A financially motivated campaign has been targeting online payment businesses in the Asia Pacific, North America, and Latin America with web skimmers for more than a year.
The BlackBerry Research and Intelligence Team is tracking the activity under the name Silent Skimmer, attributing it to an actor who is proficient in the Chinese language. Prominent victims include online businesses and point-of-sale (PoS) service providers.
“The campaign operators exploit vulnerabilities in web applications, particularly those hosted on Internet Information Services (IIS),” the Canadian cybersecurity firm said. “Their primary objective is to compromise the payment checkout page, and swipe visitors’ sensitive payment data.”
A successful initial foothold is followed by the threat actors leveraging multiple open-source tools and living-off-the-land (LotL) techniques for privilege escalation, post-exploitation, and code execution.
The attack chain leads to the deployment of a PowerShell-based remote access trojan (server.ps1) that allows the operators to remotely control the host. The trojan, in turn, connects to a remote server that hosts additional utilities, including downloading scripts, reverse proxies and Cobalt Strike beacons.
The end goal of the intrusion, per BlackBerry, is to infiltrate the web server, use a web shell to drop a scraper into the payment checkout service, and stealthily capture the financial information that victims enter on the page.
An examination of the adversary’s infrastructure reveals that the virtual private servers (VPS) used for command-and-control (C2) are chosen based on the geolocation of the victims in an effort to evade detection.
The diversity of industries and regions targeted, coupled with the kind of servers breached, points to an opportunistic campaign rather than a deliberate approach.
“The attacker focuses predominantly on regional websites that collect payment data, taking advantage of vulnerabilities in commonly used technologies to gain unauthorized access and retrieve sensitive payment information entered into or stored on the site,” BlackBerry said.
The disclosure comes as Sophos revealed details of a pig butchering scam in which potential targets are lured into bogus cryptocurrency investment schemes after being approached on dating apps like MeetMe, netting the actors millions in illicit profits.
What sets the latest operation apart is the use of liquidity mining lures, promising users regular income at high rates of return for investment in a liquidity pool, where the virtual assets are parked to facilitate trades on decentralized exchanges.
“These scams require no malware on the target’s device, and no ‘hacking’ of any sort other than fraudulent websites and social engineering — convincing targets to connect their wallet to an Ethereum smart contract that gives the scammers permission to empty the wallet,” security researcher Sean Gallagher said.