Prilex is a trojan written in Visual Basic 6.0 and used to steal information from ATMs. It was used in a highly targeted attack against a Brazilian bank to gather information on all the users of that ATM. It currently works on only one brand of ATM, indicating that the threat actors analyzed this brand and customized the trojan for it. It works by hooking certain dynamic link libraries (DLLs) and displaying its own application screens on top of the machine's legitimate screens. Once the machine is infected, the trojan runs alongside the banking application so that the legitimate account security code screen is replaced with the trojan's fraudulent screen. This code is used as a two-factor authentication (2FA) method to protect ATM and online transactions. Once the code is entered, the trojan captures and stores it. The attackers exfiltrate the bank card numbers and security codes over the internet to a remote C2 server. The attackers likely sell the bank card numbers rather than stealing funds directly from the ATM.
Reporting and Technical Details:
- October 2017: Latin American ATM Thieves Turning to Hacking (Threatpost)
- December 2017: Dissecting PRILEX and CUTLET MAKER ATM Malware Families (Trend Micro)
Image Source: Trend Micro