Connect with us

Hi, what are you looking for?



Chinese Hackers Target North American, APAC Firms in Web Skimmer Campaign

A Chinese threat actor has been observed targeting organizations in multiple industries to deploy web skimmers on online payment pages.

BlackBerry is warning of a widespread campaign targeting online payment businesses with web skimmers for more than a year.

Dubbed Silent Skimmer, the campaign initially focused on organizations in the APAC region, but has been targeting businesses in Canada and the United States as well since October 2022, and appears to be expanding to new areas.

Likely of Chinese origin, the threat actor behind the campaign appears to be experienced and resourceful, adjusting its infrastructure as it expands to new territories, to avoid detection.

The attackers have been observed targeting multiple industries that host or create payment infrastructure, including online businesses and point-of-sales (PoS) providers, exploiting internet-facing applications for initial access, and deploying various tools to escalate privileges, execute code, and gain remote access.

All tools and post-exploitation payloads are hosted on an attacker-controlled HTTP File Server (HFS) deployed on a temporary virtual private server (VPS). The VPS location appears to be chosen based on the victim’s location, BlackBerry explains.

The threat actor exploits a .NET deserialization vulnerability (CVE-2019-18935) in the Progress Telerik UI for ASP.NET AJAX to execute code remotely on targeted servers. The payload attempts to execute code from a remote location, to deploy a remote access tool (RAT) in the form of a PowerShell script.

The RAT allows the attackers to gather system information, download or upload files, search for files, connect to a database, and more.

Advertisement. Scroll to continue reading.

Analysis of the server the RAT connects to revealed a broad range of tools, including downloader scripts, remote access scripts, webshells, exploits, and Cobalt Strike beacons. On the server, BlackBerry also discovered Fast Reverse Proxy (RFP), a tool that allows attackers to expose local servers located behind a NAT.

The purpose of the campaign, however, is to deploy a web skimmer on the payment checkout pages of the targeted victim organizations, to harvest user information such as billing information and credit card details. The data is exfiltrated using Cloudflare.

The threat actor, BlackBerry says, mainly targets regional websites that collect payment data, and the attacks appear opportunistic, rather than industry-specific.

“The threat actor or group behind this campaign remains unknown at the time of writing. However, given that the GitHub repository they used is associated with Chinese-speaking developers, the code In PowerShell RAT is in simplified Chinese language, and the attacker’s [command-and-control server] is located in Asia (specifically Japan), it’s likely the threat actor speaks the Chinese language and lives or operates in Asia,” BlackBerry says.

Related: See Tickets Alerts 300,000 Customers After Another Web Skimmer Attack

Related: Website of Canadian Liquor Distributor LCBO Infected With Web Skimmer

Related: Web Skimmer Injected Into Hundreds of Magento-Powered Stores

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join security experts as they discuss ZTNA’s untapped potential to both reduce cyber risk and empower the business.


Join Microsoft and Finite State for a webinar that will introduce a new strategy for securing the software supply chain.


Expert Insights

Related Content


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.


As it evolves, web3 will contain and increase all the security issues of web2 – and perhaps add a few more.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...


Luxury retailer Neiman Marcus Group informed some customers last week that their online accounts had been breached by hackers.


Zendesk is informing customers about a data breach that started with an SMS phishing campaign targeting the company’s employees.


Satellite TV giant Dish Network confirmed that a recent outage was the result of a cyberattack and admitted that data was stolen.

Artificial Intelligence

The release of OpenAI’s ChatGPT in late 2022 has demonstrated the potential of AI for both good and bad.


A new study by McAfee and the Center for Strategic and International Studies (CSIS) named a staggering figure as the true annual cost of...