Prilex POS Malware Targeting Contactless Credit Card Transactions

Kaspersky researchers disclosed three new versions of the Prilex point-of-sale (POS) malware that include the capability to block contactless payment transactions. According to Kaspersky, the three versions have been active in the wild since at least November 2022.
Contactless credit card transaction

Context

Prilex has been active since at least 2014 and evolved from an automated teller machine (ATM) malware into a POS malware in 2016, primarily targeting Brazilian and South American retailers. In 2022, the malware evolved further, conducting fraudulent “GHOST transactions” using EMV cryptograms generated by payment cards during the payment process.

In previous cases, the threat actors behind Prilex used phone-based social engineering for initial access, posing as technical support vendors and then installing Prilex on the target hosts once the victim granted them access.

Technical Analysis

According to Kaspersky researchers, “Prilex now implements a rule-based file that specifies whether or not to capture credit card information and an option to block NFC-based transactions.” Researchers assess that the NFC block is intended to force the customer to insert the physical card into the reader so the malware can capture the payment data it targets. A contactless transaction produces a one-time identifier that is of no use for replay, whereas an inserted-card transaction exposes the data the malware is built to collect.

Kaspersky did not provide public indicators of compromise (IOCs) for the newly discovered versions.
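In the absence of IOCs, one practical option is a behavioural check over the POS estate's own transaction logs: a terminal whose contactless traffic suddenly collapses, or whose contactless attempts start failing while chip inserts rise, matches the effect the NFC block described above would have. The following is an added example written for this page, not Kaspersky's or Prilex's code; it assumes a hypothetical CSV log with `terminal`, `date`, `entry_mode` and `result` columns (real POS logs differ), and the sample rows are constructed for illustration.

```python
"""Behavioural check for NFC blocking on POS terminals.

Added example, not code from Kaspersky or from Prilex itself. Assumes a
hypothetical CSV-style transaction log with the columns below; real POS
logs use different fields and would need their own parser.
"""
import csv
import io
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample data (not real traffic). T-01 behaves normally over all
# four days. On the last two days T-02's contactless taps all fail and its
# chip inserts rise, which is the pattern a forced fallback to inserted
# cards would leave in the logs.
SAMPLE_LOG = """\
terminal,date,entry_mode,result
T-01,2022-11-01,contactless,approved
T-01,2022-11-01,contactless,approved
T-01,2022-11-01,chip,approved
T-01,2022-11-02,contactless,approved
T-01,2022-11-02,chip,approved
T-01,2022-11-02,contactless,approved
T-01,2022-11-03,contactless,approved
T-01,2022-11-03,chip,approved
T-01,2022-11-03,contactless,approved
T-01,2022-11-04,contactless,approved
T-01,2022-11-04,contactless,declined
T-01,2022-11-04,chip,approved
T-02,2022-11-01,contactless,approved
T-02,2022-11-01,contactless,approved
T-02,2022-11-01,chip,approved
T-02,2022-11-02,contactless,approved
T-02,2022-11-02,contactless,approved
T-02,2022-11-02,chip,approved
T-02,2022-11-03,contactless,error
T-02,2022-11-03,chip,approved
T-02,2022-11-03,chip,approved
T-02,2022-11-03,contactless,error
T-02,2022-11-03,chip,approved
T-02,2022-11-04,contactless,error
T-02,2022-11-04,chip,approved
T-02,2022-11-04,chip,approved
T-02,2022-11-04,chip,approved
T-02,2022-11-04,chip,approved
"""


@dataclass
class Stats:
    total: int = 0               # all transactions on the terminal
    contactless: int = 0         # contactless attempts (any result)
    contactless_errors: int = 0  # contactless attempts that ended in an error

    @property
    def contactless_share(self) -> float:
        return self.contactless / self.total if self.total else 0.0

    @property
    def contactless_error_rate(self) -> float:
        return self.contactless_errors / self.contactless if self.contactless else 0.0


def parse_log(text: str) -> list:
    """Parse the hypothetical CSV log into a list of row dicts."""
    return list(csv.DictReader(io.StringIO(text)))


def aggregate(rows: list, dates: set) -> dict:
    """Per-terminal Stats restricted to the given set of dates."""
    out = defaultdict(Stats)
    for r in rows:
        if r["date"] not in dates:
            continue
        s = out[r["terminal"]]
        s.total += 1
        if r["entry_mode"] == "contactless":
            s.contactless += 1
            if r["result"] == "error":
                s.contactless_errors += 1
    return out


def find_nfc_blocked(rows, baseline_dates, observed_dates,
                     min_baseline_share=0.3, drop_factor=0.5,
                     min_error_rate=0.5, min_observed=5) -> dict:
    """Flag terminals whose contactless usage collapsed or started failing.

    Two signals are checked because a block may show up either way: if the
    reader still logs rejected taps, the contactless error rate spikes; if
    taps are silently dropped, the contactless share of traffic collapses.
    Terminals with little contactless baseline or too few observed
    transactions are skipped to avoid noise.
    """
    base = aggregate(rows, set(baseline_dates))
    obs = aggregate(rows, set(observed_dates))
    flagged = {}
    for term, b in base.items():
        o = obs.get(term)
        if o is None or o.total < min_observed:
            continue
        if b.contactless_share < min_baseline_share:
            continue  # terminal never saw meaningful contactless traffic
        reasons = []
        if o.contactless_share <= b.contactless_share * drop_factor:
            reasons.append("contactless_share_collapsed")
        if o.contactless_error_rate >= min_error_rate:
            reasons.append("contactless_error_spike")
        if reasons:
            flagged[term] = {
                "baseline_share": round(b.contactless_share, 3),
                "observed_share": round(o.contactless_share, 3),
                "contactless_error_rate": round(o.contactless_error_rate, 3),
                "reasons": reasons,
            }
    return flagged


if __name__ == "__main__":
    rows = parse_log(SAMPLE_LOG)
    hits = find_nfc_blocked(rows, ["2022-11-01", "2022-11-02"],
                            ["2022-11-03", "2022-11-04"])
    for term, info in hits.items():
        print(term, info)
```

The thresholds are starting points, not tuned values: a store-wide promotion or a genuinely broken reader will also trip the share check, so a hit is a reason to pull the terminal's host for inspection (and to look for the remote-support activity described above), not a verdict on its own.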

Community Impact

In May 2021 and February 2022, unspecified US retailers reported Prilex targeting their systems. The malware's expansion into the US indicates that, over time, Prilex could become a more prevalent threat to organizations operating POS systems in the US.
