The holiday season brings increased online shopping, but it also attracts threat actors seeking to take advantage of unsuspecting shoppers. This week, we'll explain "Silent Skimming", a financially motivated campaign that targets online payment businesses. This campaign primarily victimizes online businesses and point-of-sale service providers, as well as their consumers.
Given the increased online shopping during the holiday season, it's important to understand how threat actors exploit individuals who may be unaware of such activities. Let’s dive into Silent Skimming and help you stay informed and secure during this holiday season.
Silent Skimming or Silent Skimmer is an active campaign discovered by BlackBerry that has existed for over a year. The campaign is financially motivated and targets online payment businesses, specifically focusing on online businesses and point-of-sale (POS) service providers. As of now, targets include online payment businesses in the Asia-Pacific, North America, and Latin America regions.
BlackBerry is attributing the campaign to a threat actor who knows the Chinese language. The threat actor behind the campaign deploys payment scraping mechanisms to extract sensitive financial data from users. The targeted industries are diverse but are generally industries that host or create payment infrastructure.
The attack method involves exploiting internet-facing applications for initial access and deploying various tools to escalate privileges, execute code, and gain remote access. The threat actors behind the most recent Silent Skimming campaign have been exploiting a .NET deserialization vulnerability, tracked as CVE-2019-18935, in Progress Telerik UI for ASP.NET AJAX since May 2023. This vulnerability allows them to execute malicious DLL code remotely on targeted servers.
Once initial access is gained, the attackers deploy an array of tools hosted on an attacker-controlled HTTP File Server. These tools include downloader scripts, remote access scripts, webshells, exploits, and Cobalt Strike beacons. In the final stage, user information such as billing and credit card details is exfiltrated using Cloudflare.
Image 1: Tools
Tool | ITW Tool Name | Purpose
BadPotato | bpo.exe | Privilege Escalation
Godzilla Webshell | bypass.aspx | Remote Code Execution
PowerShell RAT | client111.ps1 | Remote Access
SharpToken | ConfusedToken.exe | Privilege Escalation
GodPotato | GodPotato-NET4.exe | Privilege Escalation
Juicy Potato | j.exe | Privilege Escalation
HTML Application | MsMsp.hta | Downloader/Stager
(no tool name given) | scvhost.exe | Post Exploitation
SweetPotato | SPO.exe | Privilege Escalation
Source: BlackBerry
Let’s break down the attack vector for the Silent Skimming campaign into its stages: target selection; tools used; exploiting the Telerik UI vulnerability (CVE-2019-18935); initial payload; exploitation process; insecure deserialization; and execution of the malicious DLL.
In simpler terms, the attackers target websites with known vulnerabilities, use tools to exploit these weaknesses, and specifically take advantage of a Telerik UI software flaw. They deliver a malicious DLL by abusing insecure deserialization, and ultimately execute a malicious HTML application to carry out their skimming activities.
The threat actors then use VBScript to transfer control to PowerShell, leveraging the server.ps1 RAT. This RAT establishes a connection to a hardcoded C2 server, providing the threat actor with control over the compromised system. The C2 server operates as an HTTP file server hosting a diverse set of tools for post-exploitation, allowing the attackers to perform various malicious actions on the compromised server.
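To show how the chain described above could be spotted on the web server itself, here is an added example (written for this post, not code from BlackBerry or Avertium) that triages constructed IIS W3C log lines: it flags POST requests to the Telerik RadAsyncUpload handler (Telerik.Web.UI.WebResource.axd with type=rau, the entry point for CVE-2019-18935 according to Telerik's advisory, which this page does not spell out), flags requests for the in-the-wild tool names from the table above, and escalates any tool fetch that follows a rau POST from the same client address.

```python
# Constructed IIS W3C log lines (not from the original report). Field order:
# date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
SAMPLE_LOG = """\
2023-05-12 10:01:07 10.0.0.5 GET /checkout/index.aspx - 443 - 203.0.113.7 Mozilla/5.0 200
2023-05-12 10:01:09 10.0.0.5 POST /Telerik.Web.UI.WebResource.axd type=rau 443 - 203.0.113.7 python-requests/2.31 200
2023-05-12 10:01:15 10.0.0.5 GET /bypass.aspx - 443 - 203.0.113.7 Mozilla/5.0 200
2023-05-12 10:01:20 10.0.0.5 GET /Telerik.Web.UI.WebResource.axd type=iframe 443 - 198.51.100.4 Mozilla/5.0 200
"""

# In-the-wild file names from the tool table above, lower-cased as a watchlist.
ITW_TOOL_NAMES = {n.lower() for n in (
    "bpo.exe", "bypass.aspx", "client111.ps1", "ConfusedToken.exe",
    "GodPotato-NET4.exe", "j.exe", "MsMsp.hta", "scvhost.exe", "SPO.exe")}

def parse_line(line):
    # Split one W3C line into the fields the checks need; None if malformed.
    p = line.split()
    if len(p) < 11:
        return None
    return {"time": f"{p[0]} {p[1]}", "method": p[3], "stem": p[4],
            "query": p[5], "client": p[8], "status": p[10]}

def classify(rec):
    """Return alert tags for one request (empty list means nothing matched)."""
    tags = []
    stem = rec["stem"].lower()
    # CVE-2019-18935 is reached via the RadAsyncUpload handler: POST ... type=rau
    if stem.endswith("telerik.web.ui.webresource.axd") and rec["method"] == "POST" \
            and "type=rau" in rec["query"].lower():
        tags.append("telerik-rau-post")
    # Webshell, stager or tool names from the report being fetched over HTTP.
    if stem.rsplit("/", 1)[-1] in ITW_TOOL_NAMES:
        tags.append("itw-tool:" + stem.rsplit("/", 1)[-1])
    return tags

def triage(log_text):
    """Scan a log; escalate tool fetches that follow a rau POST from the same client."""
    alerts, rau_clients = [], set()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        tags = classify(rec)
        if "telerik-rau-post" in tags:
            rau_clients.add(rec["client"])
        elif tags and rec["client"] in rau_clients:
            tags.append("post-exploit-after-rau")
        if tags:
            alerts.append((rec["time"], rec["client"], rec["stem"], tags))
    return alerts
```

Running triage(SAMPLE_LOG) on the constructed lines returns two alerts: the rau POST, and the later bypass.aspx fetch from the same client escalated with post-exploit-after-rau; the GET with type=iframe from another client is left alone.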
There are a few reasons why the researchers at BlackBerry believe that the Silent Skimmer campaign is the work of a threat actor based in Asia. Firstly, there is evidence that the threat actor knows Chinese, based on the language used in their code. This is evident in the simplified Chinese used in the PowerShell RAT code and the association with a GitHub repository linked to Chinese-speaking developers.
Secondly, geographical cues play a role in attribution, as the attacker's C2 server is located in Asia, particularly Japan. Additionally, the strategic deployment of Virtual Private Servers (VPS) tailored to the target's location, such as using a Canadian-based VPS for attacks on Canadian businesses, hints at a sophisticated understanding of regional contexts. The dynamic adaptation of network infrastructure based on victim geolocation suggests a high level of technical expertise.
The campaign's expansion over a year, initially concentrating on the Asia-Pacific region and later including North America, implies a persistent and evolving threat. The targeting strategy, focusing on vulnerable web applications across diverse industries involved in payment infrastructure, highlights the threat actor's adaptability rather than a narrow industry-specific approach.
Although not directly related, Avertium's intelligence partner, RedSense, reports that two post-Conti groups, BlackSuit and Zeon, closely align with the tactics and motives of the Silent Skimming campaigns in their attack strategies.
BlackSuit, a rebranding of the Royal ransomware group, focuses on institutions possessing valuable financial and informational assets. The group has used compromised software source code in its targeting of the retail sector, mirroring the tactics observed in 2019 when Amiak took control of POS Merchant servers belonging to a Canadian POS merchant and software provider. Amiak achieved this through the exploitation of MSSQL and RDP access points.
The group also has former members of the Ryuk and REvil ransomware groups within its current operation, as well as the threat actors responsible for the attacks on Costa Rica, Dallas, and Southwest Airlines. BlackSuit’s emphasis on data exfiltration and encryption suggests a likelihood of third-party attacks targeting retail entities.
Advanced Intelligence also stated that the threat actor Zeon has utilized a modified version of legitimate software to develop a new reverse proxy spam engine called ZProxy. ZProxy is a tool designed for generating phishing pages to gather user data, which the operator subsequently inputs into the authentic website. This method allows the operator to bypass 2FA protections, facilitating the collection and storage of user data.
The intended use of ZProxy involves employing it as a "man-in-the-middle" technique to initiate sessions and capture payment data. Information from RedSense's primary source intelligence indicates that the group aims to employ ZProxy for upcoming financial fraud activities, mirroring the Silent Skimming techniques outlined in this report.
The threat actor behind the Silent Skimming/Silent Skimmer campaign mainly targets local payment websites, exploiting common tech weaknesses to grab sensitive payment data without permission. This puts the average holiday online shopper at risk. Stay safe this season by adhering to these recommendations:
The Payment Card Industry Data Security Standard (PCI DSS) establishes security requirements for organizations handling payment card data. PCI DSS Requirement 6.5 focuses on addressing vulnerabilities within third-party applications and component integrations.
One way organizations can help safeguard customers’ payment information is via Avertium’s Governance, Risk, and Compliance (GRC) service. GRC services help organizations identify, assess, and prioritize risks, including those posed by cyber threats like Silent Skimming. This proactive approach allows organizations to understand the potential impact of such threats on their operations and take preventive measures.
Also, GRC services assist organizations in staying compliant with relevant regulations and standards. In the case of Silent Skimming, adherence to data protection and payment card industry standards is important. GRC tools provide frameworks to ensure that organizations meet these compliance requirements, reducing the risk of legal and financial consequences.
It’s important to get ahead of the curve by being proactive with protecting your organization, instead of waiting to put out a massive fire. Avertium can provide the following services to help keep your organization safe from attack campaigns like Silent Skimming:
MITRE ATT&CK tactics observed in the campaign: Resource Development, Initial Access, Execution, Discovery, Defense Evasion, Persistence, Privilege Escalation, Command-and-Control, Exfiltration.
Indicators of compromise: hashes, hostname, URLs (see the BlackBerry report in the sources below).
Silent Skimmer: Online Payment Scraping Campaign Shifts Targets From APAC to NALA (blackberry.com)
Understanding Skimming and How to Prevent It (flagright.com)
Silent Skimmer: The Rising Threat in Card-Skimming Attacks - Security Boulevard
What is PCI DSS? Requirements & How to Comply (itgovernance.co.uk)
Payment Card Industry Data Security Standard (pcisecuritystandards.org)
Chinese Hackers Target North American, APAC Firms in Web Skimmer Campaign - SecurityWeek
Online payment firms subjected to extended web skimming attack | SC Media (scmagazine.com)
Latest evolution of ‘pig butchering’ scam lures victim into fake mining scheme – Sophos News
Chinese Silent Skimmer Attack Hits APAC and NALA Online Payment Firms (hackread.com)
This document and its contents do not constitute, and are not a substitute for, legal advice. The outcome of a Security Risk Assessment should be utilized to ensure that diligent measures are taken to lower the risk of potential weaknesses being exploited to compromise data.
Although the Services and this report may provide data that Client can use in its compliance efforts, Client (not Avertium) is ultimately responsible for assessing and meeting Client's own compliance responsibilities. This report does not constitute a guarantee or assurance of Client's compliance with any law, regulation or standard.