Cybersecurity researchers have shed light on a new digital skimmer campaign that leverages Unicode obfuscation techniques to conceal a skimmer dubbed Mongolian Skimmer.
“At first glance, the thing that stood out was the script’s obfuscation, which seemed a bit bizarre because of all the accented characters,” Jscrambler researchers said in an analysis. “The heavy use of Unicode characters, many of them invisible, does make the code very hard to read for humans.”
The script, at its core, has been found to leverage JavaScript’s capability to use any Unicode character in identifiers to hide the malicious functionality.
The end goal of the malware is to steal sensitive data entered on e-commerce checkout or admin pages, including financial information, which are then exfiltrated to an attacker-controlled server.
The skimmer, which typically manifests in the form of an inline script on compromised sites that fetches the actual payload from an external server, also attempts to evade analysis and debugging efforts by disabling certain functions when a web browser’s developer tools is opened.
“The skimmer uses well-known techniques to ensure compatibility across different browsers by employing both modern and legacy event-handling techniques,” Jscrambler’s Pedro Fortuna said. “This guarantees it can target a wide range of users, regardless of their browser version.”
The client-side protection and compliance company said it also observed what it described as an “unusual” loader variant that loads the skimmer script only in instances where user interaction events such as scrolling, mouse movements, and touchstart are detected.
This technique, it added, could serve both as an effective anti-bot measure and a way to ensure that the loading of the skimmer is not causing performance bottlenecks.
One of the Magento sites compromised to deliver the Mongolian skimmer is also said to have targeted by a separate skimmer actor, with the two activity clusters leveraging source code comments to interact with each other and divide the profits.
“50/50 maybe?,” remarked one of the threat actors on September 24, 2024. Three days later, the other group responded: “I agree 50/50, you can add your code :)”
Then on September 30, the first threat actor replied back, stating “Alright ) so how can I contact you though? U have acc on exploit? [sic],” likely referring to the Exploit cybercrime forum.
“The obfuscation techniques found on this skimmer may have looked to the untrained eye as a new obfuscation method, but that was not the case,” Fortuna noted. “It used old techniques to appear more obfuscated, but they are just as easy to reverse.”
