Cybersecurity researchers have discovered a new digital skimmer campaign named Mongolian Skimmer, which uses Unicode obfuscation techniques to hide its malicious code.
Analysis by Jscrambler researchers revealed that the script uses Unicode characters to obfuscate its code, making it hard for humans to read.
The skimmer utilizes JavaScript’s ability to use Unicode characters in identifiers to mask its harmful activities.
This malware aims to steal sensitive data entered on e-commerce sites and admin pages, including financial information, and send it to a server controlled by the attacker.
The skimmer appears as an inline script on compromised websites and fetches the payload from an external server, while also attempting to evade analysis by disabling certain functions when a web browser’s developer tools are opened.
Jscrambler’s Pedro Fortuna explained that the skimmer uses various event-handling techniques to ensure it works across different browsers, targeting a wide range of users.
The researchers observed a unique loader variant that loads the skimmer script only when user-interaction events such as scrolling, mouse movement, and touchstart are detected, which serves both as an anti-bot measure and as a performance optimization.
One of the compromised Magento sites was also targeted by another skimmer group, and the two groups coordinated through comments in the source code on how to divide their profits.
The threat actors communicated through coded messages, indicating a profit-sharing agreement and discussing their activities on a cybercrime forum.
Fortuna emphasized that despite the complex obfuscation techniques used, the skimmer’s code is reversible and not as sophisticated as it may appear.
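As an added example that is not code from Jscrambler or from the campaign, the script below shows what the Unicode-identifier obfuscation described above looks like from a defender's side and why Fortuna can call it reversible: it scans a constructed JavaScript snippet for identifiers written with non-ASCII letters or `\uXXXX` escapes, scores the script, and renames those identifiers to readable placeholders. The sample snippet, the benign control, the function names and the flagging thresholds are all assumptions made for illustration. String literals and comments are stripped before counting so that a legitimately localized site (non-ASCII text inside strings) is not flagged on that basis alone.

```javascript
// Added example: heuristic detector for Unicode-identifier obfuscation in
// JavaScript source, plus a renamer that shows why the trick is reversible.
// Not code from Jscrambler or the skimmer; sample and thresholds are assumptions.

// Constructed sample in the style the article describes: identifiers written
// with \uXXXX escapes and with non-ASCII (here Cyrillic and Mongolian) letters.
const SAMPLE = String.raw`
var \u0441\u0430\u0440\u0442 = document.querySelector("form#checkout");
const ᠠᠪ = "input[name='cc_number']";
function ᠴᠡᠢ(e) { return e.target.value; }
\u0441\u0430\u0440\u0442.addEventListener("submit", ᠴᠡᠢ);
var total = 1;
`;

// Constructed benign control: non-ASCII appears only inside a string literal.
const BENIGN = 'const total = price * qty; console.log("Итого: " + total);';

const RESERVED = new Set(["var", "let", "const", "function", "return", "if", "else",
  "for", "while", "new", "this", "typeof", "true", "false", "null", "undefined"]);
const ESCAPE_RE = /\\u(?:([0-9a-fA-F]{4})|\{([0-9a-fA-F]+)\})/g;
const IDENT_RE = /[\p{ID_Start}$_][\p{ID_Continue}$\u200c\u200d]*/gu;

// Drop comments and string literals so localized text does not count as identifiers.
function stripStringsAndComments(src) {
  return src
    .replace(/\/\*[\s\S]*?\*\/|\/\/[^\n]*/g, "")
    .replace(/"(?:[^"\\\n]|\\.)*"|'(?:[^'\\\n]|\\.)*'|`(?:[^`\\]|\\.)*`/g, '""');
}

// Turn \uXXXX and \u{...} escapes into the characters they denote.
function decodeUnicodeEscapes(src) {
  return src.replace(ESCAPE_RE, (_, hex4, hexBraced) =>
    String.fromCodePoint(parseInt(hex4 || hexBraced, 16)));
}

function identifiersOf(src) {
  return (src.match(IDENT_RE) || []).filter(id => !RESERVED.has(id));
}

const isNonAscii = s => /[^\x00-\x7f]/.test(s);

// Score a script. The thresholds are an assumption for this example, not a published rule.
function scan(src) {
  const code = stripStringsAndComments(src);
  const unicodeEscapes = (code.match(ESCAPE_RE) || []).length;
  const ids = identifiersOf(decodeUnicodeEscapes(code));
  const nonAscii = ids.filter(isNonAscii);
  const distinctNonAscii = new Set(nonAscii).size;
  const ratio = ids.length ? nonAscii.length / ids.length : 0;
  return {
    totalIdentifiers: ids.length,
    nonAsciiIdentifiers: nonAscii.length,
    distinctNonAscii,
    unicodeEscapes,
    flagged: unicodeEscapes > 0 || distinctNonAscii >= 2 || ratio > 0.25,
  };
}

const escapeRegex = s => s.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");

// Rename every non-ASCII identifier to id_N in order of first appearance,
// after decoding escapes, so the logic can be read without the Unicode noise.
function renameObfuscated(src) {
  let out = decodeUnicodeEscapes(src);
  const seen = [];
  for (const id of identifiersOf(decodeUnicodeEscapes(stripStringsAndComments(src)))) {
    if (isNonAscii(id) && !seen.includes(id)) seen.push(id);
  }
  seen.forEach((id, i) => {
    // Lookarounds stand in for \b, which is ASCII-only in JavaScript regexes.
    const re = new RegExp(`(?<![\\p{ID_Continue}$_])${escapeRegex(id)}(?![\\p{ID_Continue}$_])`, "gu");
    out = out.replace(re, `id_${i + 1}`);
  });
  return out;
}

console.log(scan(SAMPLE));      // flagged: true (5 of 13 identifiers non-ASCII, 8 escapes)
console.log(scan(BENIGN));      // flagged: false (non-ASCII only inside a string)
console.log(renameObfuscated(SAMPLE));
```

The scanner is a triage heuristic, not a verdict: a script that trips it deserves a look at where the decoded identifiers point (form fields, `addEventListener` on submit, outbound requests), and the renamed output is the starting point for that review. Running the checked-in copy of a site's first-party scripts through such a scan on every deploy is one cheap way to notice an injected inline script early.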