In 2014, Prilex was a type of malware that targeted ATMs. It switched to PoS (point of sale) devices in 2016, but it wasn't until 2020 that the malware reached its peak. After that, it faded away in 2021.
Analysts at Kaspersky say that Prilex is back, and it looks like a more advanced and dangerous version of the malware has resurfaced this time. The latest version of this malware can create EMV (Europay, MasterCard, and Visa) cryptograms, which VISA introduced as a transaction validation system to help find and stop payment fraud.
The Kaspersky report explains that it lets threat actors use EMV cryptograms to do "GHOST transactions" with credit cards protected by CHIP and PIN technology.
The infection starts when a spear phishing email pretending to be from a technician from a PoS vendor says that the company needs to update its PoS software. Next, the fake technician goes to the target's location and installs a malicious upgrade on the PoS terminals. The attackers could also tell the victim to install the AnyDesk remote access tool on their computer and then use it to replace the PoS firmware with a version that has been tampered with.
After the machine is infected, the operators will check to see if the target does enough financial transactions to be worth their time.
The new version of Prilex has a backdoor for communication. The backdoor can do many different things, like open files, run commands, end processes, change the registry, and record the screen. Once the information is encrypted and saved locally on the infected computer, the malware sends periodic requests to the control server.
Kaspersky concluded that the Prilex group knows a lot about how credit and debit card transactions work and how software used for payment processing works. This knowledge allows attackers to keep updating their tools until they find a way to get around the authorization policies and carry out their attacks.