Context
Prilex has been active since at least 2014 and evolved from automated teller machine (ATM) malware into point-of-sale (POS) malware in 2016, primarily targeting Brazilian and South American retailers. In 2022, the malware evolved further, conducting fraudulent “GHOST transactions” using EMV cryptograms generated by payment cards during the payment process.
In previous cases, the threat actors behind Prilex used phone-based social engineering techniques for initial access, posing as technical support vendors, then installing Prilex on compromised hosts after being granted access.
Technical Analysis
According to Kaspersky researchers, “Prilex now implements a rule-based file that specifies whether or not to capture credit card information and an option to block NFC-based transactions.” Researchers assess that this capability is intended to force the target to insert their physical card into the reader so the malware can capture the payment data.
Kaspersky did not provide public indicators of compromise (IOCs) for the newly discovered versions.
Community Impact
In May 2021 and February 2022, unspecified US retailers reported the Prilex malware targeting their systems. The expansion of the malware into the US indicates that, over time, Prilex could become a more prevalent threat to organizations that operate POS systems in the US.