Security researchers from Trend Micro recently discovered a strain of ATM malware dubbed PRILEX that was involved in targeted attacks in Brazil.
PRILEX is written in Visual Basic 6.0 (VB6) and was specifically designed to hijack a banking application and steal information from ATM users.
The first PRILEX attack was spotted in October 2017 by Kaspersky Lab, but the analysis conducted by Trend Micro revealed very atypical behavior. The ATM malware works by hooking certain dynamic-link libraries (DLLs) and replacing them so that it can draw its own application screens on top of the legitimate ones. The DLLs targeted by the malicious code are:
Further investigation allowed the researchers to determine that the DLLs belong to the ATM application of a bank in Brazil.
This atypical behavior, along with the fact that the malware only affects a specific brand of ATMs, suggests it was designed for highly targeted attacks.
Once it has infected an ATM, the PRILEX malware starts interfering with the banking application: it displays its own fake screen requesting that the user provide their account security code. This code is delivered to the user as part of a two-factor authentication process, and the malware captures and stores it.
One of the aspects that caught the researchers' attention is that the ATM malware tries to send data back to a C&C server, a behavior very uncommon for ATM malware, which normally cannot assume internet connectivity. The researchers believe this bank's ATMs are connected, since the attackers appear to be very familiar with these specific machines.
“In our analysis of the code, we noticed something interesting that happens at some point after it steals data: The malware tries to communicate with a remote command-and-control (C&C) server and upload both credit card data and the account security code.” reads the analysis published by Trend Micro.
“To our knowledge, this is the first ATM malware that assumes it is connected to the internet. It is likely that this bank’s ATMs are connected, since the attackers seem to be very familiar with this particular bank’s methods and processes.”
Another element that makes this attack singular is that the attackers aim to steal user information instead of jackpotting the ATM, a circumstance that suggests the criminal gang behind the attack deals in bulk stolen card data.
“There is something more important to be learned from Prilex, though. Any bank is subject to have their methods and processes analyzed by criminals and then later abused with highly targeted attacks. It’s concerning, and something that is worth looking into if you’re trying to defend your ATM infrastructure. Jackpotting attacks are very notorious, but a silent attack like this can go unnoticed for months, if not years.” continues the analysis.
“A targeted malware likely took significant time and resources to develop. This shows that in today’s world, criminals consider that a worthwhile investment.”
The researchers at Trend Micro also analyzed the recently discovered CUTLET MAKER ATM malware that was offered for sale on the Dark Web for around $5000.
The crimeware kit was discovered in October by Kaspersky. It is designed to target various Wincor Nixdorf ATM models through a vendor API, without interacting with ATM users or their data.
However, it seems that competitors have already managed to crack its licensing code, allowing anyone to use it for free.
“Careful examination reveals that the license code is not time-based, it’s just an algorithm. This is a fancy way of saying that the same input would yield the same output. Some other criminal realized this and, at some point, created a standalone program that’s similar to a classic key generator or ‘keygen’ that automatically calculates the return code.” reads the analysis.
“The code is available on the internet and relatively easy to find. This means that anybody can start victimizing ATMs without having to pay for the program—or at least ATMs with an accessible USB port.”
Other crooks have started selling the malware along with the keygen at much lower prices than the original. So far, the original author has not released a new version to address the problem.
(Security Affairs – PRILEX, ATM malware)