By Caique Barqueta: Brazil is among the countries that suffer the most cyber attacks in the world, a scenario that has worsened after the pandemic and the global moment related to the armed conflict between Ukraine and Russia.
Keeping up to date with the main threats active in Brazil is increasingly important: it lets defenders stay one step ahead of potential attacks and detect them faster and more efficiently, avoiding incidents that could result in damage and loss.
Below, we list the most recurrent cyber threats identified by ISH's Intelligence team, Heimdall.
Cobalt Strike
We detected 1768 servers making malicious use of Cobalt Strike, a toolkit that lets attackers implant "beacons" on compromised devices to carry out remote network surveillance or execute commands.
Below, you can see the distribution on the map:
SSH Brute Force
In the same period, we detected 2180 SSH brute-force threats. SSH is used for remote logins, command execution, file transfers and more. An SSH brute-force attack is carried out by a threat actor who tries to log in with common usernames and passwords against many servers until one attempt succeeds.
Below, you can see the distribution on the map:
IP addresses
Another key trace that threat actors leave behind, and that helps identify them, is the IP address. It is very valuable information for tracking and studying threat actors, and for protecting an organization against domains and IP addresses known to be malicious.
ISH collects and analyzes the malicious activity of these main offenders daily, as shown in the screenshot below: from 01/10 to 01/11 we collected and analyzed 52,667 malicious IP addresses, which were promptly shared with customers via MISP.
After presenting the main threats, vulnerabilities and malicious addresses, we at ISH turn to yet another threat that has returned, this time as point-of-sale (PoS) malware: Prilex.
Prilex malware
The threat actor known as Prilex has been active since mid-2014; its malicious samples and artifacts were aimed at carrying out credit card fraud. In 2016, however, a campaign targeting ATMs was identified and linked to Brazil.
In 2017, this threat actor shifted from ATM attacks to attacks on Point of Sale (PoS) devices, i.e. the machines used to receive payments via credit and debit cards.
Main events
The group's first identified campaign was in 2014, when it hit hundreds of ATMs across Brazil. The attackers used a black-box device fitted with a 4G USB modem to control the machine remotely. This black box was physically attached to the ATM, and its real purpose was to serve as a backdoor: it hijacked the machine's wireless connection and targeted other ATMs on the same network segment.
In 2017, another campaign was identified, this time aimed not at ATMs but at point-of-sale systems. The attackers intercepted transactions in order to capture the cryptogram used in the EMV transaction and carry out a replay attack. The malware was able to capture Track 2 data and card details, which were then forwarded to the group's C2 servers.
In mid-July 2020, another campaign by the group was spotted, this time supplying the malicious POS software to other malicious actors, who bought the malware and used it as a kind of MaaS (Malware-as-a-Service).
How the group operates
With regard to Prilex's modus operandi for ATM-type devices, the use of a "black box" connected to the network was identified, which allowed the attacker to install the malware on the computers remotely. In this type of attack, the attackers knew the administrator's login credentials, suggesting a possible insider within the affected financial institutions.
With the new attack method, using point-of-sale (PoS) malware, the attackers contact the companies through a particular service, claiming to be software support, and ask the victims to install a critical update on the system.
The "update" installed is actually remote connection/administration software, such as TeamViewer or AnyDesk, which gives the attacker remote control of the system.
They then hook the functions used by the software responsible for managing card transactions, in order to capture and modify the data transferred between the software and the PIN pad. This type of attack has two versions with different fraud methods:
- Collect the transaction cryptogram to carry out replay attacks.
- Generate new card cryptograms that will later be used by attackers.
After the information has been collected, the affiliates of this threat actor receive it through an application called "Daphne", used to clone cards, together with access to a database containing card numbers.
The threat actors have a website to sell the malware on the Deep Web, as shown in the image below.
In the description of the malware offered on the site, the group claims that it can clone cards, which can then be used for cash withdrawals and various purchases.
Another type of threat sold by the group is compromised POS machines, i.e. the devices used to read credit and debit cards, fitted with "shimmers" inserted into the machine. These have a built-in microchip that steals and stores credit and debit card data every time a person uses their card to make a payment or withdraw money.
The data from the card chip is stored in the device and then sent directly via SMS, so the device can be controlled remotely.
DDoS attack service
The Prilex threat actor also offers DDoS (Distributed Denial of Service) attack services for sale on its website; a buyer must contact the actors directly in order to order an attack and use the service.
How POS devices work
A POS device is connected to a computer - which can be an ordinary computer or one with a POS-specific operating system - that has POS software installed, usually from the vendor that created the device. The software can read the information from the payment card swiped at the POS device, extracting data such as the card number and expiry date, and can even validate the card by connecting to the payment processing server.
This works because information is stored on payment cards in a specific way. The card's magnetic stripe is divided into three tracks: 1, 2 and 3. These tracks contain various kinds of information, such as the primary account number, the cardholder's name, the expiry date and other data needed to make the payment.
For example, track 1 of the card has the format illustrated below:
For a better understanding, we have created a table so that you can identify the data passed on:
Field | Meaning
--- | ---
% | Start sentinel of track 1
B | Format code: indicates a credit or debit (bank) card
PN | Primary account number (PAN), up to 19 digits
^ | Field separator
LN | Cardholder's surname
/ | Separates the surname from the first name
FN | Cardholder's first name
^ | Field separator
YYMM | Card expiration date (two-digit year followed by two-digit month)
SC | Service code
DD | Discretionary data
? | End sentinel of track 1
A complete track 1 record therefore looks like this: %B12345678901234^ULTIMONOME/PRIMEIRONOME^2203111001000111000000789000000?
With this, the POS software can read the information from the card swiped in the device and hold it in the process's memory. It then uses this information from memory to carry out the payment process, which consists of authentication followed by the transaction.
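The following parser is an added example, not part of the ISH bulletin, that works through the track 1 layout in the table above using the bulletin's sample record. It splits the record into its fields, checks the PAN with the Luhn formula, and masks the PAN to the first six and last four digits before the record is logged, which is what a defender wants a POS or payment log pipeline to do so that card data never lands in plaintext in memory dumps or log files. The regex, field names and the Luhn/mask helpers are our own assumptions; the sample PAN is the bulletin's placeholder and is not expected to pass Luhn.

```python
"""Parse an ISO 7813 track 1 record, validate the PAN and mask it for logging.

Added example (not code from the bulletin). Layout, as in the table above:
    %B<PAN>^<SURNAME>/<FIRSTNAME>^<YYMM><SC><DD>?
"""
import re
from dataclasses import dataclass

# Sample record quoted in the bulletin (placeholder data, not a real card).
SAMPLE_TRACK1 = "%B12345678901234^ULTIMONOME/PRIMEIRONOME^2203111001000111000000789000000?"

# Regex is our assumption; field names follow the table above.
TRACK1_RE = re.compile(
    r"^%(?P<fc>[A-Z])"         # start sentinel + format code ('B' = bank card)
    r"(?P<pan>\d{1,19})\^"     # primary account number, up to 19 digits
    r"(?P<name>[^^]{2,26})\^"  # SURNAME/FIRSTNAME
    r"(?P<exp>\d{4})"          # expiry as YYMM
    r"(?P<sc>\d{3})"           # service code
    r"(?P<dd>[^?]*)\?$"        # discretionary data up to the end sentinel
)


@dataclass
class Track1:
    format_code: str
    pan: str
    surname: str
    first_name: str
    expiry_yymm: str
    service_code: str
    discretionary: str


def parse_track1(raw: str) -> Track1:
    """Split a track 1 record into fields; raise ValueError if malformed."""
    m = TRACK1_RE.match(raw)
    if not m:
        raise ValueError("not a well-formed track 1 record")
    surname, _, first = m.group("name").partition("/")
    return Track1(m.group("fc"), m.group("pan"), surname, first,
                  m.group("exp"), m.group("sc"), m.group("dd"))


def luhn_ok(pan: str) -> bool:
    """Luhn check digit validation (ISO/IEC 7812) over the whole PAN."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep first 6 and last 4 digits (the usual PCI DSS display rule), mask the rest."""
    if len(pan) <= 10:
        return "*" * len(pan)
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def sanitize_for_log(raw: str) -> str:
    """Return the record with the PAN masked so it can be written to a log safely."""
    t = parse_track1(raw)
    return raw.replace(t.pan, mask_pan(t.pan), 1)


if __name__ == "__main__":
    rec = parse_track1(SAMPLE_TRACK1)
    print(rec)
    print("luhn valid:", luhn_ok(rec.pan))
    print("safe to log:", sanitize_for_log(SAMPLE_TRACK1))
```

The masking step is the one worth copying: any component that handles track data (the POS application, its debug logs, a SIEM parser) should only ever persist the masked form, because the full PAN plus expiry and service code is exactly what the stealer modules described later in this bulletin collect.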
Indicators of compromise
MD5:
- 23b5740cc655de46d5f46ffdb78a9da0
- 7ab092ea240430f45264b5dcbd350156
- 64464d5e9049375a8417497f387b73d7
- 5aba9e5407ce6e84d17aaf922a70e747
- d130ef499a395a0cc53d750c2955a075
- 34fb450417471eba939057e903b25523
- 26dcd3aa4918d4b7438e8c0ebd9e1cfd
- f5ff2992bdb1979642599ee54cfbc3d3
- af063af98b5332792d8e611b239533e1
- 7ae9043778fee965af4f8b66721bdfab
- ba3554dcce534ce15f88543fb864b4c2
- 5387f11dbc06260049a1a92d1912a160
- 1432980adc8c6b268a3c50803dbe295a
- 37894433ba79853954d3f5f1209dd1a
- f9d5f011ac902d1eef129f3f6253147c
- 22dc6744cf0f0a361e5ed81f2f9f4712
- 570a09a349345fd6f2e615b9f3294b1
- ac6d36647b90d7b4f9c3835620e1e0ae
- 92ce37c9d99bca5e3882027757f75c22
- 17c010884dc1b2b16446a2ed42c89ed5
SHA1:
- ba8fefbe6963f108fd331f25a9ca98d9026412b9
- 7fb775e50b2b9e0b6de4cb490bdf03881abe9260
- 927225fec81ac77265945e612c19428ac49070e7
- f617627412d1225b62ceb0f0f518ce8bed0a96cc
- 1bf7777bb8fe517cc438d30a3c9c86980ac09517
- 9902e8e7adae0a1100d24f7ed6e609fad3ad0dcf
- 4493eb7428384c62611a7ca5cc5d5a378926c169
- 872397b3ac67821b1aa23cf6b4efaf9115b2d715
- 48cefb85cf40fbeb6ea11aeacd184bbeb23ee5f8
- 167375e0eb4ef26ca642ace014d2ad18c26eca1f
- 0067866ecd10cec791fa4b1af52e84825e5456cb
- e47c2748f1d5a5410d184d8588e1027613fb2e45
SHA256:
- 669bc5b9995b1cd76e5fb59925158c25c8da7ab9b6a5650088757ad5d730b223
- 0cf96b659642809cc968e491622becfa5e7e4f8f623b9bc27ad3f9241cb4ff35
- 90739b847406e362f73d49e48b8bf366276eea2ec750aa535b6ab6f3fadff294
- b3af54f8ea2e08f9ef4069fa4f87f22960cbb84519a1a86487acb82214f0995a
- 605481bd2e37f0212637653273d866a3c47ee72cfde7207d915ffe6e5093b28e
- 5cc18fa2204e0bee1f70b53af1fabe03ecce2b2b5e8baecb6fcfc76d2e8395c7
- a1ee1a386472493735f772e87e31c44bbacc058d37faade1a8ded4e2abb83939
- 36e1bde1c7e2acca43895799ec23e8a13cffa0dd52d0c72e888926971f2f2476
- 7e44f74993781edc47017a243be7bbe1ab3439f37760e50db29788f5646fcb57
- cb74e08d23c70dde7f6efebfee49563e569ccfff1541c9d5d96842fc8e8926b3
- 5eff328e4227ffdddf1f018b56fc3d8d8d65fbfcddb60fa52aa523f160b739dd
- 92e9ee53617b649dc3d1f57183b727f0274607f17e372b4fe5d5880c587eaa66
IP addresses and URLs:
- daphne.ddns.com.br
- daphne1.ddns.com.br
- daphne2.ddns.com.br
- daphne1.sytes.net
- daphne2.sytes.net
- newbackup3.sytes.net
- newtefssh.sytes.net
- prdxtefwork.sytes.net
- samsystem.ddnsking.com
- prdxboss3.ddns.net
- prdxboss2.ddns.net
- prdxboss1.ddns.net
- prdxboss1.chickenkiller.com
- http://prdxboss1.chickenkiller.com:10003
- olddossys.mooo.com
Identifying POS attacks
Having described the Prilex threat actor in more detail, we now turn to measures that can be adopted to identify point-of-sale malware.
Malware can be identified by the set of APIs it uses, which can be obtained through dynamic analysis of the malicious artifacts. When running, POS malware scans the memory of the POS software process; to do so it must first locate that process on the system.
Most POS malware uses the following API functions:
- CreateToolhelp32Snapshot
- Process32FirstW
- Process32NextW
- NtOpenProcess
- ReadProcessMemory
In your API logs, you will see continuous calls to ReadProcessMemory after the NtOpenProcess. This is because the memory blocks are read sequentially and then scanned for credit and debit card numbers, as in the following calls:
ReadProcessMemory([process_handle]0x000001A4, [base_address]0x00010000)
ReadProcessMemory([process_handle]0x000001A4, [base_address]0x00020000)
ReadProcessMemory([process_handle]0x000001A4, [base_address]0x0012D000)
ReadProcessMemory([process_handle]0x000001A4, [base_address]0x00140000)
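The detection logic below is an added example, not code from ISH or the bulletin, that turns the API pattern described above (process enumeration, NtOpenProcess, then repeated ReadProcessMemory on the same handle at increasing base addresses) into a check over an API trace. The trace format, the constructed sample lines and the threshold of three sequential reads are our own assumptions; the four ReadProcessMemory calls are the ones quoted in the bulletin. A second process in the sample enumerates processes without reading memory, the way a task manager would, and is not flagged.

```python
"""Flag processes whose API trace shows the memory-scraping sequence typical of POS malware.

Added example; the trace format and threshold are assumptions, not ISH tooling.
"""
import re
from collections import defaultdict

# Constructed trace lines: "<pid> <api>(<[name]value>, ...)", modelled on the
# call format quoted in the bulletin. PID 4120 shows the scraping pattern;
# PID 5588 only enumerates processes (benign behaviour).
SAMPLE_TRACE = """\
4120 CreateToolhelp32Snapshot([flags]0x00000002, [pid]0x00000000)
4120 Process32FirstW([snapshot]0x00000198)
4120 Process32NextW([snapshot]0x00000198)
4120 Process32NextW([snapshot]0x00000198)
4120 NtOpenProcess([process_handle]0x000001A4, [pid]0x00000F3C)
4120 ReadProcessMemory([process_handle]0x000001A4, [base_address]0x00010000)
4120 ReadProcessMemory([process_handle]0x000001A4, [base_address]0x00020000)
4120 ReadProcessMemory([process_handle]0x000001A4, [base_address]0x0012D000)
4120 ReadProcessMemory([process_handle]0x000001A4, [base_address]0x00140000)
5588 CreateToolhelp32Snapshot([flags]0x00000002, [pid]0x00000000)
5588 Process32FirstW([snapshot]0x000001B0)
5588 Process32NextW([snapshot]0x000001B0)
5588 CloseHandle([handle]0x000001B0)
"""

LINE_RE = re.compile(r"^(?P<pid>\d+)\s+(?P<api>\w+)\((?P<args>.*)\)$")
ARG_RE = re.compile(r"\[(?P<name>\w+)\](?P<val>0x[0-9A-Fa-f]+)")

ENUM_APIS = {"CreateToolhelp32Snapshot", "Process32FirstW", "Process32NextW"}
MIN_SEQUENTIAL_READS = 3   # assumed threshold; tune against your own baseline


def parse_trace(text: str) -> list:
    """Turn trace lines into (pid, api, {arg_name: int_value}) tuples."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue   # skip lines that are not API calls
        args = {a.group("name"): int(a.group("val"), 16)
                for a in ARG_RE.finditer(m.group("args"))}
        events.append((int(m.group("pid")), m.group("api"), args))
    return events


def detect_memory_scraping(events: list) -> dict:
    """Return {pid: finding} for processes that open another process and read
    its memory sequentially, optionally after enumerating processes."""
    by_pid = defaultdict(list)
    for pid, api, args in events:
        by_pid[pid].append((api, args))

    findings = {}
    for pid, calls in by_pid.items():
        seen_enum = {api for api, _ in calls if api in ENUM_APIS}
        opened = set()                       # handles returned by NtOpenProcess
        reads_by_handle = defaultdict(list)  # handle -> base addresses read
        for api, args in calls:
            if api == "NtOpenProcess" and "process_handle" in args:
                opened.add(args["process_handle"])
            elif api == "ReadProcessMemory" and args.get("process_handle") in opened:
                reads_by_handle[args["process_handle"]].append(args.get("base_address", 0))
        for handle, bases in reads_by_handle.items():
            ascending = all(a < b for a, b in zip(bases, bases[1:]))
            if len(bases) >= MIN_SEQUENTIAL_READS and ascending:
                findings[pid] = {
                    "handle": handle,
                    "reads": len(bases),
                    "full_enumeration": ENUM_APIS <= seen_enum,
                    "span": f"0x{bases[0]:08X}-0x{bases[-1]:08X}",
                }
    return findings


if __name__ == "__main__":
    for pid, f in detect_memory_scraping(parse_trace(SAMPLE_TRACE)).items():
        print(f"pid {pid}: {f['reads']} sequential reads on handle 0x{f['handle']:X} "
              f"over {f['span']} (enumerated processes first: {f['full_enumeration']})")
```

Sequential ascending base addresses on one handle are the discriminating feature: debuggers and AV engines also call ReadProcessMemory, but a scraper walks the target's address space block by block, so the ordered read pattern combined with a preceding process enumeration is a far stronger signal than any single API in isolation.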
Finally, this shows the importance of monitoring the environment, especially in order to identify new threats. For this reason, ISH is committed every day to monitoring threats and the main threat groups and to analyzing the malicious artifacts they use.
Malware families used in POS attacks
We have listed some of the main malware families used in POS (point-of-sale) attacks, with a summary of their activities and identification tips.
- Constantine: A backdoor used to manage infected machines and debug the malware in the event of a problem. This backdoor has been in use since the first campaigns targeting ATMs.
- PrilexATM: The main module used to dispense money from infected ATMs. To do this, it uses three specific libraries(P32disp0.dll, P32mmd.dll and P32afd.dl).
- Logus: A stealer-type malware designed to intercept and collect information between the payment device and the software to capture card information.
- Ghost: A variant of the Logus stealer; this version asks the card for new valid cryptograms instead of reusing the original one in a replay attack.
- SendKernel/SendCab: An upload module used to send the stolen information to the operator's server.
References:
- Heimdall by ISH Tecnologia
- Material from the person responsible for the bulletin, Caique Barqueta
- The return of Prilex - Point of Sale systems under attack - Kaspersky Lab
- https://securityaffairs.co/wordpress/137608/malware/pos-malware-stolen-card-data.html
- https://sensorstechforum.com/prilex-pos-malware-2022-attacks/