The Mongolian Skimmer: different clothes, equally dangerous
Oct. 14, 2024, 11:14 a.m.
Description
This report details the analysis of a skimming campaign, dubbed the 'Mongolian Skimmer,' which utilizes an obfuscation technique involving unusual Unicode characters for variable and function names. While initially appearing as a novel obfuscation approach, it ultimately employs well-known JavaScript capabilities. The skimmer follows typical patterns, including DOM monitoring, data exfiltration, anti-debugging measures, and cross-browser compatibility. An intriguing aspect is the discovery of a conversation between threat actors through code comments, where they agreed to split profits from the skimming operation.
Date
Published: Oct. 14, 2024, 10:54 a.m.
Created: Oct. 14, 2024, 10:54 a.m.
Modified: Oct. 14, 2024, 11:14 a.m.
Indicators
82.197.83.29
82.180.138.247
198.187.29.127
217.21.77.96
191.96.56.171
widget.useonline.org
widget.statictool.com
process.services.bz
stat.mystatpal.com
mdn.safecontentdelivery.com
cache.cdn-core.com
common.gifcache.com
seomgr.com
Attack Patterns
T1056.002
T1568
T1185
T1059.007
T1056.001
T1564
T1027
T1056
T1059