Today > 1 Critical | 6 High | 24 Medium vulnerabilities   -   You can now download lists of IOCs here!

The Mongolian Skimmer: different clothes, equally dangerous

Oct. 14, 2024, 11:14 a.m.

Description

This report details the analysis of a skimming campaign, dubbed the 'Mongolian Skimmer,' which utilizes an obfuscation technique involving unusual Unicode characters for variable and function names. While initially appearing as a novel obfuscation approach, it ultimately employs well-known JavaScript capabilities. The skimmer follows typical patterns, including DOM monitoring, data exfiltration, anti-debugging measures, and cross-browser compatibility. An intriguing aspect is the discovery of a conversation between threat actors through code comments, where they agreed to split profits from the skimming operation.

Date

Published: Oct. 14, 2024, 10:54 a.m.

Created: Oct. 14, 2024, 10:54 a.m.

Modified: Oct. 14, 2024, 11:14 a.m.

Indicators

82.197.83.29

82.180.138.247

198.187.29.127

217.21.77.96

191.96.56.171

widget.useonline.org

widget.statictool.com

process.services.bz

stat.mystatpal.com

mdn.safecontentdelivery.com

cache.cdn-core.com

common.gifcache.com

seomgr.com

Attack Patterns

T1056.002

T1568

T1185

T1059.007

T1056.001

T1564

T1027

T1056

T1059