Cybersecurity researchers have uncovered a new digital skimmer campaign, dubbed Mongolian Skimmer, that uses Unicode obfuscation to disguise its malicious code.
“The script’s obfuscation initially stood out, which seemed a bit bizarre because of all the accented characters,” Jscrambler researchers said in their analysis. “The heavy use of Unicode characters, many of them invisible, does make the code very hard to read for humans.”
At its core, the script hides its malicious functionality by taking advantage of the fact that JavaScript permits almost any Unicode letter in identifiers, along with certain invisible format characters such as zero-width joiners, so variable and function names can be built from accented, non-Latin, or entirely invisible characters that look alike or do not render at all.
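To make the technique concrete, the following is an added example (not code from Jscrambler or from the skimmer itself) showing why Unicode identifiers defeat a human reader, and a small normalization pass an analyst can run over a sample before reading it. The sample code, the identifier regex and the helper names are constructed for this illustration; it assumes Node 12 or later for `String.prototype.matchAll` and Unicode property escapes.

```javascript
// Added example, not code from Jscrambler or from the skimmer itself.
// Shows (1) why Unicode identifiers defeat a human reader and (2) a small
// normalization pass an analyst can run before reading a sample.
// Assumes Node 12+ (String.prototype.matchAll, Unicode property escapes).

// Constructed, harmless sample. JavaScript accepts any Unicode ID_Start /
// ID_Continue character in identifiers, plus the invisible ZWNJ (U+200C) and
// ZWJ (U+200D) inside them, so the first two constants render identically.
const SAMPLE = [
  'const \u00e5\u00e8 = "card";',                              // åè
  'const \u00e5\u200d\u00e8 = "number";',                      // å<ZWJ>è, looks like åè
  'function \u0441\u043e\u043b(a, b) { return a + "-" + b; }', // Cyrillic "сол"
  'return \u0441\u043e\u043b(\u00e5\u00e8, \u00e5\u200d\u00e8);',
].join('\n');

// ECMAScript IdentifierName, approximated with Unicode property escapes.
// Caveat: this is a regex over raw source, not a tokenizer, so it would also
// touch non-ASCII text inside string literals; a real tool should use a parser.
const IDENT_RE = /[$_\p{ID_Start}][$\p{ID_Continue}\u200c\u200d]*/gu;

// Anything outside printable ASCII (accented letters, other scripts, or
// invisible format characters) is flagged.
function isSuspiciousIdentifier(ident) {
  return /[^\x21-\x7e]/.test(ident);
}

// Inventory of non-ASCII identifiers and how often each appears, with the
// code points spelled out so look-alike names can be told apart.
function findUnicodeIdentifiers(src) {
  const found = new Map();
  for (const m of src.matchAll(IDENT_RE)) {
    const id = m[0];
    if (!isSuspiciousIdentifier(id)) continue;
    const entry = found.get(id) || {
      count: 0,
      codePoints: [...id].map(
        (c) => 'U+' + c.codePointAt(0).toString(16).toUpperCase().padStart(4, '0')),
    };
    entry.count += 1;
    found.set(id, entry);
  }
  return found;
}

// Rewrite every non-ASCII identifier to a readable placeholder, consistently,
// and return the mapping so the analyst can refer back to the original names.
function normalizeIdentifiers(src) {
  const mapping = new Map();
  const code = src.replace(IDENT_RE, (id) => {
    if (!isSuspiciousIdentifier(id)) return id;
    if (!mapping.has(id)) mapping.set(id, `id_${mapping.size}`);
    return mapping.get(id);
  });
  return { code, mapping };
}

// Both versions behave identically; only the readable one is fit for review.
const normalized = normalizeIdentifiers(SAMPLE);
console.log(normalized.code);
console.log(new Function(SAMPLE)(), '==', new Function(normalized.code)());
```

The point of the code-point listing is that two identifiers which print identically (`åè` and `å<ZWJ>è`) are distinct variables to the engine; without it, an analyst reading the raw source would merge them and misread the data flow.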
The malware’s end goal is to capture sensitive information, including payment card data, entered on e-commerce checkout or admin pages and exfiltrate it to an attacker-controlled server.
The skimmer also attempts to evade analysis and debugging by disabling certain functions when it detects that the browser’s developer tools are open. It typically appears as an inline script on compromised sites that fetches the actual payload from an external server.
“The skimmer uses well-known techniques to ensure compatibility across different browsers by employing both modern and legacy event-handling techniques,” Jscrambler’s Pedro Fortuna explained. “This guarantees it can target a wide range of users, regardless of their browser version.”
The client-side protection and compliance provider also observed an “unusual” loader variant that loads the skimmer script only once user-interaction events such as scrolling, mouse movements, and touchstart are detected.
Jscrambler noted that this approach likely serves as an effective anti-bot measure, since automated scanners rarely generate such events, while also ensuring that loading the skimmer does not create a performance bottleneck on the page.
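The interaction-gated loader described in the two paragraphs above, as an added example that is not the skimmer’s code and not Jscrambler’s: nothing is loaded until the page sees a real scroll, mouse movement or touch, so a headless scanner that fetches the page and captures it without interacting never triggers the download. The function and variable names are invented for this illustration; it assumes a DOM `EventTarget` (`window` or `document` in a browser, or Node 15 or later where `EventTarget` and `Event` are globals) and takes the payload loader as a callback.

```javascript
// Added example, not the skimmer's code: a loader gated on the first user
// interaction. Assumes a DOM EventTarget (window/document in a browser, or
// Node 15+ where EventTarget and Event are globals); the payload loader is a
// callback supplied by the caller.

const INTERACTION_EVENTS = ['scroll', 'mousemove', 'touchstart'];

function installInteractionGatedLoader(target, loadPayload) {
  let fired = false;
  const handlers = new Map();

  function onFirstInteraction(ev) {
    if (fired) return;                // idempotent if two events arrive together
    fired = true;
    // Detach every handler, not just the one that fired: { once: true } would
    // only remove the listener for this event type and leave the others armed.
    for (const [type, fn] of handlers) target.removeEventListener(type, fn);
    loadPayload(ev.type);
  }

  for (const type of INTERACTION_EVENTS) {
    const fn = (ev) => onFirstInteraction(ev);
    handlers.set(type, fn);
    target.addEventListener(type, fn, { passive: true });
  }

  return () => fired;                 // lets a caller query whether the payload was loaded
}

// Constructed simulation of two visitors: one that never interacts (a crawler)
// and one that does. In a browser, `target` would be window or document and
// loadPayload would inject a <script> pointing at the attacker's server.
function simulateVisitor(eventsDispatched) {
  const page = new EventTarget();
  const loads = [];
  const wasLoaded = installInteractionGatedLoader(page, (trigger) => loads.push(trigger));
  for (const type of eventsDispatched) page.dispatchEvent(new Event(type));
  return { loaded: wasLoaded(), loads };
}

console.log('crawler:', simulateVisitor([]));
console.log('human:', simulateVisitor(['mousemove', 'scroll', 'touchstart']));
```

The defensive consequence follows directly: a page scanner that only loads the page and records the DOM or network requests will see a clean site. A scanner that wants to catch this kind of loader has to dispatch synthetic scroll, mouse-move and touch events before it captures anything.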
A different skimmer actor is said to have targeted one of the Magento sites that had been compromised to deploy the Mongolian Skimmer, with the two activity clusters using source code comments to communicate and agree on splitting the proceeds.
On September 24, 2024, one of the threat actors said, “50/50 maybe?” The other group replied three days later, saying, “I agree 50/50, you can add your code :)”
The first threat actor then responded on September 30: “Okay, so how can I reach you though? You own an exploit account? [sic]”, most likely a reference to the Exploit cybercrime forum.
“The obfuscation techniques found on this skimmer may have looked to the untrained eye as a new obfuscation method, but that was not the case,” Fortuna said. “It used old techniques to appear more obfuscated, but they are just as easy to reverse.”