KEY FINDINGS
- Chinese actors are behind the Silent Skimmer campaign, which targets online payment businesses in APAC and NALA regions.
- The campaign exploits known vulnerabilities and compromised web servers for initial access.
- The attacker deploys payment scraping tools on infected sites to retrieve sensitive financial data.
- The campaign targets companies from diverse industries and sectors, including e-commerce platforms and POS (point of sales) systems providers.
- The attacker is technically skilled and has readjusted its C2 infrastructure per the victims’ geolocation.
The Blackberry Research and Intelligence Team recently detected a new payment card skimming campaign targeting online payment businesses in the APAC (Asia-Pacific) and NALA (North America and Latin America) regions.
This campaign has been active for a year and is still ongoing. Researchers believe Chinese actors are behind it based on evidence that the attacker is from the APAC region and is proficient in the Chinese language.
Dubbed Silent Skimmer, the campaign seems financially motivated. The adversary exploits known vulnerabilities and compromised web servers for initial access, eventually deploying payment scraping tools as the final payload on infected sites to retrieve sensitive financial data.
Initially, the campaign’s scope was limited to companies in the APAC region, but from October 2022, the attacker expanded it to Canada and North America.
In their blog post, Blackberry researchers mentioned a sudden surge in attacks since May 2023. The attacker exploited a vulnerability that the Chinese cybercrime group Hafnium and Vietnamese XE Group earlier exploited in their cyber espionage campaigns.
Organizations from diverse industries and sectors are targeted in Silent Skimmer. The attacker accesses the payment pages of web apps and sites to deploy malware (web skimmer) and steal credit card numbers and billing data of online buyers. They then exfiltrate the data via Cloudflare.
Regarding the TTPs (tactics, techniques, and procedures) adopted by this actor, researchers noted that all the tools and payloads are hosted on an HTTP File Server controlled by the actor.
This server is deployed on a temporary VPS (virtual private server), the location of which aligns with the attacker’s suspected location. Moreover, this actor exploits a .NET deserialization flaw tracked as CVE-2019-18935 for remote execution of code on their targeted servers. It was detected in the Progress Telerik UI for ASP.NET AJAX.
The payload executes the code from a remote location to deploy a PowerShell script, which is a RAT (remote access tool), to perform numerous functions such as collecting system information, searching/downloading/uploading desired files, connecting to a database, etc. This RAT connects to a server that boasts a range of tools such as remote access scripts, downloader scripts, webshells, Cobalt Strike beacons, and exploits, along with a Fast Reverse Proxy tool that lets attackers expose local servers from behind a NAT.
The targets so far have been individual websites. This actor prefers using tools developed by GitHub user ihoney. Blackberry researchers dubbed the actor technically skilled, probably as skilled as Magecart hacking groups, because of several observations.
The actor readjusted its C2 infrastructure per the victims’ geolocation and used VPS as C2 servers for new targets. Each C2 server remains online for less than a week and is located in the victim’s country/region to evade detection as the traffic from compromised servers will blend in with local traffic.
The campaign is currently active.
RELATED ARTICLES
- Chinese Group Storm-0558 Hacked European Govt Emails
- Chinese APT Flax Typhoon uses legit tools for cyber espionage
- Chinese Hackers Stole Signing Key to Breach Outlook Accounts
- Chinese Hackers Using Stolen Ivacy VPN Certificate To Sign Malware
- Chinese APT Slid Fake Signal, Telegram Apps onto Official App Stores