Today's cybersecurity headlines are brought to you by ThreatPerspective


Ethical Hacking News

E-skimming Campaign Revealed: A Look into the Mongolian Skimmer and Its Unicode Obfuscation Techniques



A new e-skimming malware dubbed "Mongolian Skimmer" has been uncovered in an analysis by Jscrambler researchers. Utilizing Unicode obfuscation techniques, this skimming malware evades detection from security software and is found in phishing attacks across multiple platforms.

  • The Mongolian Skimmer is a sophisticated skimming malware used in phishing attacks across multiple platforms.
  • The malware uses advanced Unicode obfuscation techniques to evade detection and remain hidden from security software.
  • The attackers employed unusual Unicode characters for variables and function names, making the code difficult for humans to read and analyze.
  • The Mongolian Skimmer leverages common techniques used by other skimming malware, including DOM monitoring and data exfiltration via encoded tracking pixels.
  • The malware activates only upon user interaction, aiming to evade bots and minimize performance impact.
  • The campaign employed anti-debugging tactics, including monitoring formatting changes to detect and evade debugging attempts.



The cybersecurity landscape has witnessed another concerning development, this time centered on an e-skimming campaign known as the Mongolian Skimmer. A recent analysis by Jscrambler researchers revealed that this sophisticated skimming malware has been employed in phishing attacks across multiple platforms.

The Mongolian Skimmer uses advanced Unicode obfuscation techniques to evade detection and remain hidden from security software. According to the report published by Jscrambler, the attackers used unusual Unicode characters for variable and function names. This technique, although not new, is still effective at making the code difficult for humans to read and analyze.

The use of accented Unicode characters is a well-known JavaScript language capability, as stated by the ECMAScript Standard: it allows developers to use any Unicode character in identifiers such as variable names. However, Jscrambler researchers argue that this added obfuscation does not provide significant resiliency, or resistance to reverse engineering, against manual or automated methods.

The Mongolian Skimmer leverages common techniques used by other skimming malware. These include DOM monitoring for sensitive input changes, data exfiltration via encoded tracking pixels, DevTools detection to evade debugging, data collection on page unload, cross-browser compatibility, and anti-debugging measures to avoid code tampering.

One notable aspect of the Mongolian Skimmer is that it activates only upon user interaction. In one variant found in a Magento 2 Google Tag Manager plugin loader, this occurs when the user scrolls or moves the mouse cursor across the page. This trick aims to evade bots and minimize the impact on the webpage's performance.

Furthermore, the Mongolian Skimmer captures final data entries using the beforeunload event and ensures cross-browser compatibility with various event-handling techniques. It also employs anti-debugging tactics by monitoring formatting changes to detect and evade debugging attempts.

The obfuscation techniques employed in this campaign may appear to be a new development at first glance but are, in reality, old techniques leveraged for enhanced obfuscation. As the Jscrambler report concludes, "A simple code transformer can remove all the weird characters automatically for you. Underneath the skin, it was just a very common type of skimmer code, commonly found in misconfigured or vulnerable Magento installations in the wild."

In conclusion, this e-skimming campaign using Unicode obfuscation to hide the Mongolian Skimmer has once again highlighted the ongoing struggle between cybersecurity professionals and malicious actors who attempt to evade detection through advanced techniques.
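The accented-identifier obfuscation described above, and the "simple code transformer" the report says can undo it, as an added example (not Jscrambler's code and not taken from the page): a triage scanner that flags scripts whose identifiers contain non-ASCII characters and renames them to readable placeholders. The indicator keyword list and the suspicion threshold are assumptions chosen for illustration.

```javascript
// Added example, not Jscrambler's code: heuristic triage for JavaScript with non-ASCII
// identifiers, plus a renaming transformer that makes the underlying logic readable.
const IDENT = /[\p{ID_Start}$_][\p{ID_Continue}$\u200c\u200d]*/gu; // ECMAScript identifier shape
// Blank out comments and string literals so their text is not mistaken for identifiers (heuristic).
function stripLiterals(src) {
  return src
    .replace(/\/\*[\s\S]*?\*\//g, ' ')
    .replace(/\/\/[^\n]*/g, ' ')
    .replace(/`(?:\\[\s\S]|[^`\\])*`/g, '""')
    .replace(/"(?:\\.|[^"\\\n])*"/g, '""')
    .replace(/'(?:\\.|[^'\\\n])*'/g, '""');
}
function collectIdentifiers(src) {
  return [...new Set(stripLiterals(src).match(IDENT) || [])];
}
function hasNonAscii(s) { return /[^\x00-\x7f]/.test(s); }
// Behavioural markers drawn from the report's description (assumed list, matched on raw source).
const INDICATORS = ['beforeunload', 'mousemove', 'scroll', 'Image'];
function scanScript(src) {
  const ids = collectIdentifiers(src);
  const unicodeIds = ids.filter(hasNonAscii);
  const indicators = INDICATORS.filter(k => src.includes(k));
  return {
    unicodeIdentifiers: unicodeIds,
    unicodeRatio: ids.length ? unicodeIds.length / ids.length : 0,
    indicators,
    // Threshold is a triage assumption: several accented identifiers plus skimmer-like behaviour.
    suspicious: unicodeIds.length >= 3 && indicators.length >= 2,
  };
}
// Rename every non-ASCII identifier to id_N (accented letters inside string literals are
// renamed too, which is acceptable for triage); ASCII identifiers are left untouched.
function deobfuscateIdentifiers(src) {
  const names = new Map();
  return src.replace(IDENT, id => {
    if (!hasNonAscii(id)) return id;
    if (!names.has(id)) names.set(id, `id_${names.size}`);
    return names.get(id);
  });
}
// Constructed sample in the style described: accented identifiers, mouse trigger, beforeunload, pixel.
const SAMPLE = `
var ñäme = function() { var dåtà = document.querySelector('input').value; return dåtà; };
var sénd = function(v) { var ïmg = new Image(); ïmg.src = '/px.gif?d=' + btoa(v); };
window.addEventListener('mousemove', function() { sénd(ñäme()); });
window.addEventListener('beforeunload', function() { sénd(ñäme()); });
`;
```

Running `scanScript(SAMPLE)` flags the sample, and `deobfuscateIdentifiers(SAMPLE)` yields plain ASCII code in which the skimmer's form-reading, pixel-exfiltration and unload logic is immediately readable.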



    Related Information:

  • https://securityaffairs.com/169632/malware/skimming-campaign-mongolian-skimmer.html


  • Published: Thu Oct 10 11:39:21 2024 by llama3.2 3B Q4_K_M
© Ethical Hacking News. All rights reserved.