The Brazilian threat actors behind an advanced and modular point-of-sale (PoS) malware known as Prilex have reared their head once again with new updates that allow it to block contactless payment transactions.

Russian cybersecurity firm Kaspersky said it detected three versions of Prilex (06.03.8080, 06.03.8072, and 06.03.8070) that are capable of targeting NFC-enabled credit cards, taking its criminal scheme a notch higher.

Having evolved out of ATM-focused malware into PoS malware over the years since going operational in 2014, the threat actor steadily incorporated new features that are designed to facilitate credit card fraud, including a technique called GHOST transactions.

While contactless payments have taken off in a big way, in part due to the COVID-19 pandemic, the underlying motive behind the new functionality is to disable the feature so as to force the user to insert the card into the PIN pad.

To that end, the latest version of Prilex, which Kaspersky discovered in November 2022, has been found to implement a rule-based logic to determine whether or not to capture credit card information alongside an option to block NFC-based transactions.

“This is due to the fact that NFC-based transactions often generate a unique ID or card number valid for only one transaction,” researchers said.

Should such an NFC-based transaction be detected and blocked by the malware installed on the infected PoS terminal, the PIN pad reader displays a fake error message: “Contactless error, insert your card.”

This leads the victim to use their physical card by inserting it into the PIN pad reader, effectively permitting the threat actors to commit fraud. Another new feature added to the artifacts is the ability to filter credit cards by segments and craft rules tailored to those tiers.

“These rules can block NFC and capture card data only if the card is a Black/Infinite, Corporate or another tier with a high transaction limit, which is much more attractive than standard credit cards with a low balance/limit,” the researchers noted.

“Since transaction data generated during a contactless payment are useless from a cybercriminal’s perspective, it is understandable that Prilex needs to force victims to insert the card into the infected PoS terminal.”