Viry a Červi

S3 Ep102.5: “ProxyNotShell” Exchange bugs – an expert speaks [Audio + Text]

Sophos Naked Security - 1 Říjen, 2022 - 16:05
Who's affected, what you can do while waiting for Microsoft's patches, and how to plan your threat hunting...

Gone in a day: Ethical hackers say it would take mere hours to empty your network

The Register - Anti-Virus - 1 Říjen, 2022 - 11:57
300 red teamers walk into a bar…

Once they've broken into an IT environment, most intruders need less than five hours to collect and steal sensitive data, according to a SANS Institute survey of more than 300 ethical hackers. …

Kategorie: Viry a Červi

URGENT! Microsoft Exchange double zero-day – “like ProxyShell, only different”

Sophos Naked Security - 30 Září, 2022 - 15:25
Double-play 0-day in Exchange - what you need to know, and what you can do

Microsoft warns of North Korean crew posing as LinkedIn recruiters

The Register - Anti-Virus - 30 Září, 2022 - 07:53
State-sponsored ZINC allegedly passes on malware-laden open source apps

Microsoft has claimed a North Korean crew poses as LinkedIn recruiters to distribute poisoned versions of open source software packages.…

Kategorie: Viry a Červi

Stop us if you've heard this one before: Exchange Server zero-days actively exploited

The Register - Anti-Virus - 30 Září, 2022 - 05:03
Remember this next time Microsoft talks about how seriously it takes security

Updated  Infosec experts have warned zero-day flaws in Microsoft’s Exchange server are being actively exploited.…

Kategorie: Viry a Červi

Ex-eBay execs jailed for cyberstalking web critics

The Register - Anti-Virus - 30 Září, 2022 - 02:58
Still to come: Civil RICO lawsuit against e-souk and former top brass

Two now-former eBay executives who pleaded guilty to cyberstalking charges this year have been sent down and fined tens of thousands of dollars.…

Kategorie: Viry a Červi

How CIA betrayed informants with shoddy front websites built for covert comms

The Register - Anti-Virus - 30 Září, 2022 - 01:03
Top tip, don't give your secret login box the HTML form type 'password'

For almost a decade, the US Central Intelligence Agency communicated with informants abroad using a network of websites with hidden communications capabilities.…

Kategorie: Viry a Červi

Pentagon is far too tight with its security bug bounties

The Register - Anti-Virus - 29 Září, 2022 - 23:27
But overpriced, useless fighter jets? That's something we can get behind

Discovering and reporting critical security flaws that could allow foreign spies to steal sensitive US government data or launch cyberattacks via the Department of Defense's IT systems doesn't carry a high reward.…

Kategorie: Viry a Červi

S3 Ep102: How to avoid a data breach [Audio + Transcript]

Sophos Naked Security - 29 Září, 2022 - 20:45
Latest episode - listen now! Tell fact from fiction in hyped-up cybersecurity news...

Covert malware targets VMware shops for hypervisor-level espionage

The Register - Anti-Virus - 29 Září, 2022 - 15:00
Mandiant tracks back operators, finds ties to China

Emerging covert malware can target VMware environments to allow criminals to gain persistent administrative access to hypervisors, transfer files, and execute arbitrary commands on virtual machines, according to VMware and Mandiant, which discovered such a software nasty in the wild earlier this year.…

Kategorie: Viry a Červi

The secrets of Schneider Electric’s UMAS protocol

Kaspersky Securelist - 29 Září, 2022 - 10:00

UMAS (Unified Messaging Application Services) is a proprietary Schneider Electric (SE) protocol used to configure and monitor Schneider Electric PLCs. Schneider Electric controllers that use UMAS include Modicon M580 CPU (part numbers BMEP* and BMEH*) and Modicon M340 CPU (part numbers BMXP34*). Controllers are configured and programmed using engineering software – EcoStruxure™ Control Expert (Unity Pro), EcoStruxure™ Process Expert, etc.

In 2020, CVE-2020-28212, a vulnerability affecting this software, was reported, which could be exploited by a remote unauthorized attacker to gain control of a PLC with the privileges of an operator already authenticated on the controller. To address the vulnerability, Schneider Electric developed a new mechanism, Application Password, which should provide protection against unauthorized access to PLCs and unwanted modifications.

An analysis conducted by Kaspersky ICS CERT experts has shown that the implementation of the new security mechanism also has flaws. The CVE-2021-22779 vulnerability, identified in the course of the research, could allow a remote attacker to make changes to the PLC, bypassing authentication.

It was established that the UMAS protocol, in its implementation prior to the version in which the CVE-2021-22779 vulnerability was fixed, had significant shortcomings that had a critical effect on the security of control systems based on SE controllers.

By mid-August 2022, Schneider Electric had released an update for the EcoStruxure™ Control Expert software, as well as for Modicon M340 and Modicon M580 PLC firmware, that fixes the vulnerability.

This report describes:

  • the implementation of the UMAS protocol that does not use the Application Password security mechanism;
  • authentication bypass if Application Password is not enabled;
  • the principles on which the Application Password security mechanism is based;
  • mechanisms that can be used to exploit the CVE-2021-22779 vulnerability (authentication bypass where Application Password is configured);
  • operating principles of the updated device reservation mechanism.

A detailed report on the research, Schneider Electric measures designed to fix the authentication bypass vulnerability, and Kaspersky ICS CERT recommendations can be found in the full version of the article published on the Kaspersky ICS CERT website.

Object of research

UMAS (Unified Messaging Application Services) is Schneider Electric’s proprietary protocol used to configure, monitor, collect data and control Schneider Electric industrial controllers.

UMAS is based on a client-server architecture. During the research process, we used the EcoStruxure™ Control Expert PLC configuration software as the client part and a Modicon M340 CPU controller as the server part.

UMAS protocol Network packet structure

UMAS is based on the Modbus/TCP protocol.

Structure of the UMAS protocol

Specifications of the Modbus/TCP protocol include reserved Function Code values that developers can use according to their needs. A complete list of reserved values can be found in the official documentation.

Schneider Electric uses Function Code 90 (0x5A) to define that the value in the Data field is UMAS compliant.

The network packet structure is shown below, using a request to read a memory block (pu_ReadMemoryBlock) on the PLC as an example:

  • Red: Function Code 90 (0x5A)
  • Blue: Session Key 0 (0x00)
  • Green: UMAS Function 20 (0x20)
  • Orange: Data

Network packet structure

Each function includes a certain set of information in the Data field, such as offset from the base memory address, size of the data sent, memory block number, etc. For more details on the functions and session key, see the full version of the article.

Network communication

UMAS also inherits the Modbus client-server architecture. A structural diagram of the communication between the client and the server is provided below.

Communication between the client (EcoStruxure™ Control Expert) and server (PLC)

In a UMAS network packet, Function Code 0x5A is immediately followed by the Session Key.

UMAS network packet structure

Let’s examine the communication between a client and a server (a PLC, also referred to as “device” below) by analyzing a real-world traffic fragment. The screenshot below shows a packet containing the function umas_QueryGetComInfo(0x01) sent from the client (EcoStruxure™ Control Expert) to the server (the PLC).

Structure of the function:
TCP DATA – Modbus Header – 0x5A – session – 01(UMAS function code) – 00(data).

Network packet containing the function umas_QueryGetComInfo(0x01)

The device should send a response to each request received. The screenshot below shows the device’s response to the client’s request:

Server response

The status code is the status of the device’s execution of the function sent to it by the client in the previous request. The value “fe” corresponds to successful execution of the function; “fd” indicates an error. The status code is present in each response sent by the device to thecontaining a function. It is always located immediately after the session key.

Reservation procedure

A “reservation” procedure is required to make changes to a PLC. The procedure acts as authentication. Only one client (e.g., an engineering workstation) can reserve a device at any specific time for configuration or status monitoring. This is required to prevent changes from being made to a device in parallel without coordination.

The screenshot below shows a request from the engineering software to the PLC to perform the device reservation procedure in its basic variant that does not use the Application Password security mechanism.

Device reservation

The umas_QueryTakePLCReservation(0x10) function is used to reserve a device. The request containing this function includes the name of the client reserving the device and a value equal to the length of that name.

CVE-2020-28212: authentication bypass without Application Password

The main issue with the basic reservation mechanism that does not use Application Password is that an attacker can use the session key to send requests and change the device’s configuration.

In firmware versions prior to 2.7 for Modicon M340 devices, the session key has the same value each time the device is reserved, and is equal to “0x01”. This means that attackers can make changes on the device by calling the relevant functions after the device has been reserved by a legitimate user.

The attack workflow is shown in the diagram below:

Remote threat actor attack workflow. Modicon M340 firmware prior to version 2.7, device reserved by an engineer

If the device has not been reserved at the time of an attack, the attacker can use the umas_QueryTakePLCReservation(0x10) function to reserve the device in order to make changes to it.

With Modicon M340 firmware version 2.7 or later, the session key takes a random value after device reservation. However, the session key is one byte in length, which means there are only 256 possible session ID values. This enables a remote unauthorized attacker to brute-force an existing ID of a session between a legitimate user and the PLC.

To carry out this type of attack, a remote attacker needs to send a series of network requests on port 502/TCP of the PLC with different session ID values and look at responses returned by the PLC. If the correct session ID was sent, the attacker will get the status code 0xfe, which means the request was fulfilled successfully. Otherwise, the attacker will get the status code 0xfd.

The operations described above can be implemented using any programming language – an attacker does not have to use EcoStruxure™ Control Expert or any other dedicated software to communicate with the device.

Application Password

To mitigate the CVE-2020-28212 vulnerability, exploitation of which could allow a remote unauthorized attacker to gain control of the PLC with the privileges of an operator already authenticated on the PLC, Schneider Electric developed a new security mechanism that used cryptographic algorithms to compute the session ID and increased the session ID length. Schneider Electric believed implementing this security mechanism would prevent brute-force attacks that could be used to crack single-byte session IDs.

The new mechanism was introduced starting with firmware version 3.01 for Modicon M340 devices. To implement authentication between the client and the device, Application Password needs to be enabled in project settings (“Project & Controller Protection”). The mechanism is designed to provide protection against unauthorized access, unwanted changes, as well as unauthorized downloading or uploading of PLC strategies.

After activating the mechanism using EcoStruxure™ Control Expert, the client needs to enter the password when connecting to a device as part of the reservation procedure. Application Password also makes changes to the reservation mechanism itself.

An analysis conducted by Kaspersky ICS CERT experts has shown that the implementation of the new security mechanism was, unfortunately, also flawed. Its main shortcoming is that during the authentication process, all computations are performed on the client side, i.e., on the side of EcoStruxure™ Control Expert engineering software. The vulnerability identified during research, CVE-2021-22779, could allow a remote attacker to bypass authentication and use functions that require reservation to make changes to the PLC.

For more details on the implementation of Application Password and on the security flaws identified by Kaspersky ICS CERT researchers, read the full version of the article published on the Kaspersky ICS CERT website. For more information, you can also contact us at ics-cert@kaspersky.com.

Microsoft to kill off old access rules in Exchange Online

The Register - Anti-Virus - 29 Září, 2022 - 01:34
Awoooogah – this is your one-year warning to switch over, enterprises

Microsoft next month will start phasing out Client Access Rules (CARs) in Exchange Online – and will do away with this means for controlling access altogether within a year.…

Kategorie: Viry a Červi

Matrix chat encryption sunk by five now-patched holes

The Register - Anti-Virus - 28 Září, 2022 - 23:22
You take the green pill, you'll spend six hours in a 'don't roll your own crypto' debate

Four security researchers have identified five cryptographic vulnerabilities in code libraries that can be exploited to undermine Matrix encrypted chat clients. This includes impersonating users and sending messages as them.…

Kategorie: Viry a Červi

The web's cruising at 13 million new and nefarious domain names a month

The Register - Anti-Virus - 28 Září, 2022 - 22:20
Or so Akamai is dying to tell us

Akamai reckons that, in the first half of 2022 alone, it flagged nearly 79 million newly observed domains (NODs) as malicious.…

Kategorie: Viry a Červi

Optus breach – Aussie telco told it will have to pay to replace IDs

Sophos Naked Security - 28 Září, 2022 - 20:55
Licence compromised? Passport number burned? Need a new one? Who's going to pay?

Want to sneak a RAT into Windows? Buy Quantum Builder on the dark web

The Register - Anti-Virus - 28 Září, 2022 - 19:00
Beware what could be hiding in those LNK shortcuts

A tool sold on the dark web that allows cybercriminals to build malicious shortcuts for delivering malware is being used in a campaign pushing a longtime .NET keylogger and remote access trojan (RAT) named Agent Tesla.…

Kategorie: Viry a Červi

Hacked Fast Company sends 'obscene and racist' alerts via Apple News

The Register - Anti-Virus - 28 Září, 2022 - 18:30
Someone going by 'Thrax' claims responsibility for 'incredibly easy' breach

Apple News shut down Fast Company's news channel after "an incredibly offensive alert" was sent to subscribers following a hack of the business publication on Tuesday evening.…

Kategorie: Viry a Červi

Reducing the risk of human error in cyber security

The Register - Anti-Virus - 28 Září, 2022 - 15:56
Tips on how to turn a potential weakness into a towering strength

Webinar  We all make mistakes. Some happy accidents enhance the way we live. Matches were invented when scientist John Walker was cleaning his laboratory with a wooden stick coated in chemicals and it caught fire. But if you are trying to secure your data, unforced errors are the last thing you need to torch it.…

Kategorie: Viry a Červi

Ever suspected bankers could just use WhatsApp comms? $1.8b says you're right

The Register - Anti-Virus - 28 Září, 2022 - 15:00
Thought shadow IT at your office was bad? Try enforcing workplace device policies on hedge fund traders

Updated  Ever given a colleague a quick Signal call so you can sidestep a monitored workplace app? Well, we'd hope you're not in a highly regulated industry like staff at eleven of the world's most powerful financial firms, who yesterday were fined nearly $2 billion for off-channel comms.…

Kategorie: Viry a Červi

Prilex: the pricey prickle credit card complex

Kaspersky Securelist - 28 Září, 2022 - 10:00

Prilex is a Brazilian threat actor that has evolved out of ATM-focused malware into modular point-of-sale malware. The group was behind one of the largest attacks on ATMs in the country, infecting and jackpotting more than 1,000 machines, while also cloning in excess of 28,000 credit cards that were used in these ATMs before the big heist. But the criminals’ greed had no limits: they wanted more, and so they achieved it.

Active since 2014, in 2016, the group decided to give up ATM malware and focus all of their attacks on PoS systems, targeting the core of the payment industry. These are criminals with extensive knowledge of the payment market, and EFT software and protocols. They quickly adopted the malware-as-a-service model and expanded their reach abroad, creating a toolset that included backdoors, uploaders and stealers in a modular fashion. Since then, we have been tracking the threat actor’s every move, witnessing the damages and great financial losses they brought upon the payments industry.

The Prilex PoS malware evolved out of a simple memory scraper into very advanced and complex malware, dealing directly with the PIN pad hardware protocol instead of using higher level APIs, doing real-time patching in target software, hooking operating system libraries, messing with replies, communications and ports, and switching from a replay-based attack to generate cryptograms for its GHOST transactions even from credit cards protected with CHIP and PIN technology.

It all started with ATMs during a carnival celebration

During the carnival of 2016, a Brazilian bank realized that their ATMs had been hacked, with all the cash contained in those machines stolen. According to reports from law enforcement agencies, the criminals behind the attack were able to infect more than 1,000 machines belonging to one bank in the same incident, which allowed them to clone 28,000 unique credit cards across Brazil.

The attackers did not have physical access to the machines, but they were able to access the bank’s network by using a DIY device containing a 4G router and a Raspberry PI. By opening a backdoor, they were able to hijack the institution’s wireless connection and target ATMs at will. After obtaining initial network access, the attacker would run a network recognition process to find the IP address of each of the ATMs. With that information in hand, the attackers would launch a lateral movement phase, using default Windows credentials and then installing custom-crafted malware in the desired systems. The backdoor would allow the attacker to empty the ATM socket by launching the malware interface and typing a code supplied by the mastermind, the code being specific to each ATM being hacked.

ATM infected with Prilex ready to dispense money

The malware used in the attack was named Prilex and had been developed from scratch by using privileged information and advanced knowledge of the ATM network. To control the ATMs, Prilex did patch in legitimate software for jackpotting purposes. Besides its capability to perform a jackpot, the malware was also capable of capturing information from magnetic strips on credit and debit cards inserted into the infected ATMs. Afterwards, this valuable information could be used to clone cards and steal further funds from the bank’s clients.

Evolving into PoS malware

Prilex has evolved out of ATM-focused malware into modular point-of-sale malware targeting payment systems developed by Brazilian vendors, the so-called EFT/TEF software. As we noted in 2018, there are many similarities between their ATM and PoS versions. Their first PoS malware was spotted in the wild in October 2016. The first two samples had 2010/2011 as the compilation date, as shown on the graph below. However, we believe that invalid compilation dates were set due to incorrect system date and time settings. In later versions, the timestamps corresponded to the times when the samples were discovered. We also noticed that in the 2022 branch, the developers started using Subversion as the version control system.

Versions of the Prilex PoS malware: 3 new versions in 2022 (download)

As we see on the graph, Prilex was highly active in 2020, but suddenly disappeared in 2021, resurfacing in 2022 with a release of three new variants.

The PoS version of Prilex is coded in Visual Basic, but the stealer module, described in this article, is in p-code. In a nutshell, this is an intermediate step between high-level instructions in a Visual Basic program and the low-level native code executed by a CPU. Visual Basic translates p-code statements into native code at runtime.

A link to the past

Prilex is not the only type of PoS malware to originate in Brazil. We saw a weak link with the old Trojan-Spy.Win32.SPSniffer, which we described in 2010: both families are able to intercept signals from PIN pads, but use different approaches in doing so.

PIN pads are equipped with hardware and security features to ensure that security keys are erased if someone tries to tamper with the device. In fact, the PIN is encrypted in the device upon entry using a variety of encryption schemes and symmetric keys. Most often, this is a triple DES encoder, making it hard to crack the PIN.

There is a problem, though: these devices are always connected to a computer via a USB or serial port, which communicates with the EFT software. Older and outdated PIN pad devices use obsolete and weak cryptography schemes, making it easy for malware to install a USB or serial port sniffer to capture and decrypt the traffic between the PIN pad and the infected system. This is how SPSniffer gets credit card data. Sometimes the traffic is not even encrypted.

SPSniffer: serial port sniffer allowing capture of not-encrypted traffic

The main approach used by Prilex for capturing credit card data is to use a patch in the PoS system libraries, allowing the malware to collect data transmitted by the software. The malware will look for the location of a particular set of executables and libraries in order to apply the patch, thus overwriting the original code. With the patch in place, the malware collects the data from TRACK2, such as the account number and expiration date, in addition to other cardholder information needed to perform fraudulent transactions.

Initial infection vector

Prilex is not a widespread type of malware, as it is not distributed through email spam campaigns. It is highly targeted and is usually delivered through social engineering, e.g., a target business may receive a call from a “technician” who insists that the company needs to update its PoS software. The fake technician may visit the target in person or request the victims to install AnyDesk and provide remote access for the “technician” to install the malware.

Warning from a PoS vendor about Prilex social engineering attacks

Messing with the EMV standard

Brazil began migrating to EMV in 1999, and today, nearly all cards issued in the country are chip enabled. A small Java-based application lives inside the chip and can be easily manipulated in order to create a “golden ticket” card that will be valid in most—if not all—point-of-sale systems. This knowledge has enabled the criminals to upgrade their toolset, allowing them to create their own cards featuring this new technology and keeping them “in the business.”

The initial versions of Prilex were capable of performing the “replay attack,” where, rather than breaking the EMV protocol, they instead took advantage of poor implementations. Since payment operators fail to perform some of the validations required by the EMV standard, criminals can exploit this vulnerability within the process to their benefit.

In this kind of attack, fraudsters push regular magnetic stripe transactions through the card network as EMV purchases, as they are in control of a payment terminal and have the ability to manipulate data fields for transactions put through that terminal. Later they switched to capturing traffic from real EMV-based chip card transactions. The thieves could insert stolen card data into the transaction stream, while modifying the merchant and acquirer bank account on the fly.

Brazilian cybercriminals have successfully launched replay attacks since at least 2014. As pointed out by Brian Krebs, a small financial institution in New England battled some $120,000 in fraudulent charges from Brazilian stores within less than two days. The bank managed to block $80,000, but the bank’s processor, which approves incoming transactions when the core systems are offline, let through the other $40,000. All of the fraudulent transactions were debit charges. All of them came across MasterCard’s network and appeared to be chip transactions without a PIN to MasterCard’s systems.

Also worth mentioning is the attack against a German bank in 2019, which registered €1.5 million in losses and used the same technique. The Prilex gang claimed responsibility. Judging by the name fields and the functionality of the tool, they probably used the software they are selling in the black market.

To automate attacks using cloned credit cards, Prilex criminals used tools like Xiello, discovered by our telemetry in 2020. This tool allows the cybercriminals to use credit cards in a batch when making fraudulent purchases. It sends the purchase data to credit card acquirers, who then approve or deny the transactions.

Xiello tool used by Prilex to automate transactions

As the payment industry and credit card issuers fixed EMV implementation errors, replay attacks became obsolete and ineffective, pushing the Prilex gang to innovate and adopt other ways of credit card fraud.

From “Replay” to “Ghost”

The latest versions of Prilex show certain differences to previous ones in the way the attack occurs: the group has switched from the replay attacks to fraudulent transactions using cryptograms generated by the victim card during the in-store payment process, referred to by the malware authors as “GHOST transactions.”

In these attacks, the Prilex samples were installed in the system as RAR SFX executables that extracted all required files to the malware directory and executed the installation scripts (VBS files). From the installed files, we can highlight three modules used in the campaign: a backdoor, which is unchanged in this version except for the C2 servers used for communication; a stealer module; and an uploader module.

Prilex methods of maintaining persistence

The stealer module is responsible for intercepting all communications between the point-of-sale software and the PIN pad used for reading the card during the transaction. Once it identifies a running transaction, the malware will intercept and modify the content of the transaction in order to be able to capture the card information and to request new EMV cryptograms to the victim’s card. These cryptograms are then used in the GHOST transactions.

Method used to parse the PIN pad messages sent/received

In order to target a specific process, the criminals will perform an initial screening of the machine—to check if it is an interesting target with enough credit card transactions and to identify the process they will target.

After the process is identified, the malware will move forward to install the hooks needed to intercept the transaction information. As the communication between the PoS software and the card reader happens through the COM port, the malware will install a hook to many Windows APIs inside the targeted process, aiming to monitor and change data as needed. Interestingly enough, instead of allocating memory to the hook procedure, Prilex finds free space within the modules memory, a technique called code cave, making it hard for some security solutions to detect the threat in an infected system.

Hook code added into CloseHandle process

All captured information from the transaction is saved to an encrypted file placed in a directory previously set by the malware configuration. Those files will later be sent to the malware C2 server, allowing the cybercriminals to make transactions through a fraudulent PoS device registered in the name of a fake company.

Captured credit card data that will be later sent to the operator server

The previous version monitored the transaction in order to get the cryptogram, generated by the card for the original transaction, and then to perform a replay attack using the collected cryptogram. In this case, the cryptogram has the same ATC (Application Transaction Counter), allowing the fraudulent transaction to be identified by the reuse of the ATC as well as the fact that the date inside the cryptogram did not match the date when it was submitted, as the fraudulent transactions were submitted at a later point in time.

In GHOST attacks performed by the newer versions of Prilex, it requests new EMV cryptograms after capturing the transaction. These cryptograms will then be used in a fraudulent transaction through one of the cybercrime tools whose output log can be seen below.

[START GHOST] _ 80CA9F17 | 9F1701039000 | 002000800826435643FFFFFFFF | Check PIN 9000 _| 80AE80001D00000000010000000000000000760000008000098620060600B4E5C6EB -> Generate AC 80128000AA5EA486052A8886DE06050A03A4B8009000 -> Generated ARQC [END GHOST]

The table above shows the data collected from the malware. It contains the Authorization Request Cryptogram (ARQC) that was generated by the card and should now be approved by the card issuer. After dissecting the response (80128000AA5EA486052A8886DE06050A03A4B8009000), we have the following information.

Data Field details 80 12 Size of the response: 18 bytes 80 Cryptogram Information Data: ARQC (Authorization Request Cryptogram): go and ask the issuer 00AA ATC: Application Transaction Counter 5EA486052A8886DE Application Cryptogram 06050A03A4B800 Issuer Application Data 9000 Response OK

Multiple application cryptograms are applied to the card, where the amount of the transaction (blue), ATC (green) and the generated cryptogram (red) change for each transaction.

[START GHOST] 80CA9F179F1701039000002000800826435643FFFFFFFF900080AE80001D00000000010000000000000000760000008000098620060600B4E5C6EB80128000AA5EA486052A8886DE06050A03A4B8009000
[END GHOST] [START GHOST] 80CA9F179F1701039000002000800826435643FFFFFFFF900080AE80001D00000000100000000000000000760000008000098620060600E22CB55580128000AB8E988F00ACEE5D4806050A03A4B8009000
[END GHOST] [START GHOST] 80CA9F179F1701039000002000800826435643FFFFFFFF900080AE80001D0000000020000000000000000076000000800009862006060007EBA76480128000AC5E1E75557CC57E1206050A03A4B8009000
[END GHOST] [START GHOST] 80CA9F179F1701039000002000800826435643FFFFFFFF900080AE80001D000000003000000000000000007600000080000986200606002598491680128000ADCF54C11A58083ADB06050A03A4B8009000
[END GHOST]

In a nutshell, this is the entire Prilex scheme:

Prilex: from infection to cashout

Backdoor module

The backdoor has many commands, and aside from memory scanning common to memory scrappers, older (ATM) Prilex versions also featured a command to debug a process and peek into its memory. It is highly likely that this was used to understand target software behavior and perform adjustments on the malware or environment to perform fraudulent transactions. Older versions of Prilex performed patching on specific software libraries, whereas newer samples do not rely on specific software anymore and will instead hook Windows APIs to perform its job.

The Prilex debugger

Here’s a list of commands used in the ATM version of Prilex, which include debugging:

Reboot, SendKeys, ShowForm, Inject, UnInject, HideForm, Recursos, GetZip, SetStartup, PausaProcesso, LiberaProcesso, Debug, SendSnapShot, GetStartup, CapRegion, CapFerro, KillProcess, Shell, Process, GetModules, GetConfig, StartSendScreen, StopSendScreen, ReLogin, StartScan, GetKey, SetConfig, RefreshScreen, Download, TakeRegions, Enviar Arquivo, ScanProcessStart, ScanProcessStop, StartRegiao, StopRegiao, StartDownload, StopDownload.

Even though a new set of commands has been added to the PoS version, we could find some of those from the ATM attack still being used. Numerous available commands are for general use, allowing the criminals to collect information about the infected machine.

Command Description Download Download a file from the remote server Shell Execute a specified command via CMD GetConfig Get the configuration file KillProcess Terminate a process SetStartup Add the process to a startup registry key StartSendScreen Start screen capture StopSendScreen Stop screen capture Uploader Module

This module is responsible for checking the directory specified in the CABPATH parameter in the config file and sending all cab files generated from the stolen transactions to the server; the files are sent through an HTTP POST request. The endpoint used by the module is also mentioned in the uploader configuration file.

[SNDCAB] CABHOST=C2 CABPORT=80 CABPAGE=/upload.php CABPATH=c:\cab

The use of this module indicates a change in the group’s operation structure, since in the previous version, the collected information was sent to a server whose address was hardcoded into the stealer code, and the module used the same protocol as the backdoor. This uploader allows the operator to set the endpoint for the collected information as indicated in the configuration file; judging from the samples analyzed, it is possible to see a different infrastructure involved in the process.

Captured data stored in the uploader C2

Malware-as-a-service

In 2019, a website claiming to be affiliated with Prilex started offering what it said was a malware package created by the group. We have little confidence in these claims: the site could be operated by copycats trying to impersonate the group and catch some money using the reputation Prilex has earned over the years.

This website was still up and running at the time of writing this.

The asking price for what is supposedly a Prilex PoS kit is $3,500.

The website says its owners have worked with Russian cybercriminals in the past, another claim we cannot confirm. Worth mentioning, too, is that our Digital Footprint Intelligence service found citations of a Prilex malware package sold through Telegram chats, in an underground channel, priced between €10,000 and $13,000. We have no way of confirming that what is being offered is the real Prilex malware.

At the same time, Prilex now using Subversion is a clear sign they are working with more than one developer.

Conclusions

The Prilex group has shown a high level of knowledge about credit and debit card transactions, and how software used for payment processing works. This enables the attackers to keep updating their tools in order to find a way to circumvent the authorization policies, allowing them to perform their attacks.

Over years of activity, the group has changed its attack techniques a lot. However, it has always abused processes relating to PoS software to intercept and modify communications with the PIN pad. Considering that, we strongly suggest that PoS software developers implement self-protection techniques in their modules, such as the protection available through our Kaspersky SDK, aiming to prevent malicious code from tampering with the transactions managed by those modules. To credit card acquirers and issuers, we recommend avoiding “security by obscurity”: do not underestimate the fraudster. All EMV validations must be implemented!

Prilex’s success is the greatest motivator for new families to emerge as fast-evolving and more complex malware with a major impact on the payment chain.

To financial institutions who fell victims to this kind of fraud, we recommend our Kaspersky Threat Attribution Engine to help IR teams with finding and detecting Prilex files in attacked environments.

The Prilex family is detected by all Kaspersky products as HEUR:Trojan.Win32.Prilex and HEUR:Trojan.Win64.Prilex. More details about the threat and a full analysis is available to customers of our Threat Intelligence Reports. With any requests about our private reports, please contact crimewareintel@kaspersky.com.

Syndikovat obsah