The Mongolian Skimmer: different clothes, equally dangerous

Tags

External References

• https://jscrambler.com/
• https://otx.alienvault.com/

Description

This report details the analysis of a skimming campaign, dubbed the 'Mongolian Skimmer,' which utilizes an obfuscation technique involving unusual Unicode characters for variable and function names. While initially appearing as a novel obfuscation approach, it ultimately employs well-known JavaScript capabilities. The skimmer follows typical patterns, including DOM monitoring, data exfiltration, anti-debugging measures, and cross-browser compatibility. An intriguing aspect is the discovery of a conversation between threat actors through code comments, where they agreed to split profits from the skimming operation.

Date