A financially motivated threat actor, known as Silent Skimmer, has been identified as the mastermind behind a sophisticated web-skimming campaign that has persisted for more than a year. This campaign primarily targets payment firms and users in the APAC (Asia-Pacific) and NALA (North America and Latin America) regions, with a focus on extracting sensitive financial data.
Silent Skimmer employs a range of tactics, including exploiting internet-facing applications, deploying various tools to gain access and execute code remotely, and exploiting a .NET deserialization vulnerability (CVE-2019-18935) in Progress Telerik UI for ASAP.NET AJAX. This allows them to initiate a sequence of actions that deploy a suite of tools on compromised websites, ultimately culminating in the exfiltration of user information, including billing and credit card details, using Cloudflare.
The identity of the threat actor remains concealed, but researchers suspect a Chinese hacker group’s involvement based on evidence such as a GitHub repository used in the campaign and the presence of Chinese code in PowerShell RAT.
Furthermore, the attacker’s command-and-control (C2) server is located in Asia, indicating their geographic origin or operation base. Although initially targeting the APAC region, Silent Skimmer expanded its reach to include Canada and the U.S. in October 2022, suggesting an intention to broaden its attacks into North America. The primary targets are online businesses and point-of-sale (PoS) providers, particularly those utilizing web servers running ASP.NET and IIS.
The complexity of the operation suggests the involvement of an advanced or experienced threat actor. As this campaign continues to evolve and expand its geographical scope, organizations are advised to remain vigilant and stay informed about the infrastructure and exploitation tools employed by Silent Skimmer. Leveraging Indicators of Compromise (IOCs) provided by the BlackBerry Research & Intelligence Team can be instrumental in enhancing protection against this ongoing threat.