Kaspersky researchers detailed a new campaign of the Prilex malware, which targets PoS machines to steal card data and manipulate the transactions made through them.
They noted that the Prilex gang has resurfaced after a year-long gap with three new versions of the malware to improve its operations.
It now contains a backdoor for remote access and operations, a stealer for hijacking data and manipulating transactions, and an uploader to export the stolen data.
Prilex PoS-targeting Malware New Version
Starting with ATMs back in 2014, Prilex has grown into full-fledged malware targeting Point-of-Sale systems, with peak development and distribution in 2020, before taking a long break last year.
Well, this wasn’t an actual holiday for the Prilex authors, as they have now surfaced with three new versions of the malware that are capable of bypassing the core security embedded in credit cards. As Kaspersky researchers reported, the new version of Prilex can generate EMV (Europay, MasterCard, and Visa) cryptograms to create GHOST transactions.
Introduced by VISA in 2019, EMV is a transaction validation system for better detection and blocking of payment fraud. Its cryptogram is an encrypted message between the card and the PoS reader containing the transaction details.
“In GHOST attacks performed by the newer versions of Prilex, it requests new EMV cryptograms after capturing the transaction,” which are then used in fraudulent transactions, Kaspersky researchers said.
The campaign begins with an attacker impersonating a technician, who sends a phishing email to a PoS vendor claiming that the company needs to update its PoS software. If the vendor agrees, the gang sends a fake technician to the target’s premises to install a malicious upgrade on its PoS terminals.
Alternatively, the gang asks the vendor to install AnyDesk so that the PoS terminals can be updated remotely. Once Prilex is installed, the attackers control the terminals remotely and steal data at will. The updated Prilex malware contains a backdoor that supports file actions, command execution, process termination, registry modification, and screen capture.
Further, a stealer module snoops on the communications between the PIN pad and the PoS software, and can modify transactions, capture card information, and request new EMV cryptograms from the card. Lastly, an uploader module sends all the captured data to the attacker’s C2 server via HTTP POST requests.
Until then, the captured information is stored locally in encrypted form on the compromised computer. This attack harms not only the vendors but also the customers who use their cards at the infected terminals.