Prilex - Brazilian Hacker Group Targeting ATMs.
The threat actor is named after its malware, which was built from scratch using insider information about automated teller machines (ATMs) and their network. First spotted in the wild in 2014, the group began by patching legitimate software.
"Besides its capability to perform a jackpot, the malware was also capable of capturing information from magnetic strips on credit and debit cards inserted into the infected ATMs."
The largest heist in history:
The group was behind one of the largest heists on a single bank's ATMs in Brazil, infecting and jackpotting over one thousand machines, while also cloning 28,000 credit cards that had been used in these ATMs before their heist during the carnival in 2016.
"These are criminals with extensive knowledge of the payment market, and EFT software and protocols. They quickly adopted the malware-as-a-service model and expanded their reach abroad, creating a toolset that included backdoors, uploaders and stealers in a modular fashion."
"The Prilex PoS malware evolved out of a simple memory scraper into very advanced and complex malware, dealing directly with the PIN pad hardware protocol instead of using higher level APIs, doing real-time patching in target software, hooking operating system libraries, messing with replies, communications and ports, and switching from a replay-based attack to generate cryptograms for its GHOST transactions even from credit cards protected with CHIP and PIN technology." Kaspersky says.
No physical access:
The hackers didn't have any physical access to the ATMs, but were able to use a DIY device containing a 4G router and a Raspberry Pi to access the bank's network.
By opening a backdoor, they were able to hijack the bank's wireless connection and target the ATMs.
After that, the hackers decided to switch their focus from ATMs to PoS systems instead.
It should come as no surprise that the ATMs were running Windows, and since Brazil is the third-largest market for ATMs, the attack surface is large.
Prilex has evolved out of ATM-focused malware into modular point-of-sale malware targeting payment systems developed by Brazilian vendors, so-called EFT/TEF software.
The group was active until 2021, then disappeared for one year, only to reappear in 2022 with three new variants of its malware written in Visual Basic.
Created by Microsoft, Visual Basic was intended to be a programming language that is relatively easy to learn and use.
Although often considered a non-professional programming language, it obviously works well enough for this group.
A relaxed view on data breaches:
However, regarding data breaches, most Brazilians I know seem to have a very relaxed view on their data being sold off and used. Some that I have confirmed with were leaked in the MTE data breach of 2021 and told me, "well, if it leaked, then it's leaked".
Besides this, I have noticed many LAN houses still using Windows XP/7, and the Brazilians using these computers are leaving their data on them; it is amazing that hackers haven't yet discovered the trove of data available on a LAN-house computer.
Or perhaps some have....