Dissecting PRILEX and CUTLET MAKER ATM Malware Families

by David Sancho and Fernando Merces

For a while now, Trend Micro has focused its efforts on covering ATM malware, especially new families that come up with features that stealthily target banking customers. In this blog post, we’re going to cover two that have recently come to our attention: Prilex and Cutlet Maker. Each of them is interesting in their own right, but for different reasons.

PRILEX – A highly targeted malware that hijacks a banking application

How would a targeted attack against an automated teller machine (ATM) go if the attackers knew everything about that machine?

Prilex malware steals the information of the infected ATM’s users. In this case, it was a Brazilian bank, but consider the implications of such an attack in your region, whether you’re a customer or the bank.

The malware family called Prilex was first reported by Kaspersky in October 2017. We dissected this malware and found something very atypical: It works by hooking certain dynamic-link libraries (DLLs), replacing it with its own application screens on top of others. These are the external DLLs it affects:

P32disp0.dll
P32mmd.dll
P32afd.dll

During our thorough search of information about these DLLs on the internet, we couldn’t find anything. Given that the strings found in this malware were all in Portuguese (and since Kaspersky reported that it was found in Brazil), we asked our banking contacts in the region. We found that those DLLs belong to the ATM application of a bank there. This was shaping up to be a highly targeted attack. On top of this, the malware only affects a specific brand of ATM, which means the attackers had possibly analyzed one of them and created a customized attack.

The method of attack, otherwise, is straightforward. Once the machine has been infected, the malware operates jointly with the banking application so that when it displays the screen asking the user for their account security code, the screen is replaced by the malware. This code is a two-factor authentication method commonly used in Brazil to protect ATM and online transactions. Once the user enters this code, the malware captures it and stores it.

Figure 1. Display screen asking for account security code

In our analysis of the code, we noticed something interesting that happens at some point after it steals data: The malware tries to communicate with a remote command-and-control (C&C) server and upload both credit card data and the account security code. To our knowledge, this is the first ATM malware that assumes it is connected to the internet. It is likely that this bank’s ATMs are connected, since the attackers seem to be very familiar with this particular bank’s methods and processes.

This is one of the few ATM attacks that aim to steal user information as opposed to just jackpotting the machine. It’s likely that a criminal gang that deals with bulk credit card credentials and monetizes them some other way is behind the attack. Prilex is a hyper-targeted attack against a Brazilian bank. As such, we don’t expect it to be detected anywhere else in the world.

There is something more important to be learned from Prilex, though. Any bank is subject to have their methods and processes analyzed by criminals and then later abused with highly targeted attacks. It’s concerning, and something that is worth looking into if you’re trying to defend your ATM infrastructure. Jackpotting attacks are very notorious, but a silent attack like this can go unnoticed for months, if not years. These days, setting monitoring tools and protections in place should be, in our opinion, mandatory.

A targeted malware likely took significant time and resources to develop. This shows that in today’s world, criminals consider that a worthwhile investment. Gone are the days when banks were seen as unassailable—now they are simply the biggest fish in the sea. It is not easy to kill a whale, but it is possible—and doing so allows an attacker to eat for a long time.

Key Points On Prilex:

Prilex hijacks a banking application.
Prilex robs user input and card information and sends it to a C&C server.
Prilex targets a single Brazilian bank exclusively.
The criminals have dissected and analyzed the target ATM.
Prilex is written in Visual Basic 6.0 (VB6).

CUTLET MAKER – ATM malware offered in the underground

Cutlet Maker is an ATM malware designed to empty the machine of all its banknotes. Interestingly, while its authors have been advertising its sale, their competitors have already cracked the program, allowing anybody to use it for free.

We have seen this kind of ATM malware before, but what makes this one stand out? Technically, it’s a run-of-the-mill program with a mildly amusing user interface. In fact, Cutlet Maker was designed to run from a USB memory stick. The criminals responsible for it advertise this particular feature in a video, where they just open an ATM, uncover a USB port, and attach a memory stick and an external keyboard. From there, they run the program. But there’s more to it.

When this story first broke in the media, the price for this service was high. The key point for the criminals was to protect access to the jackpotting features, thereby keeping their business plan alive. After all, providing unrestricted access to the program’s jackpotting features would affect the criminals’ bottom line.

Every time the program runs, it creates and displays a code. The user then needs to contact the developers and provide this code. After receiving payment, the developers provide the license code that unlocks the program’s jackpotting feature. No payment, no jackpotting. This happens every time the criminals try to use Cutlet Maker against a different ATM.

Figure 2. Cutlet Maker being offered on the deep web

Careful examination reveals that the license code is not time-based, it’s just an algorithm. This is a fancy way of saying that the same input would yield the same output. Some other criminal realized this and, at some point, created a standalone program that’s similar to a classic key generator or ‘keygen’ that automatically calculates the return code. The code is available on the internet and relatively easy to find. This means that anybody can start victimizing ATMs without having to pay for the program—or at least ATMs with an accessible USB port.

Technically, the malware is not complex. It just relies on the Diebold Nixdorf DLL (CSCWCNG.dll) to send commands to send commands to the ATM’s dispensing unit.

Other criminals have started to sell this version of the tool, along with the keygen, for a much lower price compared to what the original developers’ price. It seems Honor among thieves is out the window.

So far, it seems the original developers do not have a response. Instead of creating a new ‘improved’ version of the tool that is licensed with a different algorithmic code, they just crossed their fingers hoping that nobody finds out about their competitors.

The bottom line of Cutlet Maker seems to be the following: “Robbing ATMs is profitable. Pirating software is profitable. Doing both things is doubly so.”

Key Points On Cutlet Maker:

Cutlet Maker is a flexible standalone application for emptying the ATM’s safe.
Cutlet Maker is designed to be run from a USB drive. It doesn’t technically infect the ATM.
Cutlet Maker is being sold on the Russian underground with a “per use” license.
The license code is algorithmic. Each time it runs, the system generates a number. The user then orders a license code on a website for that specific run.
Somebody reversed the algorithm and wrote a free license keygen.
Both versions are concurrently in the market. The “cracked” version is cheaper.
Target ATM is Wincor Nixdorf (now Diebold Nixdorf).
Cutlet Maker is highly obfuscated with VMProtect.

Hashes related to the malware (SHA256):

PRILEX (Detected as BKDR_PRILEX.A) :