October 11, 2024
Severity
High
Analysis Summary
Researchers have revealed a new digital skimmer campaign, dubbed Mongolian Skimmer, that uses Unicode-based obfuscation to hide what the injected script does.
The obfuscation is what drew attention first: the script is full of accented characters and other non-ASCII glyphs, many of them invisible, which makes it very hard for a human to read. The trick relies on a language feature rather than a bug. JavaScript accepts almost any Unicode letter, and a few invisible format characters, inside identifiers, so variable and function names can be made unreadable without changing what the code does. Two names that render identically on screen can still be distinct variables to the engine.
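The identifier trick described above, shown with an added example. Nothing below is the skimmer's own code: the sample script is constructed for this illustration, and the helper functions (findSuspiciousIdentifiers, findInvisibleCharacters, renameIdentifiers) are a triage pass that flags non-ASCII and invisible identifier characters and renames them to plain names. The identifier regex stands in for a real parser, so on a large script it will also touch words inside string literals and comments.

```javascript
// Added example (not the skimmer's own code): triage helpers for JavaScript
// that hides variable names behind non-ASCII letters and invisible characters.
// The SAMPLE script further down is constructed for this example.

// Format characters with no visible glyph. ZWNJ and ZWJ are legal inside a
// JavaScript identifier, so "a" and "a<ZWNJ>" are two different variables.
const INVISIBLE = new Map([
  ['\u200b', 'ZERO WIDTH SPACE'],
  ['\u200c', 'ZERO WIDTH NON-JOINER'],
  ['\u200d', 'ZERO WIDTH JOINER'],
  ['\u2060', 'WORD JOINER'],
  ['\ufeff', 'ZERO WIDTH NO-BREAK SPACE'],
]);

// ECMAScript identifier shape: ID_Start, then ID_Continue plus ZWNJ/ZWJ.
// A regex, not a parser: it also matches words inside strings and comments,
// which is acceptable for triage but not for a production rewrite tool.
const IDENT_RE = /[\p{ID_Start}$_][\p{ID_Continue}$\u200c\u200d]*/gu;
const NON_ASCII_RE = /[^\x00-\x7f]/;

const codepoints = (s) =>
  [...s].map((c) => 'U+' + c.codePointAt(0).toString(16).toUpperCase().padStart(4, '0'));

// Every distinct identifier that uses non-ASCII characters, with its code points
// and the number of invisible characters hidden inside it.
function findSuspiciousIdentifiers(src) {
  const seen = new Map();
  for (const m of src.matchAll(IDENT_RE)) {
    const name = m[0];
    if (NON_ASCII_RE.test(name) && !seen.has(name)) {
      seen.set(name, {
        name,
        codepoints: codepoints(name),
        invisible: [...name].filter((c) => INVISIBLE.has(c)).length,
      });
    }
  }
  return [...seen.values()];
}

// Positions of invisible format characters anywhere in the source.
function findInvisibleCharacters(src) {
  const hits = [];
  for (let i = 0; i < src.length; i++) {
    if (INVISIBLE.has(src[i])) hits.push({ index: i, name: INVISIBLE.get(src[i]) });
  }
  return hits;
}

// Rewrite every non-ASCII identifier to id_1, id_2, ... in order of first use.
// Keywords and ASCII names are left alone, so the program's behaviour is unchanged.
function renameIdentifiers(src) {
  const mapping = new Map();
  const source = src.replace(IDENT_RE, (name) => {
    if (!NON_ASCII_RE.test(name)) return name;
    if (!mapping.has(name)) mapping.set(name, 'id_' + (mapping.size + 1));
    return mapping.get(name);
  });
  return { source, mapping };
}

// Constructed sample: two variables that look identical on screen (U+0201 with
// and without a trailing ZWNJ) and a glottal-stop letter used as a function name.
const SAMPLE = [
  'const ȁ\u200c = "card";',
  'const ȁ = "number";',
  'function ʔ(ȅ, ȇ) { return ȅ + "_" + ȇ; }',
  'return ʔ(ȁ\u200c, ȁ);',
].join('\n');

// The original and the renamed script return the same value: the obfuscation is
// cosmetic, the engine never cared which glyphs were used.
function runSample() {
  const { source, mapping } = renameIdentifiers(SAMPLE);
  return {
    original: new Function(SAMPLE)(),
    renamed: new Function(source)(),
    renamedSource: source,
    renamedCount: mapping.size,
  };
}

console.log(findSuspiciousIdentifiers(SAMPLE));
console.log(runSample().renamedSource);
```

Run with node. The point of the two look-alike names is that a reviewer reading a dump of the script cannot tell them apart, while the engine treats them as unrelated variables; counting invisible characters in a script that should contain none is the cheapest signal for this family of obfuscation.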
The malware's objective is to capture sensitive data entered on the checkout and admin pages of e-commerce sites, payment card details included, and exfiltrate it to a server under the attacker's control. The skimmer also resists analysis: when it detects that the browser's developer tools are open, it disables certain functions so the code cannot be stepped through. It is typically injected as an inline script on the compromised site, and that inline stub fetches the actual payload from an external server.
The skimmer uses both modern and legacy event-handling APIs for cross-browser compatibility, so visitors on old and new browsers are targeted alike. Jscrambler, the client-side protection and compliance provider that analysed the campaign, also observed an atypical loader variant that fetches the skimmer script only after it sees user-input events, specifically touchstart, mouse movement and scrolling.
Deferring the load until the user interacts serves two purposes: it is an effective anti-bot measure, since automated scanners rarely generate those events and so never observe the second stage, and it keeps the skimmer from causing a visible performance hit during page load. On one of the Magento sites hijacked to host the Mongolian Skimmer a second skimmer actor was also present, and the two groups used source-code comments to communicate and to split the proceeds.
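The interaction-gated loader described above, reconstructed as an added example; it is not the campaign's loader. It uses Node's built-in EventTarget as a stand-in for the browser window, the three event names are the ones reported, and the one-shot behaviour (all listeners removed after the first trigger) and the attachEvent fallback are assumptions about how such a loader is typically written. The third visitor, a scanner that synthesises the same events, shows what a defender's crawler has to do to see the payload at all.

```javascript
// Added example (not the campaign's code): a reconstruction of a loader that
// defers fetching the skimmer until the visitor looks human. Node's EventTarget
// and Event globals stand in for window and DOM events.

const TRIGGER_EVENTS = ['touchstart', 'mousemove', 'scroll'];

// Register `handler` with whichever API the host offers: addEventListener on
// current browsers, attachEvent on legacy Internet Explorer (assumed fallback).
// Returns an unregister function so the loader can fire exactly once.
function listen(target, name, handler) {
  if (typeof target.addEventListener === 'function') {
    target.addEventListener(name, handler);
    return () => target.removeEventListener(name, handler);
  }
  if (typeof target.attachEvent === 'function') {
    target.attachEvent('on' + name, handler);
    return () => target.detachEvent('on' + name, handler);
  }
  throw new Error('no event API on target');
}

// Defer `load` until the first touch, mouse move or scroll. A crawler that only
// fetches and renders the page never produces these events, so it never sees
// the second-stage script. `triggers` counts how many times the gate fired.
function installGatedLoader(target, load) {
  const state = { loaded: false, triggers: 0 };
  const unregister = [];
  const fire = () => {
    state.triggers += 1;
    if (state.loaded) return;
    state.loaded = true;
    unregister.forEach((off) => off()); // one shot: drop every listener
    load();
  };
  for (const name of TRIGGER_EVENTS) unregister.push(listen(target, name, fire));
  return state;
}

// What a defender's scanner must do before capturing network traffic:
// synthesise the same interaction events the loader is waiting for.
function triggerLikeHuman(target) {
  for (const name of TRIGGER_EVENTS) target.dispatchEvent(new Event(name));
}

// Three visitors: a crawler that never interacts, a human who moves the mouse
// and scrolls, and a scanner that synthesises interaction before looking.
function simulate() {
  const fetched = [];
  const load = (who) => () => fetched.push(who);

  const crawlerWindow = new EventTarget();
  const crawler = installGatedLoader(crawlerWindow, load('crawler'));

  const humanWindow = new EventTarget();
  const human = installGatedLoader(humanWindow, load('human'));
  humanWindow.dispatchEvent(new Event('mousemove'));
  humanWindow.dispatchEvent(new Event('scroll')); // listeners already removed

  const scannerWindow = new EventTarget();
  const scanner = installGatedLoader(scannerWindow, load('scanner'));
  triggerLikeHuman(scannerWindow);

  return {
    crawlerSaw: crawler.loaded,
    humanSaw: human.loaded,
    humanTriggers: human.triggers,
    scannerSaw: scanner.loaded,
    fetched,
  };
}

console.log(simulate());
```

The practical consequence for monitoring is that a headless crawl of the checkout page can come back clean while real customers are being skimmed; any automated check of third-party script loads should dispatch interaction events, or drive a real browser session, before recording what the page fetched.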
The initial access vector has not been established. All indications are that the attackers compromised Magento or OpenCart instances that were either misconfigured or running vulnerable versions, and the victim sites may well have been breached in different ways.
To an untrained eye the obfuscation looks novel, but it is not: it layers old, well-understood techniques that are just as easily undone, and the layering only makes the script look more opaque than it is.
Impact
- Sensitive Data Theft
- Financial Loss
- Data Exfiltration
- Unauthorized Access
Indicators of Compromise
Domain Name
- cache.cdn-core.com
- widget.statictool.com
- widget.useonline.org
- stat.mystatpal.com
- seomgr.com
- mdn.safecontentdelivery.com
Remediation
- Block all threat indicators at your respective controls.
- Search for the indicators of compromise (IOCs) in your environment using your respective security controls, and review inline scripts on checkout and admin pages for non-ASCII or invisible characters in identifiers.
- Restrict the script sources your checkout pages may load (for example with a Content-Security-Policy) and alert on unexpected external script loads.
- Keep Magento, OpenCart and their extensions up to date with the latest security patches, and review store configuration for weaknesses that would allow script injection.
- Enforce multi-factor authentication on store admin accounts and other online accounts to provide an additional layer of security.
- Check for any unauthorized transactions or activities on your financial accounts and report suspicious activity to the respective authorities.
- Treat emails from unknown senders with caution.
- Avoid downloading and installing pirated software, as these sites are often a source of malware infections.
- Educate yourself and your employees on safe computing practices, such as caution when opening emails and downloading attachments, to prevent future infections.