Silent Skimmer: A Shift in Targets from APAC to NALA

By The BlackBerry Research & Intelligence Team

Summary: BlackBerry’s research team has identified a new malicious campaign named “Silent Skimmer.” This campaign is orchestrated by a financially driven threat actor who has shifted their focus from targeting online payment businesses in the Asia-Pacific (APAC) region to the North America and Latin America (NALA) regions. The attacker exploits vulnerabilities in web servers to gain initial access and then deploys mechanisms to scrape payment information from compromised websites.

Key Insights:

1. Duration and Targets: The campaign has been active for over a year, targeting various industries, especially those with payment infrastructure like online businesses and Point of Sales (POS) providers. The threat actor seems proficient in the Chinese language and has primarily operated in the APAC region.
2. Tactics and Techniques: The attacker uses a range of tactics, including privilege escalations, remote code execution, and post-exploitation tools. They exploit public-facing applications and rely on various network infrastructures like Virtual Private Servers (VPS) and Content Delivery Networks (CDN).
3. Technical Analysis: The attacker exploits vulnerabilities in web applications, especially those on Internet Information Services (IIS). Their main goal is to compromise the payment checkout page and extract sensitive payment data from visitors. They use a variety of tools and techniques, including open-source tools and Living Off the Land Binaries and Scripts (LOLBAS).
4. Weaponization: The attacker uses a range of tools, including Godzilla Webshells, PowerShell RATs, and Cobalt Strike Beacons, to compromise web servers and elevate their privileges. They then deploy a scraper on the payment checkout service of the victim web server.
5. Silent Skimmer’s Methodology: Once the attacker gains sufficient privileges, they check for specific files in the victim’s “inetpub\wwwroot” directory. They use obfuscated JavaScript files to scrape payment details and exfiltrate the financial data.
6. Network Infrastructure: The threat actor uses an HTTP file server on a temporary VPS, mainly hosted on Microsoft Azure. They adjust their network infrastructure based on the victim’s location, making their internet traffic appear natural.
7. Targets: Historically, this threat actor targeted the APAC region. However, since October 2022, they have expanded to Canada and the US, indicating a possible increase in their confidence and ambition.
8. Attribution: While the exact identity of the threat actor remains unknown, evidence suggests they might be Chinese-speaking and operate predominantly in Asia.

Bolstering Defenses: Businesses face an ever-evolving landscape of cyber threats, making it imperative to stay ahead of potential vulnerabilities. To fortify their defenses against sophisticated attacks, businesses can:

• Regular Software Updates and Patching: Cyber attackers often exploit outdated software with known vulnerabilities. Regularly updating and patching software ensures that these vulnerabilities are addressed, reducing the risk of breaches.
• Conducting Security Audits: Routine security audits can help businesses identify potential weak points in their systems. These audits, conducted by cybersecurity professionals, provide insights into areas that need improvement and recommend strategies to strengthen security measures.
• Investing in Advanced Threat Detection: Modern threat detection tools use artificial intelligence and machine learning to identify unusual patterns and potential threats in real-time. These tools can quickly detect and neutralize threats before they can cause significant damage.
• Response Solutions: Having a robust response strategy is as crucial as prevention. Businesses should invest in solutions that not only detect threats but also provide actionable steps to contain and mitigate them.

Implications of Geographical Shift: The shift in cyberattack targets from Asia to North America is not just a change in geography; it signifies a broader evolution in the cyber threat landscape. This transition suggests:

• Increased Ambition of Threat Actors: The move to target North American entities might indicate that these cybercriminals are becoming bolder, possibly aiming for bigger payouts or more significant disruptions.
• Resource Allocation: The geographical shift could be a result of threat actors acquiring more resources, allowing them to target more secure and potentially more lucrative entities in North America.
• Perceived Vulnerabilities: Cybercriminals might perceive businesses or infrastructures in North America as more vulnerable or less prepared to fend off sophisticated attacks, making them attractive targets.

Securing Payment Information: In an era where online transactions are commonplace, individuals must prioritize the security of their payment information. Here’s how they can ensure their financial data remains uncompromised:

• Trusted Payment Gateways: Opt for well-known and trusted payment gateways when making online purchases. These platforms have stringent security measures in place to protect user data.
• Two-Factor Authentication (2FA): 2FA provides an additional layer of security by requiring a second form of identification beyond just a password. This could be a text message, a biometric scan, or a security token.
• Regular Financial Monitoring: Regularly review bank and credit card statements to spot any unauthorized transactions. Early detection can prevent further unauthorized activities and facilitate quicker resolution with financial institutions.
• Educate and Stay Informed: Cyber threats are continually evolving. Staying informed about the latest scams, phishing techniques, and best practices for online security can provide individuals with the knowledge they need to avoid potential threats.

Conclusions: The “Silent Skimmer” campaign showcases the evolving tactics of threat actors and the vulnerabilities present in online payment systems. The campaign’s shift from Asia to North America indicates a potential increase in the scale and scope of future attacks. It’s crucial for businesses to be aware of such threats and take appropriate measures to safeguard their online payment systems.