A
Brazilian
threat
actor
known
as

Prilex
has
resurfaced
after
a
year-long
operational
hiatus
with
an
advanced
and
complex
malware
to
steal
money
by
means
of
fraudulent
transactions.

“The
Prilex
group
has
shown
a
high
level
of
knowledge
about
credit
and
debit
card
transactions,
and
how
software
used
for
payment
processing
works,”
Kaspersky
researchers

said. “This
enables
the
attackers
to
keep
updating
their
tools
in
order
to
find
a
way
to
circumvent
the
authorization
policies,
allowing
them
to
perform
their
attacks.”

The
cybercrime
group
emerged
on
the
scene
with
ATM-focused
malware
attacks
in
the
South
American
nation,
providing
it
the
ability
to
break
into
ATM
machines
to
perform
jackpotting
–
a
type
of
attack
aiming
to
dispense
cash
illegitimately
–
and
clone
thousands
of
credit
cards
to
steal
funds
from
the
targeted
bank’s
customers.

Prilex’s
modus
operandi
over
the
years
has
since
evolved
to
take
advantage
of
processes
relating
to
point-of-sale
(PoS)
software
to
intercept
and
modify
communications
with
electronic
devices
such
as

PIN
pads,
which
are
used
to
facilitate
payments
using
debit
or
credit
cards.

Known
to
be
active
since
2014,
the
operators
are
also
adept
at
carrying
out

EMV
replay
attacks
in
which
traffic
from
a
legitimate
EMV-based
chip
card
transaction
is
captured
and
replayed
to
a
payment
processor
like
Mastercard,
but
with
the
transaction
fields
modified
to
include
stolen
card
data.

Infecting
a
computer
with
PoS
software
installed
is
a
highly-targeted
attack
incorporating
a
social
engineering
element
that
allows
the
threat
actor
to
deploy
the
malware.

“A
target
business
may
receive
a
call
from
a ‘technician’
who
insists
that
the
company
needs
to
update
its
PoS
software,”
the
researchers
noted. “The
fake
technician
may
visit
the
target
in
person
or
request
the
victims
to
install
AnyDesk
and
provide
remote
access
for
the ‘technician’
to
install
the
malware.”

The
latest
installments
spotted
in
2022,
however,
exhibit
one
crucial
difference
in
that
the
replay
attacks
have
been
substituted
with
an
alternative
technique
to
illicitly
cash
out
funds
using
cryptograms
generated
by
the
victim
card
during
the
in-store
payment
process.

The
method,
called
GHOST
transactions,
includes
a
stealer
component
that
grabs
all
communications
between
the
PoS
software
and
the
PIN
pad
used
for
reading
the
card
during
the
transaction
with
the
goal
of
obtaining
the
card
information.

This
is
subsequently
transmitted
to
a
command-and-control
(C2)
server,
permitting
the
threat
actor
to
make
transactions
through
a
fraudulent
PoS
device
registered
in
the
name
of
a
fake
company.

Now,
it’s
worth
pointing
out
that
EMV
chip
cards
use
what’s
called
a

cryptogram
to
secure
cardholder
data
every
time
a
transaction
is
made.
This
is
done
so
as
to
validate
the
identity
of
the
card
and
the
approval
from
the
card
issuer,
thereby
reducing
the
risk
of
counterfeit
transactions.

While
previous
versions
of
Prilex
circumvented
these
security
measures
by
monitoring
the
ongoing
transaction
to
get
the
cryptogram
and
conduct
a
replay
attack
using
the
collected “signature,”
the
GHOST
attack
requests
for
new
EMV
cryptograms
that
are
put
to
use
to
complete
the
rogue
transactions.

Also
baked
into
the
malware
is
a
backdoor
module
that’s
engineered
to
debug
the
PoS
software
behavior
and
make
changes
on
the
fly.
Other
backdoor
commands
authorize
it
to
terminate
processes,
start
and
stop
screen
captures,
download
arbitrary
files
from
the
C2
server,
and
execute
commands
using
CMD.

Prilex
is “dealing
directly
with
the
PIN
pad
hardware
protocol
instead
of
using
higher
level
APIs,
doing
real-time
patching
in
target
software,
hooking
operating
system
libraries,
messing
with
replies,
communications
and
ports,
and
switching
from
a
replay-based
attack
to
generate
cryptograms
for
its
GHOST
transactions
even
from
credit
cards
protected
with
CHIP
and
PIN
technology,”
the
researchers
said.