seen any frauds when using NFC,” said Fabio Assolini, head of Kaspersky’s Latin American Global Research and Analysis Team. “This is likely due to the way paying through NFC works, that is generating a single card number for each transaction.” But, Assolini added, “it would not surprise us if they find a way to get around this limitation due to their knowledge of the payment systems.”
Prilex is modular, Kaspersky says, meaning adversaries can program it to work with any POS system they want, from anywhere.
In examples seen by Kaspersky, the Prilex malware was installed in POS systems as RAR SFX executables that extracted all required files to the malware directory and executed the installation scripts (VBS files). From the installed files Kaspersky researchers have seen, there are three modules used in campaigns: a backdoor, which is unchanged in the latest version except for the C2 servers used for communication; a stealer module; and an uploader module.
The stealer module is responsible for intercepting all communications between the point-of-sale software and the PIN pad used for reading the card during the transaction, says the report. Once it identifies a running transaction, the malware intercepts and modifies the content of the transaction in order to capture the card information and to request new EMV cryptograms from the victim’s card. These cryptograms are then used in the GHOST transactions.
In GHOST attacks performed by the newer versions of Prilex, new EMV cryptograms from payment card chips are requested after capturing the transaction. These cryptograms will then be used in a fraudulent transaction through one of the cybercrime tools.
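As an added illustration of how a defender might spot the extra cryptogram requests described above (this is not code from the Kaspersky report or from the article), the check below scans a PIN-pad/POS trace and flags card sessions in which more GENERATE AC commands were sent to the card than a normal EMV transaction needs. The log format, the session ids and the sample lines are constructed assumptions.

```python
import re

# Constructed sample trace (not real Prilex or PIN-pad output): one line per
# command exchanged between the POS software and the card via the PIN pad.
# Session 18 shows the pattern of interest: the card is asked for additional
# cryptograms after the transaction has already completed its normal flow.
SAMPLE_TRACE = """\
2022-09-27T10:01:02 session=17 cmd=SELECT aid=A0000000031010
2022-09-27T10:01:03 session=17 cmd=GENERATE_AC type=ARQC
2022-09-27T10:01:05 session=17 cmd=GENERATE_AC type=TC
2022-09-27T10:02:10 session=18 cmd=SELECT aid=A0000000041010
2022-09-27T10:02:11 session=18 cmd=GENERATE_AC type=ARQC
2022-09-27T10:02:12 session=18 cmd=GENERATE_AC type=TC
2022-09-27T10:02:13 session=18 cmd=GENERATE_AC type=ARQC
2022-09-27T10:02:14 session=18 cmd=GENERATE_AC type=ARQC
"""

# Assumed log layout: a numeric card-session id followed by the command name.
LINE_RE = re.compile(r"session=(\d+)\s+cmd=(\w+)")

# EMV issues at most two GENERATE AC commands per transaction (the first
# cryptogram request, plus an optional second one after the issuer responds).
MAX_GENERATE_AC = 2


def count_generate_ac(trace: str) -> dict:
    """Return {session_id: number of GENERATE AC commands seen}."""
    counts = {}
    for line in trace.splitlines():
        match = LINE_RE.search(line)
        if not match:
            continue  # ignore lines that do not follow the assumed layout
        session, cmd = int(match.group(1)), match.group(2)
        counts.setdefault(session, 0)
        if cmd == "GENERATE_AC":
            counts[session] += 1
    return counts


def suspicious_sessions(trace: str, limit: int = MAX_GENERATE_AC) -> list:
    """Sessions that asked the card for more cryptograms than EMV allows."""
    return sorted(s for s, n in count_generate_ac(trace).items() if n > limit)


if __name__ == "__main__":
    for session in suspicious_sessions(SAMPLE_TRACE):
        print(f"session {session}: excess GENERATE AC requests, review transaction")
```

A real deployment would read the trace from the PIN-pad driver or POS application log rather than a string, and would correlate flagged sessions with the acquirer's transaction records.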
Prilex is not a widespread type of malware, says Kaspersky. It is highly targeted and is usually delivered through social engineering. For example, a target business may receive a call from a “technician” who insists that the company needs to update its POS software. The fake technician may visit the target in person or request that the victims install AnyDesk and provide remote access for the “technician” to install the malware.
To protect POS devices, Kaspersky says administrators should use a multi-layered solution, offering an optimal selection of protective layers to provide the best security level possible for devices of differing power and with different implementation scenarios. Solutions should be optimized to run with full functionality on the older versions of Windows as well as on the newest Windows families.
According to the report, the Brazil-based group has been targeting automated teller machines (ATMs) and POS terminals since 2014. It is believed to have been behind one of the largest-ever attacks on ATMs in 2016, when, during Carnival, 28,000 credit cards were cloned. Funds in more than 1,000 ATMs belonging to one Brazilian bank were drained.
The Prilex gang also claimed responsibility for the 2019 attack against a German bank which registered €1.5 million in losses.
Since 2016 the group has focused all its attacks on POS systems, evolving its malware over the years.