A Chinese-speaking threat actor that has been skimming credit card numbers off ecommerce sites and point-of-sale service providers in the Asia/Pacific region for more than a year has begun aiming at similar targets in North and Latin America as well.
In a series of attacks since at least May 2023, the adversary has exploited vulnerabilities in Web applications — including one vulnerability that China’s Hafnium group has used in cyber espionage campaigns — to gain access to sites belonging to organizations across multiple industry sectors. The primary goal in these attacks is to gain access to the payment pages on these sites and drop malware for stealing card numbers belonging to people making online purchases.
The Silent Skimmer Campaign
Researchers from BlackBerry discovered the campaign and are tracking it as “Silent Skimmer.” In a blog post this week, they described the campaign as technically complex and one that might well involve an advanced or experienced threat actor.
Card-skimming attacks are certainly not new. A loose collection of hacking groups that researchers have been tracking as Magecart have for years, in fact, been successfully stealing payment card data belonging to hundreds of millions of online shoppers around the world. In many of these attacks, the threat actors have targeted vulnerabilities in third-party software components and plug-ins — such as page view counters and visitor tracking widgets — and injected card skimming code into them.
Hundreds of thousands of e-commerce sites have been victim to Magecart attacks in recent years, including British Airways, Ticketmaster, Newegg, and numerous others.
The operator of the Silent Skimmer campaign has been opportunistically exploiting vulnerabilities in Web-facing applications to gain initial access to websites. Many of the sites the threat actor was attacking were hosted on Microsoft’s Internet Information Services (IIS) Web server software. One of the vulnerabilities the threat actor has exploited in its campaign is CVE-2019-18935, a critical remote code execution bug in Telerik UI, a suite of components and Web development tools from Progress Software. Among the groups that have used the bug in their campaigns is China’s Hafnium group and Vietnam’s XE Group.
If the target Web service has write permissions enabled, the exploit uploads a malicious dynamic link library (DLL) to a specific directory on it. The DLL then initiates a sequence of steps that results in malware for skimming credit and debit card data being installed on the website.
Technically Complex Campaign
BlackBerry researchers have observed the threat actor using multiple separate tools for privilege escalation, as well as a remote access tool, a remote code execution exploit, a malware stager/downloader, and a tool for post-exploit activities. As is often the case with malware campaigns these days, the operator of Silent Skimmer has relied on a slew of legitimate open source tools, binaries, and scripts in many of its attacks.
One indication that the threat actor behind Silent Skimmer is technically skilled is how it has readjusted its command-and-control (C2) infrastructure based on the geolocation of the victims. For the campaign, the threat actor has used virtual private servers (VPS) — often on Microsoft’s Azure platform — as C2 servers for newly acquitted targets. Each C2 server is typically online for less than a week and is often located in the same region or country as the victim. For Canadian victims, for example, BlackBerry found the threat actor set up a VPS in Canada, while for US victims, the VPS servers were usually within the same state as the victim.
The goal behind the tactic is to ensure that traffic to and from the compromised servers blends in with normal traffic, BlackBerry said.