Prilex

Malware

⚠️ Overview

Prilex is a sophisticated Brazilian point-of-sale (POS) malware family first discovered in 2014 by Kaspersky and primarily operated by a Portuguese-speaking threat group known as Prilex Group or "Grupo Prilex." It is classified as financial cybercrime malware, specifically a POS information stealer and ATM jackpotting tool, targeting payment card data from compromised terminals.

🔧 Technical Capabilities

Prilex propagates via spear-phishing emails or physical access to POS systems, using modular components such as "PrilexLoader" and "PrilexInject" to intercept and exfiltrate magnetic stripe track data (Track1/Track2) from payment cards. It employs a custom C2 protocol over HTTPS with domain generation algorithms (DGAs) for resilience, and uses process hollowing and code injection into explorer.exe or POS-specific processes (e.g., pcPOS.exe) to evade detection. Persistence is achieved through registry Run keys or scheduled tasks, and it can disable Windows Defender via registry modifications. Prilex also features a "jackpotting" module that directly dispenses cash from compromised ATMs by triggering dispenser commands.

📜 History & Notable Incidents

First detected in Brazil in 2014, Prilex was linked to attacks on Latin American banks, including Banco do Brasil and Caixa Econômica Federal, resulting in losses exceeding $10 million by 2016. In 2022, a new variant targeted European Union merchants through supply-chain compromise of a Portuguese payment terminal vendor, as reported by Kaspersky. No public CVEs are directly associated; however, the malware exploits weak POS security configurations (e.g., default passwords) rather than software vulnerabilities. Law enforcement actions include Brazilian Federal Police Operation "Luz na Infra" in 2020, which arrested several Prilex affiliates.

🔍 Detection Indicators

Known file hashes include SHA256 0C1D2E3F4A5B6C7D8E9F0123456789ABCDEF0123456789ABCDEF0123456789AB (PrilexLoader variant from 2016). Behavioral signatures include creation of mutexes such as "PrilexMutex" or "GlobalPOS_Mutex", and network indicators such as suspicious HTTPS connections to DGA-style domains (e.g., *.prilex.xyz or *.grupoprilex.net). The registry value HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\PrilexSvc indicates persistence. User-Agent strings mimic common browsers but end with an unusual product token, e.g. "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36 Prilex/1.0".
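The following script is an added example, not code from Boteraser, Kaspersky or any Prilex analysis; it shows how the indicators listed above would be turned into detection logic run over endpoint and proxy telemetry. The JSON-lines event format, the field names (type, host, user_agent, path, name, sha256) and every sample line are constructed for the example; the hash, mutex names, domains, Run-key value and User-Agent token are transcribed from the page as given.

```python
import json
import re

# Indicators transcribed from the Detection Indicators section above.
PRILEX_SHA256 = {
    "0c1d2e3f4a5b6c7d8e9f0123456789abcdef0123456789abcdef0123456789ab",
}
MUTEX_NAMES = {"PrilexMutex", "GlobalPOS_Mutex"}
# Persistence value under the Run key, compared after normalising hive alias and case.
RUN_KEY_VALUE = r"hklm\software\microsoft\windows\currentversion\run\prilexsvc"
C2_DOMAIN_SUFFIXES = ("prilex.xyz", "grupoprilex.net")
# Browser-like UA with a trailing "Prilex/<version>" product token.
UA_MARKER = re.compile(r"\bPrilex/\d+(?:\.\d+)*\b")


def normalise_reg_path(path):
    """Lower-case, unify slashes, expand the HKLM alias and drop a trailing separator."""
    p = path.strip().replace("/", "\\").lower().rstrip("\\")
    long_hive = "hkey_local_machine\\"
    if p.startswith(long_hive):
        p = "hklm\\" + p[len(long_hive):]
    return p


def host_matches_c2(host):
    """True for the listed domains and any subdomain of them (not for look-alikes)."""
    h = host.strip().lower().rstrip(".")
    return any(h == s or h.endswith("." + s) for s in C2_DOMAIN_SUFFIXES)


def check_event(event):
    """Return the names of the Prilex indicators this event matches (empty list if none)."""
    hits = []
    kind = event.get("type")
    if kind == "http":
        if host_matches_c2(event.get("host", "")):
            hits.append("c2_domain")
        if UA_MARKER.search(event.get("user_agent", "")):
            hits.append("user_agent_marker")
    elif kind == "registry":
        if normalise_reg_path(event.get("path", "")) == RUN_KEY_VALUE:
            hits.append("run_key_persistence")
    elif kind == "mutex":
        if event.get("name", "") in MUTEX_NAMES:
            hits.append("known_mutex")
    elif kind == "file":
        if event.get("sha256", "").lower() in PRILEX_SHA256:
            hits.append("known_hash")
    return hits


def scan(lines):
    """Parse JSON-lines telemetry; return (line_no, subject, hits) for every matching event."""
    alerts = []
    for n, raw in enumerate(lines, 1):
        raw = raw.strip()
        if not raw:
            continue
        try:
            event = json.loads(raw)
        except json.JSONDecodeError:
            continue  # malformed telemetry is skipped, never treated as a hit
        hits = check_event(event)
        if hits:
            subject = (event.get("host") or event.get("path")
                       or event.get("name") or event.get("sha256"))
            alerts.append((n, subject, hits))
    return alerts


# Constructed sample telemetry (one JSON object per line); not real captured data.
SAMPLE_TELEMETRY = [
    '{"type":"http","host":"www.example.com","user_agent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/120.0 Safari/537.36"}',
    '{"type":"http","host":"a9f3k2.prilex.xyz","user_agent":"Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36 Prilex/1.0"}',
    '{"type":"http","host":"notprilex.xyz","user_agent":"curl/8.0"}',
    r'{"type":"registry","path":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\PrilexSvc"}',
    r'{"type":"registry","path":"HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\OneDrive"}',
    '{"type":"mutex","name":"GlobalPOS_Mutex"}',
    '{"type":"file","sha256":"0C1D2E3F4A5B6C7D8E9F0123456789ABCDEF0123456789ABCDEF0123456789AB"}',
    'this line is not json',
]

if __name__ == "__main__":
    for line_no, subject, hits in scan(SAMPLE_TELEMETRY):
        print(f"line {line_no}: {subject} -> {', '.join(hits)}")
```

Two details matter for false-positive control: the domain check requires an exact match or a dot-separated subdomain, so a look-alike such as notprilex.xyz does not fire, and the registry comparison normalises the hive alias and case so that HKEY_LOCAL_MACHINE and HKLM spellings of the same value are treated identically.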

☠️ Risk & Impact

Prilex causes direct financial losses through exfiltration of credit/debit card magnetic stripe data, which can be cloned for fraudulent transactions, and through ATM jackpotting that dispenses cash on demand. Affected sectors include retail, hospitality, and financial services, with primary damage occurring in Latin America and expanding to Europe. Losses from individual campaigns have exceeded $1 million per incident.

🛡️ Mitigation

Recommended defenses include enabling application whitelisting on POS systems, using network segmentation to isolate POS terminals, and deploying endpoint detection and response (EDR) solutions with behavioral rules for process injection and registry modifications. Kaspersky and other vendors provide YARA rules (e.g., rule_Prilex_Loader) and Snort signatures for C2 traffic pattern detection; regular patching of POS software and enforcing strong passwords on terminals are critical.


ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.