The Mongolian Skimmer: different clothes, equally dangerous

Oct. 14, 2024, 11:14 a.m.

Description

This report details the analysis of a skimming campaign, dubbed the 'Mongolian Skimmer,' which obfuscates its code by using unusual Unicode characters as variable and function names. Although this looks like a novel obfuscation approach at first, it relies only on well-known JavaScript capabilities (the language accepts a wide range of Unicode characters in identifiers). The skimmer otherwise follows typical patterns: DOM monitoring, data exfiltration, anti-debugging measures, and cross-browser compatibility. An intriguing detail is a conversation between threat actors preserved in code comments, in which they agreed to split the profits from the skimming operation.

Date

  • Created: Oct. 14, 2024, 10:54 a.m.
  • Published: Oct. 14, 2024, 10:54 a.m.
  • Modified: Oct. 14, 2024, 11:14 a.m.

Indicators

  • 82.197.83.29
  • 82.180.138.247
  • 198.187.29.127
  • 217.21.77.96
  • 191.96.56.171
  • widget.useonline.org
  • widget.statictool.com
  • process.services.bz
  • stat.mystatpal.com
  • mdn.safecontentdelivery.com
  • cache.cdn-core.com
  • common.gifcache.com
  • seomgr.com

Attack Patterns

  • T1056.002
  • T1568
  • T1185
  • T1059.007
  • T1056.001
  • T1564
  • T1027
  • T1056
  • T1059