Prilex Group is back: malware collects bank card data to carry out scams

By Caique Barqueta

Brazil is among the countries that suffer the most cyber attacks in the world, a scenario that has worsened since the pandemic and with the global situation surrounding the armed conflict between Ukraine and Russia.

Keeping up to date on the main threats in Brazil is increasingly important: it allows you to stay one step ahead of potential attacks and to act more quickly and effectively to detect these threats and avoid the impacts and incidents that could result in damage and loss.

Below, we list the most recurrent cyber threats identified by ISH's intelligence team, Heimdall.

Cobalt Strike

We detected 1768 servers making malicious use of Cobalt Strike. Cobalt Strike is a toolkit that allows attackers to implant "beacons" on compromised devices in order to carry out remote surveillance of the network or execute commands.

Below, you can see the distribution on the map:

Figure 1 - Cobalt Strike distribution

SSH Brute Force

In the same period, we detected 2180 threats of the SSH brute force type. SSH is used for remote logins, command execution, file transfers and more. An SSH brute force attack is carried out by a threat agent that tries to log in with common usernames and passwords on several servers until it obtains a positive result.

Below, you can see the distribution on the map:

Figure 2 - SSH Brute Force distribution

IP addresses

Another key trace that threat actors leave behind, and one that helps to identify them, is the IP address. It is very valuable information for tracking and studying threat actors, and for protecting against the domains and IP addresses considered malicious.

ISH collects and analyzes the malicious activity of these main offenders on a daily basis, as shown in the screenshot below: from 01/10 to 01/11 we collected and analyzed 52,667 malicious IP addresses, which were promptly shared with customers via MISP.

Figure 3 - Geolocation of malicious IP addresses handled by the GTI

Figure 4 - MISP event related to malicious IP addresses

After presenting the main threats, vulnerabilities and malicious addresses, we at ISH will now talk about yet another threat that has returned, this time as point-of-sale (PoS) malware: Prilex.

Prilex malware

The threat actors known as Prilex have been active since mid-2014, and their malicious samples and artifacts were initially aimed at carrying out credit card fraud. In 2016, however, a campaign targeting ATMs was identified and linked to the group here in Brazil.

In 2017, this threat actor shifted from ATM attacks to attacks on Point of Sale (PoS) devices, i.e. the machines used to receive payments via credit and debit cards.

Main campaigns

The group's first identified campaign was in 2014, when it hit hundreds of ATMs across Brazil. The agents used a black box device fitted with a 4G USB modem to control the machine remotely. This black box was physically attached to the ATM, and its real purpose was to serve as a backdoor: it hijacked the machine's wireless connection and reached other ATMs on the same network segment.

In 2017, another campaign was identified, this time not against ATMs but against point-of-sale systems. The agents intercepted transactions in order to capture the cryptogram used in the EMV transaction and carry out a replay attack. The malware was able to capture Track 2 data and card details, which were then forwarded to the group's C2 servers.

In mid-July 2020, another campaign by the group was spotted, this time aimed at supplying the malicious POS software to other malicious actors, who bought the malware and used it as a kind of MaaS (Malware-as-a-Service).

How the group operates

With regard to Prilex's modus operandi against ATM-type devices, the use of a "black box" connected to the network was identified, which allowed the attacker to install the malware on the computers remotely. In this type of attack the agents already knew the administrator's login credentials, suggesting a possible insider within the affected financial institutions.

With the new attack method, using point-of-sale (PoS) malware, the malicious agents contact companies that use a particular service, claim to be software support, and ask the victims to install a critical update on the system.

The installed "update" is in fact remote connection/administration software, such as TeamViewer or AnyDesk, which gives the malicious agent the ability to control the system remotely.

They then hook the functions of the software responsible for managing card transactions in order to capture and modify the data exchanged between the software and the PIN pad. This type of attack has two versions with different fraud methods:

  • Collect the transaction cryptogram to carry out replay attacks.
  • Generate new card cryptograms that will later be used by the attackers.

Figure 5 - Example of a PoS malware attack

After the information has been collected, the affiliates of this threat agent receive it through an application called "Daphne", which is used to clone cards, and are given access to a database containing card numbers.

The threat actors have a website to sell the malware on the Deep Web, as shown in the image below.

Figure 6 - Prilex portal on the Tor network

In the description of the malware offered on the site, the group claims that it can clone cards, which can then be used for cash withdrawals and various purchases.

Another type of threat disseminated by the group is the sale of compromised POS machines, i.e. the devices used to read credit and debit cards, fitted with "shimmers" inserted into the machines. A shimmer contains a built-in microchip that steals and stores credit and debit card data every time a person uses their card to make a payment or withdraw money.

The data from the card chip is stored on the device and then sent directly via SMS, so the device can be controlled remotely.

DDoS attack service

The Prilex threat agent also offers DDoS (Distributed Denial of Service) attack services for sale on its website: a user can order DDoS attacks, but must contact the agents directly in order to use the service.

How POS devices work

A POS device is connected to a computer - either an ordinary computer or one with a POS-specific operating system - on which POS software is installed, often supplied by the vendor that created the device. This software reads the information from the payment card swiped at the POS device, extracting data such as the card number and expiry date, and can also validate the card by connecting to the payment processing server.

Information is stored on our payment cards in a specific way. The payment card has a magnetic stripe divided into three tracks: 1, 2 and 3. These tracks contain various types of information, such as the primary account number, the cardholder's name, the expiry date and other data needed to make the payment.

For example, track 1 of the card has the format illustrated below:

For a better understanding, we have created a table so that you can identify each field in the data:

%       Indicates the start of track 1.
B       Format code: indicates a credit or debit card.
PAN     Primary account number (PAN); can contain up to 19 digits.
^       Separator.
LN      The cardholder's surname.
/       Separator.
FN      The cardholder's first name.
^       Separator.
YYMM    The card's expiry date in year and month format.
SC      Service code.
DD      Discretionary data.
?       Indicates the end of track 1.

The track data should appear as follows: %B12345678901234^ULTIMONOME/PRIMEIRONOME^2203111001000111000000789000000?

With this, the POS software can read the information from the card swiped in the device and hold it in its process memory. It then uses the information held in memory to carry out the payment process, which consists of authentication followed by the transaction.
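As an added example that is not part of the original ISH article, the following Python parses a track 1 record laid out as in the table above, checks the PAN with the Luhn algorithm, masks the record for safe logging, and scans a block of text for such records. This is the kind of check a defender can run over POS application logs or a memory dump to confirm that track data is not being left in the clear. The first sample record is the one shown above; the second PAN is a constructed test number, and the function names are my own.

```python
import re

# Track 1 layout from the table: %<format code><PAN>^<SURNAME>/<FIRST NAME>^<YYMM><SC><discretionary>?
TRACK1_RE = re.compile(
    r"^%(?P<fc>[A-Z])(?P<pan>\d{1,19})\^(?P<surname>[^/^]*)/(?P<firstname>[^^]*)\^"
    r"(?P<yymm>\d{4})(?P<sc>\d{3})(?P<dd>[^?]*)\?$"
)
# Unanchored variant used to find records embedded in arbitrary text.
TRACK1_SCAN_RE = re.compile(r"%[A-Z]\d{1,19}\^[^^?]*\^\d{7}[^?]*\?")

# The record shown in the article (constructed sample data, not a real card).
SAMPLE_TRACK1 = "%B12345678901234^ULTIMONOME/PRIMEIRONOME^2203111001000111000000789000000?"
# Constructed log excerpt: two records surrounded by unrelated text. 4111111111111111 is a
# well-known Luhn-valid test number, not a live PAN.
SAMPLE_BLOB = (
    "2023-11-01 12:00:01 swipe ok " + SAMPLE_TRACK1 + "\n"
    "2023-11-01 12:00:05 heartbeat\n"
    "2023-11-01 12:00:09 swipe ok %B4111111111111111^DOE/JANE^2512101000000000? auth pending\n"
)


def luhn_ok(pan: str) -> bool:
    """Luhn check digit validation: double every second digit from the right."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def parse_track1(raw: str) -> dict:
    """Split a track 1 record into its fields; raises ValueError if the layout does not match."""
    m = TRACK1_RE.match(raw)
    if m is None:
        raise ValueError("not a track 1 record")
    f = m.groupdict()
    return {
        "format_code": f["fc"],
        "pan": f["pan"],
        "pan_luhn_valid": luhn_ok(f["pan"]),
        "surname": f["surname"],
        "first_name": f["firstname"],
        "expiry_yymm": f["yymm"],
        "service_code": f["sc"],
        "discretionary": f["dd"],
    }


def mask_track1(raw: str) -> str:
    """Return a version safe to write to logs: only the last four PAN digits, no name, no discretionary data."""
    rec = parse_track1(raw)
    pan = rec["pan"]
    masked_pan = "*" * (len(pan) - 4) + pan[-4:]
    return f"%{rec['format_code']}{masked_pan}^***/***^{rec['expiry_yymm']}{rec['service_code']}?"


def scan_for_track1(text: str) -> list:
    """Find every track 1 record embedded in a log file or memory dump."""
    return [m.group(0) for m in TRACK1_SCAN_RE.finditer(text)]


if __name__ == "__main__":
    for rec in scan_for_track1(SAMPLE_BLOB):
        fields = parse_track1(rec)
        print(mask_track1(rec), "luhn_valid=%s" % fields["pan_luhn_valid"])
```

Running the block on the constructed excerpt reports both records in masked form; note that the PAN in the article's own sample fails the Luhn check, which is exactly what you want from sample data.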

Indicators of compromise

MD5
23b5740cc655de46d5f46ffdb78a9da0
7ab092ea240430f45264b5dcbd350156
64464d5e9049375a8417497f387b73d7
5aba9e5407ce6e84d17aaf922a70e747
d130ef499a395a0cc53d750c2955a075
34fb450417471eba939057e903b25523
26dcd3aa4918d4b7438e8c0ebd9e1cfd
f5ff2992bdb1979642599ee54cfbc3d3
af063af98b5332792d8e611b239533e1
7ae9043778fee965af4f8b66721bdfab
ba3554dcce534ce15f88543fb864b4c2
5387f11dbc06260049a1a92d1912a160
1432980adc8c6b268a3c50803dbe295a
37894433ba79853954d3f5f1209dd1a
f9d5f011ac902d1eef129f3f6253147c
22dc6744cf0f0a361e5ed81f2f9f4712
570a09a349345fd6f2e615b9f3294b1
ac6d36647b90d7b4f9c3835620e1e0ae
92ce37c9d99bca5e3882027757f75c22
17c010884dc1b2b16446a2ed42c89ed5
SHA1
ba8fefbe6963f108fd331f25a9ca98d9026412b9
7fb775e50b2b9e0b6de4cb490bdf03881abe9260
927225fec81ac77265945e612c19428ac49070e7
f617627412d1225b62ceb0f0f518ce8bed0a96cc
1bf7777bb8fe517cc438d30a3c9c86980ac09517
9902e8e7adae0a1100d24f7ed6e609fad3ad0dcf
4493eb7428384c62611a7ca5cc5d5a378926c169
872397b3ac67821b1aa23cf6b4efaf9115b2d715
48cefb85cf40fbeb6ea11aeacd184bbeb23ee5f8
167375e0eb4ef26ca642ace014d2ad18c26eca1f
0067866ecd10cec791fa4b1af52e84825e5456cb
e47c2748f1d5a5410d184d8588e1027613fb2e45
SHA256
669bc5b9995b1cd76e5fb59925158c25c8da7ab9b6a5650088757ad5d730b223
0cf96b659642809cc968e491622becfa5e7e4f8f623b9bc27ad3f9241cb4ff35
90739b847406e362f73d49e48b8bf366276eea2ec750aa535b6ab6f3fadff294
b3af54f8ea2e08f9ef4069fa4f87f22960cbb84519a1a86487acb82214f0995a
605481bd2e37f0212637653273d866a3c47ee72cfde7207d915ffe6e5093b28e
5cc18fa2204e0bee1f70b53af1fabe03ecce2b2b5e8baecb6fcfc76d2e8395c7
a1ee1a386472493735f772e87e31c44bbacc058d37faade1a8ded4e2abb83939
36e1bde1c7e2acca43895799ec23e8a13cffa0dd52d0c72e888926971f2f2476
7e44f74993781edc47017a243be7bbe1ab3439f37760e50db29788f5646fcb57
cb74e08d23c70dde7f6efebfee49563e569ccfff1541c9d5d96842fc8e8926b3
5eff328e4227ffdddf1f018b56fc3d8d8d65fbfcddb60fa52aa523f160b739dd
92e9ee53617b649dc3d1f57183b727f0274607f17e372b4fe5d5880c587eaa66
IP addresses and URLs
daphne.ddns.com.br
daphne1.ddns.com.br
daphne2.ddns.com.br
daphne1.sytes.net
daphne2.sytes.net
newbackup3.sytes.net
newtefssh.sytes.net
prdxtefwork.sytes.net
samsystem.ddnsking.com
prdxboss3.ddns.net
prdxboss2.ddns.net
prdxboss1.ddns.net
prdxboss1.chickenkiller.com
http://prdxboss1.chickenkiller.com:10003
olddossys.mooo.com

Identifying POS attacks

Having described the Prilex threat agent in more detail, there are some measures that can be adopted to identify point-of-sale malware.

Malware can be identified by the set of APIs it uses, which can be obtained through dynamic analysis of the malicious artifacts. When running, the malware scans the memory of the POS software process, so it must first locate that process on the system.

Most POS malware uses the following API functions:

  • CreateToolhelp32Snapshot
  • Process32FirstW
  • Process32NextW
  • NtOpenProcess
  • ReadProcessMemory

In your API logs, you can see continuous calls to ReadProcessMemory after the NtOpenProcess. This is because the memory blocks are read sequentially and then scanned for credit and debit card numbers, as in the following calls:

ReadProcessMemory([process_handle]0x000001A4, [base_address]0x00010000)
ReadProcessMemory([process_handle]0x000001A4, [base_address]0x00020000)
ReadProcessMemory([process_handle]0x000001A4, [base_address]0x0012D000)
ReadProcessMemory([process_handle]0x000001A4, [base_address]0x00140000)
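The following Python is an added example, not code from the ISH article, showing how the pattern described above can be turned into a detection rule over a sandbox API log. It parses call lines in the same notation as the ReadProcessMemory lines quoted above, checks that the process-enumeration APIs were called, and flags any handle obtained through NtOpenProcess that is then read at several ascending base addresses, i.e. a sequential memory sweep. The sample log is constructed; argument names other than process_handle and base_address, and the function names, are my own assumptions.

```python
import re
from collections import defaultdict

# Constructed sample of an API-call log. Only the ReadProcessMemory lines follow the
# article's quoted format exactly; the other argument names are assumptions.
SAMPLE_API_LOG = [
    "CreateToolhelp32Snapshot([flags]0x00000002, [process_id]0x00000000)",
    "Process32FirstW([snapshot]0x000000F8)",
    "Process32NextW([snapshot]0x000000F8)",
    "Process32NextW([snapshot]0x000000F8)",
    "NtOpenProcess([process_handle]0x000001A4, [process_id]0x00000A1C)",
    "ReadProcessMemory([process_handle]0x000001A4, [base_address]0x00010000)",
    "ReadProcessMemory([process_handle]0x000001A4, [base_address]0x00020000)",
    "ReadProcessMemory([process_handle]0x000001A4, [base_address]0x0012D000)",
    "ReadProcessMemory([process_handle]0x000001A4, [base_address]0x00140000)",
]

CALL_RE = re.compile(r"^(?P<api>\w+)\((?P<args>.*)\)\s*$")
ARG_RE = re.compile(r"\[(?P<name>\w+)\](?P<value>[^,\s]+)")
ENUMERATION_APIS = {"CreateToolhelp32Snapshot", "Process32FirstW", "Process32NextW"}


def parse_call(line: str):
    """Split 'Api([name]value, ...)' into (api, {name: value}); None if the line is not a call."""
    m = CALL_RE.match(line.strip())
    if m is None:
        return None
    args = {a.group("name"): a.group("value") for a in ARG_RE.finditer(m.group("args"))}
    return m.group("api"), args


def analyze_api_log(lines, min_reads: int = 3) -> dict:
    """Flag handles opened with NtOpenProcess and then read at min_reads or more ascending
    base addresses. Also reports whether the process-enumeration APIs were seen at all."""
    seen = set()
    opened = set()
    reads = defaultdict(list)  # process handle -> base addresses, in log order
    for line in lines:
        parsed = parse_call(line)
        if parsed is None:
            continue
        api, args = parsed
        seen.add(api)
        if api == "NtOpenProcess" and "process_handle" in args:
            opened.add(args["process_handle"])
        elif api == "ReadProcessMemory" and "process_handle" in args and "base_address" in args:
            reads[args["process_handle"]].append(int(args["base_address"], 16))

    findings = []
    for handle, addrs in reads.items():
        ascending = all(a < b for a, b in zip(addrs, addrs[1:]))
        if handle in opened and len(addrs) >= min_reads and ascending:
            findings.append({
                "handle": handle,
                "reads": len(addrs),
                "first": hex(addrs[0]),
                "last": hex(addrs[-1]),
            })
    return {"process_enumeration": ENUMERATION_APIS <= seen, "findings": findings}


if __name__ == "__main__":
    result = analyze_api_log(SAMPLE_API_LOG)
    print("process enumeration seen:", result["process_enumeration"])
    for f in result["findings"]:
        print("sequential memory sweep on handle %s: %d reads from %s to %s"
              % (f["handle"], f["reads"], f["first"], f["last"]))
```

The threshold of three reads is a starting point; tune it against logs of the legitimate POS software in your environment, since a single ReadProcessMemory on its own is common and should not be alerted on.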

Finally, this shows the importance of monitoring the environment, especially in order to identify new threats. For this reason, ISH is committed every day to monitoring threats and the main threat groups, and to analyzing the malicious artifacts they use.

Threat agents for POS attacks

We've listed some of the main malware families that target point-of-sale (POS) devices, including a summary of their activities and identification tips.

  • Constantine: A backdoor used to manage infected machines and debug the malware in the event of a problem. This backdoor has been in use since the first campaigns targeting ATMs.
  • PrilexATM: The main module used to dispense money from infected ATMs. To do this, it uses three specific libraries (P32disp0.dll, P32mmd.dll and P32afd.dl).
  • Logus: A stealer-type malware designed to intercept and collect the information exchanged between the payment device and the software in order to capture card data.
  • Ghost: A variant of the Logus stealer; instead of reusing the original cryptogram in a replay attack, this version asks the card to generate new valid cryptograms.
  • SendKernel/SendCab: An upload module used to send the stolen information to the operator's server.
