Prilex Group: Malware Collects Bank Card Data to Perform Fraud


By Caique Barqueta: Brazil is among the countries that suffer the most cyber attacks in the world, a scenario that has worsened after the pandemic and the global moment related to the armed conflict between Ukraine and Russia.

Staying up to date on the main threats in Brazil is increasingly important: it lets you stay one step ahead of potential attacks and act more quickly and efficiently to detect them and avoid the incidents, damage and losses they cause.

Below, we list the top recurring cyber threats identified by ISH's Heimdall Intelligence team.  

Cobalt Strike

We have detected 1768 servers making malicious use of Cobalt Strike. Cobalt Strike is a toolkit that lets attackers deploy "beacons" on compromised devices to perform remote network surveillance or execute commands.

Below you can see the distribution on the map:

Figure 1 - Cobalt Strike distribution

SSH Brute Force

We detected, in the same period, 2180 threats of the SSH Brute Force type. SSH is used for remote logins, command execution, file transfers, and more. In an SSH brute force attack a threat actor tries to log in with common usernames and passwords on many servers until one attempt succeeds.

Below you can see the distribution on the map:

Figure 2 - SSH Brute Force Deployment

IP Addresses

Another key trace that threat actors leave behind is their IP address. It is very valuable information for tracking and studying threat actors, and for protecting yourself by blocking the domains and IP addresses considered malicious.

ISH collects and analyzes the malicious activity of these top offenders on a daily basis, as shown in the figures below: from 10/01 to 11/01 we collected and analyzed 52,667 malicious IP addresses, which were promptly shared with customers via MISP.

Figure 3 - Geolocation of malicious IP addresses handled in the GTI
Figure 4 - Event in MISP related to malicious IP addresses

After presenting the main threats, vulnerabilities and malicious addresses, we at ISH address one more threat that has returned, this time as point-of-sale (PoS) malware: Prilex.

Prilex Malware

The threat actor known as Prilex has been active since mid-2014; its malicious samples and artifacts were aimed at performing credit card fraud. In 2016, a campaign targeting ATMs in Brazil was identified and linked to the group.

In 2017, this threat actor shifted from ATM attacks to attacks on Point of Sale (PoS) devices, i.e., the machines used to accept credit and debit card payments.

Main campaigns

The agents' first identified campaign was in 2014, when they hit hundreds of ATMs across Brazil. The agents used a blackbox device configured with a 4G USB modem to remotely control the machine. This blackbox was physically attached to the ATM and its real purpose was to serve as a backdoor with an intent to hijack the machine's wireless connection and target the other ATMs that were on the same network segment.

In 2017, another campaign was identified, this time not on ATMs, but on point-of-sale systems. Agents intercepted transactions to capture the cryptogram used in the EMV transaction and perform a replay attack. The malware was able to capture Track 2 data and card details that were later forwarded to the group's C2 servers.

In mid-July 2020, another campaign by the group was located, this time aimed at providing the malicious POS software to other malicious actors, who purchased the malware and used it as a kind of MaaS (Malware-as-a-Service).

How the group operates

Regarding Prilex's modus operandi for ATM-type devices, the use of a network-connected "blackbox" was identified that allowed the attacker to install the malware on computers remotely. In this type of attack, the agents knew the administrator login credentials, suggesting a possible "Insider" within the affected financial institutions.

With the new attack method, based on malicious point-of-sale (PoS) software, the malicious actors contact companies that use a certain service, claim to be software support, and ask the victims to install a critical update on the system.

The installed "update" is in fact remote connection/administration software, such as TeamViewer or AnyDesk, which gives the malicious agent the ability to remotely control the system.

After that, they hook the functions used by the software that manages card transactions, in order to capture and modify the data exchanged between the software and the pinpad. This type of attack has two versions with different fraud methods:

  • Collect the transaction cryptogram to perform replay attacks.
  • Generate new card cryptograms that will be used later by the attackers.

Figure 5 - Example of a PoS malware attack

After the information is collected, the affiliates of this threat actor receive it through an application called "Daphne," used to clone cards, and are also given access to a database containing card numbers.

The threat actors have a site on the Deep Web to sell the malware, as shown in the image below.

Figure 6 - Prilex portal on the Tor network

In the description of the malware offered by the group, they state that the tool they developed can clone cards, which can then be used for cash withdrawals and various purchases.

Another offering from the group is the sale of compromised POS machines, i.e. card readers fitted with "shimmers" inserted into the machine. The shimmer has an embedded microchip that captures and stores credit and debit card data every time a person uses his or her card to make a payment or withdraw money.

The data read from the card chip is stored on the device and then sent out directly via SMS, so the device can be controlled remotely.

DDoS attack service

The threat agent Prilex also offers on its site a DDoS (Distributed Denial of Service) attack service, i.e., a user can order DDoS attacks, contacting the agents directly to use the service.

How "POS" devices work

A POS device is connected to a computer, which can be an ordinary computer or one running a POS-specific operating system, with POS software installed on it, possibly from the vendor that created the device. The software can read the information from the payment card swiped at the POS device, extract data such as card number and expiration date, and even validate the card by connecting to the payment processing server.

This works because information is stored on our payment cards in a specific way. The payment card has a magnetic stripe divided into three tracks: 1, 2 and 3. These tracks contain various types of information such as the primary account number, cardholder name, expiration date, and other data necessary to complete the payment.

For example, track 1 on the card has the format illustrated below. For better understanding, we have created a table identifying each field:

  %      Start sentinel: indicates the beginning of track 1.
  B      Format code: indicates a credit or debit card.
  PN     Primary account number (PAN); can contain up to 19 digits.
  ^      Separator.
  LN     Cardholder's last name.
  /      Separator.
  FN     Cardholder's first name.
  ^      Separator.
  YYMM   Expiration date of the card, in year and month format.
  SC     Service code.
  DD     Discretionary data.
  ?      End sentinel: indicates the end of track 1.

The track data should appear as follows: %B12345678901234^ULTIMONOME/PRIMEIRONOME^2203111001000111000000789000000?

With this, the POS software can read this information from the card that is swiped in the device and store the information in its virtual memory. It then uses this information stored in memory to perform the payment process, which includes authentication followed by the transaction.
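To make the track 1 layout above concrete, here is an added example (not code from the article or from ISH) that parses a track 1 record into its fields using the field table, masks the PAN for safe logging, and runs a Luhn check on the PAN. The sample record is the placeholder string from the article; its 14-digit PAN is constructed demo data and, as the check shows, does not pass Luhn. The regular expression and the 26-character name limit are assumptions based on the common format B layout, not something the article states.

```python
import re
from dataclasses import dataclass

# Track 1 sample copied from the article; constructed demo data, not a real card.
SAMPLE_TRACK1 = "%B12345678901234^ULTIMONOME/PRIMEIRONOME^2203111001000111000000789000000?"

# Assumed track 1 format B layout: %B<PAN>^<LAST/FIRST>^<YYMM><SC><discretionary>?
TRACK1_RE = re.compile(
    r"^%B"                   # start sentinel + format code
    r"(?P<pan>\d{1,19})"     # primary account number, up to 19 digits
    r"\^"
    r"(?P<name>[^^]{2,26})"  # cardholder name, LAST/FIRST
    r"\^"
    r"(?P<exp>\d{4})"        # expiration date YYMM
    r"(?P<sc>\d{3})"         # service code
    r"(?P<dd>[^?]*)"         # discretionary data
    r"\?$"                   # end sentinel
)


@dataclass
class Track1:
    pan: str
    last_name: str
    first_name: str
    exp_year: int
    exp_month: int
    service_code: str
    discretionary: str


def luhn_ok(digits: str) -> bool:
    """Standard Luhn mod-10 check used to validate a PAN."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def parse_track1(raw: str) -> Track1:
    """Split a raw track 1 record into the fields listed in the article's table."""
    m = TRACK1_RE.match(raw)
    if not m:
        raise ValueError("not a well-formed track 1 record")
    last, _, first = m.group("name").partition("/")
    exp = m.group("exp")
    month = int(exp[2:])
    if not 1 <= month <= 12:
        raise ValueError("invalid expiration month")
    return Track1(
        pan=m.group("pan"),
        last_name=last,
        first_name=first,
        exp_year=2000 + int(exp[:2]),
        exp_month=month,
        service_code=m.group("sc"),
        discretionary=m.group("dd"),
    )


def mask_pan(pan: str) -> str:
    """Keep only the BIN (first 6) and last 4 digits; a log-safe form of the PAN."""
    if len(pan) <= 10:
        return "*" * len(pan)
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


if __name__ == "__main__":
    t = parse_track1(SAMPLE_TRACK1)
    print("PAN:", mask_pan(t.pan), "Luhn valid:", luhn_ok(t.pan))
    print("Holder:", t.first_name, t.last_name)
    print("Expires: %04d-%02d, service code %s" % (t.exp_year, t.exp_month, t.service_code))
```

The same masking and Luhn logic is useful on the defensive side: a DLP or log-scrubbing rule that only flags digit runs passing Luhn produces far fewer false positives than a bare regex, and masked PANs are what should ever reach a log file.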

Indicators of Compromise

MD5
23b5740cc655de46d5f46ffdb78a9da0
7ab092ea240430f45264b5dcbd350156
64464d5e9049375a8417497f387b73d7
5aba9e5407ce6e84d17aaf922a70e747
d130ef499a395a0cc53d750c2955a075
34fb450417471eba939057e903b25523
26dcd3aa4918d4b7438e8c0ebd9e1cfd
f5ff2992bdb1979642599ee54cfbc3d3
af063af98b5332792d8e611b239533e1
7ae9043778fee965af4f8b66721bdfab
ba3554dcce534ce15f88543fb864b4c2
5387f11dbc06260049a1a92d1912a160
1432980adc8c6b268a3c50803dbe295a
37894433ba79853954d3f5f1209dd1a
f9d5f011ac902d1eef129f3f6253147c
22dc6744cf0f0a361e5ed81f2f9f4712
570a09a349345fd6f2e615b9f3294b1
ac6d36647b90d7b4f9c3835620e1e0ae
92ce37c9d99bca5e3882027757f75c22
17c010884dc1b2b16446a2ed42c89ed5
SHA1
ba8fefbe6963f108fd331f25a9ca98d9026412b9
7fb775e50b2b9e0b6de4cb490bdf03881abe9260
927225fec81ac77265945e612c19428ac49070e7
f617627412d1225b62ceb0f0f518ce8bed0a96cc
1bf7777bb8fe517cc438d30a3c9c86980ac09517
9902e8e7adae0a1100d24f7ed6e609fad3ad0dcf
4493eb7428384c62611a7ca5cc5d5a378926c169
872397b3ac67821b1aa23cf6b4efaf9115b2d715
48cefb85cf40fbeb6ea11aeacd184bbeb23ee5f8
167375e0eb4ef26ca642ace014d2ad18c26eca1f
0067866ecd10cec791fa4b1af52e84825e5456cb
e47c2748f1d5a5410d184d8588e1027613fb2e45
SHA256
669bc5b9995b1cd76e5fb59925158c25c8da7ab9b6a5650088757ad5d730b223
0cf96b659642809cc968e491622becfa5e7e4f8f623b9bc27ad3f9241cb4ff35
90739b847406e362f73d49e48b8bf366276eea2ec750aa535b6ab6f3fadff294
b3af54f8ea2e08f9ef4069fa4f87f22960cbb84519a1a86487acb82214f0995a
605481bd2e37f0212637653273d866a3c47ee72cfde7207d915ffe6e5093b28e
5cc18fa2204e0bee1f70b53af1fabe03ecce2b2b5e8baecb6fcfc76d2e8395c7
a1ee1a386472493735f772e87e31c44bbacc058d37faade1a8ded4e2abb83939
36e1bde1c7e2acca43895799ec23e8a13cffa0dd52d0c72e888926971f2f2476
7e44f74993781edc47017a243be7bbe1ab3439f37760e50db29788f5646fcb57
cb74e08d23c70dde7f6efebfee49563e569ccfff1541c9d5d96842fc8e8926b3
5eff328e4227ffdddf1f018b56fc3d8d8d65fbfcddb60fa52aa523f160b739dd
92e9ee53617b649dc3d1f57183b727f0274607f17e372b4fe5d5880c587eaa66
Domains and URLs
daphne.ddns.com.br
daphne1.ddns.com.br
daphne2.ddns.com.br
daphne1.sytes.net
daphne2.sytes.net
newbackup3.sytes.net
newtefssh.sytes.net
prdxtefwork.sytes.net
samsystem.ddnsking.com
prdxboss3.ddns.net
prdxboss2.ddns.net
prdxboss1.ddns.net
prdxboss1.chickenkiller.com
http://prdxboss1.chickenkiller.com:10003
olddossys.mooo.com

Identifying Attacks on POS

Having described the Prilex threat agent in more detail, we now list some measures that can be adopted to identify PoS malware.

Malware can be identified by the set of APIs it uses, which can be observed through dynamic analysis of the malicious artifacts. At runtime the malware scans the memory of the POS software process, which it first has to locate among the running processes.

Most POS malware relies on the following API functions:

  • CreateToolhelp32Snapshot
  • Process32FirstW
  • Process32NextW
  • NtOpenProcess
  • ReadProcessMemory

In the API logs, you can see continuous calls to ReadProcessMemory after the NtOpenProcess call. This is because the memory blocks are read sequentially and then scanned for credit and debit card numbers, as in the following calls:

ReadProcessMemory([process_handle]0x000001A4, [base_address]0x00010000)
ReadProcessMemory([process_handle]0x000001A4, [base_address]0x00020000)
ReadProcessMemory([process_handle]0x000001A4, [base_address]0x0012D000)
ReadProcessMemory([process_handle]0x000001A4, [base_address]0x00140000)
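The pattern described above (process enumeration, NtOpenProcess, then a run of ReadProcessMemory calls on the same handle with increasing base addresses) can be turned into a simple triage rule over sandbox API logs. The following is an added example, not code from the article or from ISH: it parses call lines written in the same style the article quotes and flags handles that show the memory-scraping sweep. The log text is constructed for the demo; the argument names used for NtOpenProcess and the snapshot calls, and the threshold of four reads, are assumptions.

```python
import re
from collections import defaultdict

# Constructed API log in the style of the calls quoted in the article (not a real capture).
SAMPLE_API_LOG = """\
CreateToolhelp32Snapshot([flags]0x00000002)
Process32FirstW([snapshot]0x00000180)
Process32NextW([snapshot]0x00000180)
Process32NextW([snapshot]0x00000180)
NtOpenProcess([process_handle]0x000001A4, [pid]3120)
ReadProcessMemory([process_handle]0x000001A4, [base_address]0x00010000)
ReadProcessMemory([process_handle]0x000001A4, [base_address]0x00020000)
ReadProcessMemory([process_handle]0x000001A4, [base_address]0x0012D000)
ReadProcessMemory([process_handle]0x000001A4, [base_address]0x00140000)
ReadProcessMemory([process_handle]0x000001A4, [base_address]0x00400000)
NtOpenProcess([process_handle]0x000001B8, [pid]4488)
ReadProcessMemory([process_handle]0x000001B8, [base_address]0x7FFE0000)
"""

# One call per line: ApiName([arg]value, [arg]value, ...)
CALL_RE = re.compile(r"^(?P<api>\w+)\((?P<args>.*)\)$")
ARG_RE = re.compile(r"\[(?P<name>\w+)\](?P<value>0x[0-9A-Fa-f]+|\d+)")

# APIs the article lists as the usual process-search chain.
ENUM_CHAIN = {"CreateToolhelp32Snapshot", "Process32FirstW", "Process32NextW", "NtOpenProcess"}


def parse_call(line):
    """Return (api_name, {arg_name: value}) for one log line, or None if it does not parse."""
    m = CALL_RE.match(line.strip())
    if not m:
        return None
    args = {a.group("name"): a.group("value") for a in ARG_RE.finditer(m.group("args"))}
    return m.group("api"), args


def find_memory_scraping(log_text, min_reads=4):
    """Map process handle -> list of base addresses for handles that were opened with
    NtOpenProcess and then read at least min_reads times with ascending base addresses."""
    opened = set()
    reads = defaultdict(list)
    for line in log_text.splitlines():
        parsed = parse_call(line)
        if not parsed:
            continue
        api, args = parsed
        handle = args.get("process_handle")
        if api == "NtOpenProcess" and handle:
            opened.add(handle)
        elif api == "ReadProcessMemory" and handle in opened:
            reads[handle].append(int(args["base_address"], 16))
    findings = {}
    for handle, bases in reads.items():
        ascending = all(a < b for a, b in zip(bases, bases[1:]))
        if len(bases) >= min_reads and ascending:
            findings[handle] = bases
    return findings


def uses_process_enumeration(log_text):
    """True when every API of the enumeration-then-open chain appears in the log."""
    apis = {p[0] for p in map(parse_call, log_text.splitlines()) if p}
    return ENUM_CHAIN <= apis


if __name__ == "__main__":
    print("enumeration chain present:", uses_process_enumeration(SAMPLE_API_LOG))
    for handle, bases in find_memory_scraping(SAMPLE_API_LOG).items():
        print("sequential read sweep on handle %s: %d blocks from 0x%08X to 0x%08X"
              % (handle, len(bases), bases[0], bases[-1]))
```

Only the handle with the long ascending sweep is reported; the single read on the second handle stays below the threshold, which keeps ordinary debuggers and monitoring tools that touch one region of another process from tripping the rule. In a real deployment the same logic belongs in an EDR rule keyed on the process performing the reads and the name of the target (the POS software), not only on the call sequence.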

Finally, this shows the importance of monitoring the environment, especially to identify new threats. To that end, ISH monitors threats and the main threat groups every day and analyzes the malicious artifacts they use.

POS attack threat agents

Below we list the main malware modules used by the group in POS attacks, with a summary of their activities and identification tips.

  • Constantine: A backdoor used to manage infected machines and debug the malware in case of a problem. This backdoor has been in use since the first campaigns targeting ATMs.
  • PrilexATM: The main module used to dispense money from infected ATMs. To do this it uses three specific libraries (P32disp0.dll, P32mmd.dll and P32afd.dl).
  • Logus: A stealer-type malware designed to intercept and collect information exchanged between the payment device and the software, in order to capture card information.
  • Ghost: A variant of the Logus stealer; this version requests new valid cryptograms from the card instead of reusing the original one in a replay attack.
  • SendKernel/SendCab: An upload module used to send the stolen information to the operator's server.
