Prilex Brazilian Threat Group

INTRODUCTION

This blog summarizes the findings of an investigation into the current status of the Brazilian threat group known as 'Prilex' who came to prominence in late 2017 and early 2018 for their ATM jackpotting and point-of-sale (POS) terminal attacks.

Whilst the group were believed to have been active since 2014, a distinct absence of 'chatter' and reporting of their activity since 2018 seemingly suggested that the group had ceased operations. That was until December 2019, when a domain was registered purportedly by Prilex, the 'Famous Brazil Hacking Team', and used to advertise the sale of nefarious software alongside a distributed denial of service (DDoS) offering.

Investigations into this domain identified two additional domains/websites, also related to payment card fraud, that offer nefarious software sharing numerous similarities with that offered by Prilex. As such, the links between these three websites suggest that they are operated by one and the same threat actor or group.

Upon further analysis of the nefarious software offered, based on covert interactions with the threat actor via Telegram and reviewing 'customer' videos, the threat to the financial and retail industries does not appear credible, especially given that stolen payment card data visible within these testimonial videos was leaked some three months prior to filming.

As such, it is likely that the current operator of the Prilex domain/website, and associated assets, is attempting to defraud would-be threat actors through the sale of fake or malicious software.

This hypothesis is further supported by a number of Telegram groups that pair the Prilex name, or the associated identities 'ClonedCards' and 'FraudMechanics', with the words 'ripper' or 'scam' (Figure 1).


Figure 1 - Telegram channels attempting to warn others of potential fraud

Whilst the 'original' Prilex ATM threat is thought to have subsided, malicious samples detected as a variant of 'Trojan/Win32.Prilex' are still being observed, some with up-to-date compilation timestamps, albeit these appear to be structurally identical to the early threat developed in Microsoft Visual Basic 6. As such, and given the high detection rate by antivirus solutions combined with the failure to update or protect the malicious binary through the use of either 'cryptors' or 'packers', it is hypothesized that these files do not pose a credible threat and may be a result of old threats being traded on underground sites or of security researcher activity.

Domain/Website

Somewhat out of character for the former Prilex threat group, the domain prilex[.]io was registered on 27 December 2019, albeit without any identifiable contact information (Figure 2), and followed by the creation of an easily accessible surface website.

Domain Name: PRILEX.IO
Registry Domain ID: D503300001182697383-LRMS
Registrar URL: http://www.netim.com
Updated Date: 2020-02-25T20:36:14Z
Creation Date: 2019-12-27T05:48:21Z
Registry Expiry Date: 2020-12-27T05:48:21Z
Registrar: NETIM SARL
Registrar IANA ID: 1519
Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
Registrant Country: AU
Name Server: NIA.NS.CLOUDFLARE.COM
Name Server: PATRICK.NS.CLOUDFLARE.COM
DNSSEC: unsigned

Figure 2 - Whois record for prilex[.]io

Note: Other than a change in name server configuration from the registrar's nsX[.]netim[.]net servers to CloudFlare three days after registration, there have been no notable changes in Whois records for this domain.

Visitors to this purported Prilex domain are presented with a page that links to details of the group's offerings, two of which, 'EMV Software' and 'POS ATM Malware', could be considered consistent with their previous modus operandi, and a somewhat out-of-place 'DDOS Service' (Figure 3).


Figure 3 - Prilex Website

Presumably to reassure any sceptical customers, the website has an 'inquiries' page that reiterates their claims of being the original creators of the Prilex POS Malware along with links to past press coverage as some form of reference. Furthermore, the website claims that the group are now offering their tools directly to the public rather than selling to 'Russian' resellers (Figure 4), a fact reiterated by the threat actor during a covert interaction via Telegram.


Figure 4 - 'Prilex Hacking Team' explaining their return

Interestingly, a Google Analytics tracking identifier found on this Prilex website, UA-155795731-5, identifies two additional domains that can be linked to the same threat actor or group with high confidence:

  • clonedcards[.]com
  • fraudmechanics[.]com

Notably, both of these domains were registered in December 2019, albeit using a different registrar and a Whois privacy protection service, and, as can be inferred from the domain names, contain somewhat related content.
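The pivot described above, linking sites through a shared Google Analytics identifier, is easy to automate when reviewing a set of suspect pages. The following Python is an added example written for this post, not code from the investigation: the HTML snippets are constructed, and only the identifier UA-155795731-5 and the three domain names come from the findings above. It groups on the account number (the middle field of the identifier) so that sites using different property indexes of the same account are also linked, which goes slightly beyond the exact-match case in the text.

```python
import re
from collections import defaultdict

# Constructed sample pages (the HTML is invented for this example; only the
# tracking identifier UA-155795731-5 and the three domains are from the report).
SAMPLE_PAGES = {
    "prilex[.]io": '<script>ga("create", "UA-155795731-5", "auto");</script>',
    "clonedcards[.]com": "<script async src='https://www.googletagmanager.com/gtag/js?id=UA-155795731-5'></script>",
    "fraudmechanics[.]com": "<script>gtag('config', 'UA-155795731-5');</script>",
    "unrelated[.]example": "<script>gtag('config', 'UA-000000000-1');</script>",  # constructed, unrelated
}

# Universal Analytics identifiers have the form UA-<account>-<property index>.
GA_ID_RE = re.compile(r"\bUA-(\d{4,10})-(\d{1,3})\b")


def extract_ga_ids(html):
    """Return the set of (account, property_index) pairs found in a page."""
    return {(m.group(1), m.group(2)) for m in GA_ID_RE.finditer(html)}


def group_by_account(pages):
    """Map each GA account number to the sorted list of domains that embed it.

    Grouping on the account number rather than the full identifier also links
    sites that use a different property index of the same account.
    """
    groups = defaultdict(set)
    for domain, html in pages.items():
        for account, _index in extract_ga_ids(html):
            groups[account].add(domain)
    return {account: sorted(domains) for account, domains in groups.items()}


def linked_domains(pages, seed):
    """Domains that share at least one GA account with the seed domain."""
    linked = set()
    for domains in group_by_account(pages).values():
        if seed in domains:
            linked.update(domains)
    linked.discard(seed)
    return sorted(linked)


if __name__ == "__main__":
    for account, domains in group_by_account(SAMPLE_PAGES).items():
        print(f"UA-{account}: {', '.join(domains)}")
    print("linked to prilex[.]io:", linked_domains(SAMPLE_PAGES, "prilex[.]io"))
```

A shared identifier is strong but not conclusive evidence on its own; it is worth confirming with the design, registration timing and chat-widget overlaps noted later in this post before attributing sites to one operator.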

Purportedly offering cloned payment cards and stolen payment card data 'dumps' for sale, clonedcards[.]com uses design elements, terminology and language that are consistent with the Prilex website but contains no visible or mentioned link between their operations. This is also true for fraudmechanics[.]com, purportedly offering GSM skimmers and EMV software for sale, although the software screenshots closely resemble those used on the Prilex website and offer further evidence that all three domains and websites (Figure 5) are highly likely operated by the same threat actor or group.


Figure 5 - Website similarities (Blue: Embedded Telegram preview; Red: 'Tawk.to' live chat)

EMV Software

Advertised as having the ability to duplicate, encode, erase, read and write EMV card data, the software reportedly functions with over twenty different hardware EMV writers and is updated frequently to "combat patches from banks" (Figure 6).


Figure 6 - EMV Software (Left: 'Prilex Chip Software', Right: 'EMV IK Software' from FraudMechanics)

As can be observed from the screenshots, the EMV software offered on the two related websites shares numerous similarities in interface and claimed functionality, albeit would-be purchasers are charged more for the 'Prilex' name: USD 3,500 versus USD 3,000 from 'FraudMechanics'.

In order to make a purchase, both websites instruct customers to contact them via Telegram and, only after discussing the purchase with the threat actor, a potentially unique bitcoin address is provided for payment.

Whilst the validity of this tool cannot be confirmed without gaining access to a sample, a recent report [1] identified a potential vulnerability in the implementation of EMV alongside traditional magnetic stripe technology that could provide an opportunity for 'EMV-bypass cloning'.

EMV-bypass attacks require a threat actor to obtain EMV card data, typically through the use of a 'shimmer' inserted into a point-of-sale (POS) terminal, and then translate the captured data for encoding onto the magnetic stripe of the clone card.

Subsequently, financial institutions failing to check for a valid card verification value (CVV) during a 'swipe' transaction could allow a threat actor to utilize a cloned card and effectively bypass the security that the EMV standard provides, especially given that the clone card's magnetic stripe would carry the iCVV captured from the original EMV chip rather than the CVV belonging to the magnetic stripe, a mismatch that a proper check would detect.

Notably, this software makes no reference to this attack method and therefore may not have this capability.
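The issuer-side check that the report [1] and the paragraphs above turn on is simple to state: on a swipe transaction, the verification value carried in the Track 2 discretionary data must match the magnetic-stripe CVV, and a value that instead matches the chip's iCVV is a sign that chip data was copied onto a stripe. The following Python is an added example, not code from the report or from any issuer. It assumes the standard Track 2 layout (PAN, '=', YYMM expiry, three-digit service code, discretionary data), assumes the CVV is the last three discretionary digits (placement is issuer-specific), and uses constructed card records with fixed CVV/iCVV values instead of deriving them under a Card Verification Key.

```python
import re

# Constructed issuer records. Real issuers derive the CVV (stripe) and iCVV
# (chip) from PAN, expiry and service code under a Card Verification Key; the
# values here are invented so the example runs offline.
ISSUER_DB = {
    "4000001234567899": {"expiry": "2512", "service_code": "201", "cvv": "123", "icvv": "456"},
}

# Track 2: PAN '=' YYMM service-code discretionary-data (standard layout, assumed here).
TRACK2_RE = re.compile(r"^(?P<pan>\d{12,19})=(?P<exp>\d{4})(?P<svc>\d{3})(?P<disc>\d*)$")


def parse_track2(track2):
    """Split a Track 2 string into its fields; raises on malformed input."""
    m = TRACK2_RE.match(track2)
    if not m:
        raise ValueError("malformed Track 2 data")
    fields = m.groupdict()
    # Assumption: the verification value occupies the last three discretionary digits.
    fields["cvv"] = fields["disc"][-3:] if len(fields["disc"]) >= 3 else ""
    return fields


def build_track2(pan, exp, svc, pvki="1", pvv="0000", cvv="000"):
    """Assemble a Track 2 string for constructed test data."""
    return f"{pan}={exp}{svc}{pvki}{pvv}{cvv}"


def authorize_swipe(track2, issuer_db, check_cvv=True):
    """Issuer decision for a magnetic-stripe (swipe) authorization.

    check_cvv=False models the weak issuer described in the report: the
    verification value is not validated, so a stripe carrying the iCVV passes.
    """
    t = parse_track2(track2)
    rec = issuer_db.get(t["pan"])
    if rec is None:
        return "decline:unknown-card"
    if t["exp"] != rec["expiry"]:
        return "decline:expiry-mismatch"
    if not check_cvv:
        return "approve:cvv-not-checked"
    if t["cvv"] == rec["cvv"]:
        return "approve"
    if t["cvv"] == rec["icvv"]:
        # Chip-only value seen on a stripe: consistent with EMV-bypass cloning.
        return "decline:icvv-on-stripe"
    return "decline:cvv-mismatch"


if __name__ == "__main__":
    genuine = build_track2("4000001234567899", "2512", "201", cvv="123")
    suspect = build_track2("4000001234567899", "2512", "201", cvv="456")
    print("genuine stripe, CVV checked:   ", authorize_swipe(genuine, ISSUER_DB))
    print("chip data on stripe, checked:  ", authorize_swipe(suspect, ISSUER_DB))
    print("chip data on stripe, unchecked:", authorize_swipe(suspect, ISSUER_DB, check_cvv=False))
```

The 'decline:icvv-on-stripe' outcome is worth surfacing as its own reason code in authorization logs, since a cluster of such declines against one merchant or terminal is a useful early indicator of shimmer activity.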

[1] https://geminiadvisory.io/cybercriminals-deploy-emv-bypass-cloning/

POS Malware Injector

Reportedly with the ability to scan point-of-sale (POS) networks for vulnerabilities, or, seemingly, just joining a wireless network and discovering POS devices, the 'Prilex POS Malware Injector' is supposedly able to capture payment card data by 'inject[ing] malware files' (Figure 7).


Figure 7 - Prilex POS Malware Injector

Given there is no mention of what these 'malware files' might be, or if they exploit a specific POS system, attempts were made to gather additional intelligence through a covert interaction with the threat actor via Telegram. Other than confirming the features advertised on the website and explaining that 'payloads' were not required as the "software connects to wireless connection and detects payment terminals connected via G[PR]S or Wi[-]FI" (Figure 8), the only proof of the software's validity and capability is a 'customer' video (Figure 9).


Figure 8 - Covert interaction with Prilex via Telegram


Figure 9 - 'Customer' video showing 'Prilex POS Malware Injector' in use

Notably, this video is shared by the Prilex channel administrator within their Telegram group, rather than by an alternative, verifiable identity, and appears to show the 'customer' connecting to, and locating POS devices on, a retailer's public wireless network.

Visually, in many ways, this tool is similar to 'Freq GSM Scanner', an ATM skimmer offered for sale by FraudMechanics (Figure 10).


Figure 10 - FraudMechanics 'Freq GSM Scanner'

As with Prilex, 'customer' videos are offered as proof of the tool's validity although, despite supposedly being a GSM scanner, the tool appears to connect to a named bank network before capturing customer payment card data (Figure 11).


Figure 11 - 'Customer' video showing 'Freq GSM Scanner' in use

Furthermore, whilst the sale of equipment to intercept GSM signals used by POS terminals has been observed in the past, attacks against ATMs are typically conducted with skimmer hardware.

Casting further doubt on the legitimacy of these tools, payment card data observed in two of these 'customer' videos, demonstrating data acquisition in July 2020 and shared to the Telegram channel in August 2020, were shared within an unrelated 'carding' channel in April 2020.

Given the lack of any obvious connection between the original source of these payment cards and Prilex, or the associated websites, and the unlikely situation of the same card holder being compromised on multiple occasions, a likely hypothesis is that these tools are using fake data to appear legitimate and 'scam' would-be fraudsters.

This hypothesis is further supported by third-party posts, and Telegram channel names, in which it is claimed that Prilex and the associated identities are conducting a 'scam' or are, to use common underground terminology, a 'ripper' (Figure 12).


Figure 12 - Claims of being scammed (Inset: Telegram channels)

Current Samples

Given that the nefarious software offerings provided by the domains associated with the 'new' Prilex threat actor or group appear to be fake, samples of these do not appear to be readily available.

Conversely, samples related to the 'original' Prilex ATM threat do appear throughout the year although these cannot be attributed to any specific campaign or malicious activity.

Basic analysis of these samples confirms that they remain structurally identical to early Prilex threats developed in Microsoft Visual Basic 6, as determined by comparing a sample with a recent compilation timestamp versus samples detected in 2017, and utilize the same Visual Basic classes, modules and form.

This analysis, combined with the high detection rate by antivirus solutions, as a variant of 'Trojan/Win32.Prilex', and the apparent lack of updates or failure to protect the malicious binary through the use of a 'cryptor' or 'packer' suggests that these samples, albeit with updated compilation timestamps, do not pose a credible threat and may be a result of old samples being traded on underground sites or security researcher activity.

Whilst recent 'chatter' on underground forums or sites related to Prilex is limited, a post to the Tor hidden service message board 'Dread' was detected on 23 July 2020 and seemingly offered Prilex amongst a list of other ATM threats (Figure 13).


Figure 13 - Dread post (hxxp://dreadytofatroptsdj6io7l3xptbet6onoyno2yv7jicoxknyazubrad.onion/post/6bd348caf476949713f2)

Given that this ATM malware is reportedly offered free of charge, it is unlikely that the samples would be current or credible threats, especially given that these would command a high price in the appropriate circles. As such, posts of this nature may be used to solicit communications that entrap or scam respondents, as well as leading to new samples of old threats appearing in malware repositories such as VirusTotal.

Indicators Of Compromise

The following 'original' Prilex samples have been recently observed and confirmed as being similar to the original threats detected in 2017:

  • b3af54f8ea2e08f9ef4069fa4f87f22960cbb84519a1a86487acb82214f0995a
  • 420f7c58d4d59e35a44397522878a8d30ac36627c91528b123622950fb6a34ae
  • 605481bd2e37f0212637653273d866a3c47ee72cfde7207d915ffe6e5093b28e
  • 5cc18fa2204e0bee1f70b53af1fabe03ecce2b2b5e8baecb6fcfc76d2e8395c7
  • b6eb726c5418977e35fd7da96bc38da20cbc60111c88963ee7aec794d6bebb87
  • 7405d88639e4599a3796dc438f50c0390654216340d235edc76442e550a58700
  • 12fce28ba44652f4fbfe505b30e37c8383adbb9520a0134f09930370c16ea594
  • fa1b4c8fd2df1252da3eb7e1aa25c86830399962600566713047a9f70e043f5b
  • 669bc5b9995b1cd76e5fb59925158c25c8da7ab9b6a5650088757ad5d730b223

Original 2017 Samples:

  • 77f99b6e6aa603a4e416ce09864ff0b8815987e56f9c31c609586017e1260027
  • d10a0e0621a164fad0d7f3690b5d63ecb9561e5ad30a66f353a98395b774384e
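For teams that want to sweep a quarantine folder or malware repository for the indicators above, the following Python is an added example written for this post, not tooling from the investigation. The SHA-256 list is copied from the indicators above; the VB6 heuristic is an assumption based on two markers that compiled Visual Basic 6 executables carry (an import of MSVBVM60.DLL and the 'VB5!' runtime header signature) and is only a triage hint, not a detection on its own. The stand-in sample bytes are constructed and are not a real Prilex binary.

```python
import hashlib
import os

# SHA-256 indicators from this post (recent 'original' Prilex samples plus the
# two 2017 reference samples).
PRILEX_SHA256 = {
    "b3af54f8ea2e08f9ef4069fa4f87f22960cbb84519a1a86487acb82214f0995a",
    "420f7c58d4d59e35a44397522878a8d30ac36627c91528b123622950fb6a34ae",
    "605481bd2e37f0212637653273d866a3c47ee72cfde7207d915ffe6e5093b28e",
    "5cc18fa2204e0bee1f70b53af1fabe03ecce2b2b5e8baecb6fcfc76d2e8395c7",
    "b6eb726c5418977e35fd7da96bc38da20cbc60111c88963ee7aec794d6bebb87",
    "7405d88639e4599a3796dc438f50c0390654216340d235edc76442e550a58700",
    "12fce28ba44652f4fbfe505b30e37c8383adbb9520a0134f09930370c16ea594",
    "fa1b4c8fd2df1252da3eb7e1aa25c86830399962600566713047a9f70e043f5b",
    "669bc5b9995b1cd76e5fb59925158c25c8da7ab9b6a5650088757ad5d730b223",
    "77f99b6e6aa603a4e416ce09864ff0b8815987e56f9c31c609586017e1260027",
    "d10a0e0621a164fad0d7f3690b5d63ecb9561e5ad30a66f353a98395b774384e",
}


def sha256_of(data):
    """Hex SHA-256 of a byte string."""
    return hashlib.sha256(data).hexdigest()


def looks_like_vb6(data):
    """Assumption-based heuristic: VB6-compiled PE files import MSVBVM60.DLL
    and carry the 'VB5!' signature at the start of the VB runtime header."""
    return data[:2] == b"MZ" and b"MSVBVM60.DLL" in data and b"VB5!" in data


def triage(data, iocs=PRILEX_SHA256):
    """Hash match against the IOC set plus the VB6 structural hint."""
    digest = sha256_of(data)
    return {"sha256": digest, "ioc_match": digest in iocs, "vb6_like": looks_like_vb6(data)}


def scan_directory(path, iocs=PRILEX_SHA256):
    """Triage every regular file under path; returns {file_path: triage_result}."""
    results = {}
    for root, _dirs, files in os.walk(path):
        for name in files:
            file_path = os.path.join(root, name)
            with open(file_path, "rb") as fh:
                results[file_path] = triage(fh.read(), iocs)
    return results


# Constructed stand-in: only the two VB6 markers inside an 'MZ' prefix, so the
# heuristic fires while the hash (correctly) matches nothing in the IOC set.
FAKE_VB6_BYTES = b"MZ" + b"\0" * 62 + b"VB5!6&*" + b"\0" * 16 + b"MSVBVM60.DLL\0"

if __name__ == "__main__":
    print(triage(FAKE_VB6_BYTES))
```

Files that are VB6-like but do not match any listed hash are the interesting ones for analysts following this post's hypothesis: a recompiled build of the old code base would fail the hash check yet still share the structure described in the 'Current Samples' section, so such hits deserve a closer comparison against the 2017 reference samples.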

Appendix A: Product Descriptions

For reference, the following text is used by the threat actors to describe each of their 'products' offered for sale.

Prilex EMV Software

Software Abilities:
Encode/Read/Write/Erase/Duplicate EMV
Acquire Accurate SDA and DDA Encryption

Development Notes:

Functioning with over 20 Different EMV Writers
Used with 1 Encryption code for functionality.
Updated frequently to combat Patches from Banks.

Price: 3500 USD

Recent Articles :
hxxps://www.zdnet.com/article/german-bank-loses-eur1-5-million-in-mysterious-cashout-of-emv-cards/

FraudMechanics EMV IK Software

Software Abilities:
Read Emv Details
Write Emv Details
Copy Emv Details
Erase Emv Details
Retrieve Accurate SDA and DDA Encryption Code for Success of Cash out

Software Writer Support:
ALL EMV Writers.
Tested with over 20 Different EMV Writers

Price: 3,000.00 USD
Created and Programmed by FraudMechanics[.]com Engineers.

PAYMENT METHOD:
To secure anonymity for both us and the customer, we will only accept BITCOIN at this time.

POLICY:
Once payment is confirmed we will provide a secret Link to customer and once we receive confirmation of download, we will provide Encryption Code to use EMV IK Chip Software.

NOTE:
This software cannot be duplicated and made for resale. We have encrypted the software to only be used with the License key we provide.

If we detect any particular customer intent of Duplicating or using software on multiple devices we will suspend License key.

Prilex Malware Injector

This software is used to Scan Vulnerabilities and Connect directly with wireless connections and scan for POS Devices.
This software is widely known for its ability to Hack successfully into POS Devices.

Data will be presented in Format:
T1, T2, PIN,EMV , DATE

POS:
Software is able to inject malware files into Wireless POS Systems of any kind and has a re-forward function for new results.
This has consistently been our reason for it being our top seller.

Latest Version:
1.7
Computer Requirements:
Processor: 1 gigahertz (GHz) or faster processor or SoC.
RAM: 500 (MB) for 32-bit or 2 GB for 64-bit.
Hard disk space: 700 MB for both 64-bit and 32-bit OS.
Graphics card: DirectX 9 or later.
PRICE: $3500 USD
Payment Method: Bitcoin

Note: WE ARE THE ONLY SELLERS OF THIS SOFTWARE, DO NOT PURCHASE SOFTWARE OF OURS FROM OTHER VENDORS. WE ONLY SUPPLY A LICENSE CODE TO LOG IN TO THE SOFTWARE. THIS LICENSE CODE IS ONLY USED WITH CUSTOMERS WHO HAVE PURCHASED. THE ENCRYPTION KEY IS USED WITH A SYSTEM.

Prilex DDoS Service

DDOS Service:

We are able to DDOS any website, even those with Layer 7 Protection. We use many created advanced scripts and several other necessary tools to target websites you need taken down. If there is a message you would like to relay, we can help you!

We however do not target the following:
-Police Websites
-Government Websites

Many of our customers use this service to stop Defamation when people continue to ignore you, we will make sure you are heard!

ClonedCards[.]com

Hello, We are now Offering Dumps and Pins and Cloned Cards to the Public.

Prices:

Dumps and Pins 101 $350
Dumps and Pins 201 $550

Cloned Cards 101 $600
Cloned Cards 201 $750

We Ship via DHL/Fedex/USPS and may take between 2-3 Business Days
We only Accept Bitcoins and we are no longer looking for partners.

For further Purchase Contact @ClonedCardsOFFICIAL

We will be regularly posting updates here including Customer Videos and Results!!!
