RolandSkimmer: Silent Credit Card Thief Uncovered

    Date: 04/03/2025

    Severity: High 

    Summary

    Web-based credit card skimming remains a persistent and evolving threat. FortiGuard Labs uncovered a campaign named "RolandSkimmer" that targets users in Bulgaria through malicious browser extensions for Chrome, Edge, and Firefox. The infection chain begins with a deceptive LNK (Windows shortcut) file that executes obfuscated scripts to establish persistence. Once active, the malware silently harvests payment card data and other sensitive financial information and exfiltrates it to attacker-controlled infrastructure.

    Indicators of Compromise (IOC) List

    Domain/URL:

    invsetmx.com
    fzhivka-001-site1.btempurl.com
    exmkleo.com
    bg3dsec.com
    zzigi20-001-site1.atempurl.com
    topclima-001-site1.itempurl.com
    rinootracebg-001-site1.etempurl.com
    mgproperties-001-site1.itempurl.com
    kleoti-001-site1.htempurl.com

    The *-001-site1.*tempurl.com entries are hostnames assigned by a shared web-hosting provider; match and block the full hostname, not the parent *tempurl.com domain, which is shared with unrelated sites.

    SHA-256 hash:

    80e0aa05ffd973decf9b7f435c5a44574e4c8314c152c7a09e00c821828fe515
    e30eecb53e4b03cfada8791877c3c67e009d25bb4d57f01f9eb7cd1121ac1908
    e0898e5d1f71bb0311ddfdef9697f684da6da701ad36ab8107dcb5d5e438838d
    86fedcd08d32eeff8a4caa9c2d4ae65b6cea89698570e8ce172a4e82c7f296f1
    7086f0ec83dab46aaaecbc459275d7df4e32f50d950047a9235dfccb3da9b9e0
    4a852420ca4a32d9ade0a50b8e24d6fc4886151c44477a62ee961ce880b1f8d2
    cd6180a612852167a2a1b6c456618a3716d040c163a63e50c17236660e4e7e53
    c02d73011204637141fdcc4240b65896b7624508eb116543acfbe3bf7fa29eb4
    5810cbdd316eb37ad49ab277604209deb73306c5254eac39164ae626e5aadf6c

    Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection

    Domain/URL:

    domainname like "invsetmx.com" or url like "invsetmx.com" or siteurl like "invsetmx.com" or
    domainname like "fzhivka-001-site1.btempurl.com" or url like "fzhivka-001-site1.btempurl.com" or siteurl like "fzhivka-001-site1.btempurl.com" or
    domainname like "exmkleo.com" or url like "exmkleo.com" or siteurl like "exmkleo.com" or
    domainname like "bg3dsec.com" or url like "bg3dsec.com" or siteurl like "bg3dsec.com" or
    domainname like "zzigi20-001-site1.atempurl.com" or url like "zzigi20-001-site1.atempurl.com" or siteurl like "zzigi20-001-site1.atempurl.com" or
    domainname like "topclima-001-site1.itempurl.com" or url like "topclima-001-site1.itempurl.com" or siteurl like "topclima-001-site1.itempurl.com" or
    domainname like "rinootracebg-001-site1.etempurl.com" or url like "rinootracebg-001-site1.etempurl.com" or siteurl like "rinootracebg-001-site1.etempurl.com" or
    domainname like "mgproperties-001-site1.itempurl.com" or url like "mgproperties-001-site1.itempurl.com" or siteurl like "mgproperties-001-site1.itempurl.com" or
    domainname like "kleoti-001-site1.htempurl.com" or url like "kleoti-001-site1.htempurl.com" or siteurl like "kleoti-001-site1.htempurl.com"

    Hash:

    sha256hash IN (
        "cd6180a612852167a2a1b6c456618a3716d040c163a63e50c17236660e4e7e53",
        "86fedcd08d32eeff8a4caa9c2d4ae65b6cea89698570e8ce172a4e82c7f296f1",
        "e30eecb53e4b03cfada8791877c3c67e009d25bb4d57f01f9eb7cd1121ac1908",
        "e0898e5d1f71bb0311ddfdef9697f684da6da701ad36ab8107dcb5d5e438838d",
        "80e0aa05ffd973decf9b7f435c5a44574e4c8314c152c7a09e00c821828fe515",
        "5810cbdd316eb37ad49ab277604209deb73306c5254eac39164ae626e5aadf6c",
        "4a852420ca4a32d9ade0a50b8e24d6fc4886151c44477a62ee961ce880b1f8d2",
        "7086f0ec83dab46aaaecbc459275d7df4e32f50d950047a9235dfccb3da9b9e0",
        "c02d73011204637141fdcc4240b65896b7624508eb116543acfbe3bf7fa29eb4"
    )
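    The queries above match the listed strings inside the Gurucul platform. As an added example for this advisory (not code from FortiGuard Labs or Gurucul), the Python script below applies the same indicators outside the SIEM, for example to a proxy log export or an EDR file-hash inventory. It compares whole hostnames rather than substrings, so a look-alike such as bg3dsec.com.example.net is not flagged and a shared *tempurl.com parent domain is not matched on its own, while a subdomain of a listed host is. SHA-256 digests are compared case-insensitively. The proxy-log format, client addresses and the hash inventory are constructed for the demonstration; the page does not say which hash belongs to which artifact.

```python
"""IOC matcher for the RolandSkimmer indicators on this page.

Added example, not Fortinet/FortiGuard Labs or Gurucul code. The proxy-log
format and the hash inventory are constructed for the demonstration.
"""
import hashlib
from pathlib import Path
from typing import Dict, List, Optional, Tuple
from urllib.parse import urlsplit

# Hostnames from the page's IOC list.
IOC_HOSTS = frozenset({
    "invsetmx.com", "fzhivka-001-site1.btempurl.com", "exmkleo.com",
    "bg3dsec.com", "zzigi20-001-site1.atempurl.com",
    "topclima-001-site1.itempurl.com", "rinootracebg-001-site1.etempurl.com",
    "mgproperties-001-site1.itempurl.com", "kleoti-001-site1.htempurl.com",
})

# SHA-256 hashes from the page's IOC list, lowercase hex.
IOC_SHA256 = frozenset({
    "80e0aa05ffd973decf9b7f435c5a44574e4c8314c152c7a09e00c821828fe515",
    "e30eecb53e4b03cfada8791877c3c67e009d25bb4d57f01f9eb7cd1121ac1908",
    "e0898e5d1f71bb0311ddfdef9697f684da6da701ad36ab8107dcb5d5e438838d",
    "86fedcd08d32eeff8a4caa9c2d4ae65b6cea89698570e8ce172a4e82c7f296f1",
    "7086f0ec83dab46aaaecbc459275d7df4e32f50d950047a9235dfccb3da9b9e0",
    "4a852420ca4a32d9ade0a50b8e24d6fc4886151c44477a62ee961ce880b1f8d2",
    "cd6180a612852167a2a1b6c456618a3716d040c163a63e50c17236660e4e7e53",
    "c02d73011204637141fdcc4240b65896b7624508eb116543acfbe3bf7fa29eb4",
    "5810cbdd316eb37ad49ab277604209deb73306c5254eac39164ae626e5aadf6c",
})


def host_of(value: str) -> str:
    """Lowercase hostname of a URL or bare host[:port], without scheme,
    credentials, port, path or trailing dot."""
    v = value.strip().lower()
    if "://" not in v:
        v = "//" + v  # so urlsplit treats a bare host[:port] as the netloc
    return (urlsplit(v).hostname or "").rstrip(".")


def host_matches(value: str) -> Optional[str]:
    """IOC host that `value` equals or is a subdomain of, else None.

    Whole-label comparison (not substring): bg3dsec.com.example.net does not
    match, and a shared *tempurl.com parent domain alone is not flagged, only
    the specific -001-site1 hostnames from the report."""
    h = host_of(value)
    for ioc in IOC_HOSTS:
        if h == ioc or h.endswith("." + ioc):
            return ioc
    return None


def scan_proxy_log(text: str) -> List[Tuple[str, str]]:
    """(client_ip, ioc_host) for each line whose destination matches an IOC.
    Constructed line format: '<time> <client_ip> <method> <url|host[:port]> <status>'."""
    hits = []
    for line in text.splitlines():
        parts = line.split()
        ioc = host_matches(parts[3]) if len(parts) >= 5 else None
        if ioc:
            hits.append((parts[1], ioc))
    return hits


def sha256_of_file(path: Path, chunk: int = 1 << 20) -> str:
    """Stream a file on disk (an extension's .js, a downloaded .lnk) through SHA-256."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def scan_hash_inventory(inventory: Dict[str, str]) -> List[str]:
    """Paths whose SHA-256 (any case, e.g. from an EDR export) is on the IOC list."""
    return [p for p, d in inventory.items() if d.strip().lower() in IOC_SHA256]


# Constructed sample proxy log: an exact IOC host with a port, a benign site, a
# subdomain of an IOC host, a look-alike that must NOT match, a shared-hosting IOC.
SAMPLE_PROXY_LOG = """\
2025-03-04T10:15:01Z 10.0.0.12 CONNECT invsetmx.com:443 200
2025-03-04T10:15:03Z 10.0.0.12 GET https://www.example.com/index.html 200
2025-03-04T10:15:07Z 10.0.0.31 GET https://cdn.exmkleo.com/loader.js 200
2025-03-04T10:15:09Z 10.0.0.31 GET https://bg3dsec.com.example.net/ 200
2025-03-04T10:15:12Z 10.0.0.45 GET http://topclima-001-site1.itempurl.com/x.php 200
"""

# Constructed hash inventory (path -> SHA-256): the first digest is from the IOC
# list (upper-case, as some tools export it); the second is SHA-256 of an empty file.
SAMPLE_HASH_INVENTORY = {
    r"C:\Users\alice\Downloads\sample.lnk":
        "80E0AA05FFD973DECF9B7F435C5A44574E4C8314C152C7A09E00C821828FE515",
    r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Extensions\x\1.0_0\bg.js":
        "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
}

if __name__ == "__main__":
    for client, ioc in scan_proxy_log(SAMPLE_PROXY_LOG):
        print(f"{client} contacted RolandSkimmer infrastructure: {ioc}")
    for path in scan_hash_inventory(SAMPLE_HASH_INVENTORY):
        print(f"IOC hash match: {path}")
```

    Run with no arguments to see the three sample hits and the one hash match. On a real host, feed sha256_of_file the files under the browser profile's Extensions directory or a suspect .lnk and check the digest against IOC_SHA256. Hash indicators are brittle, since any change to the script or shortcut defeats them, so treat the hostname matches as the more durable signal and use the hashes to confirm rather than to hunt.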

    Reference:    

    https://www.fortinet.com/blog/threat-research/rolandskimmer-silent-credit-card-thief-uncovered


    Tags

    Malware, RolandSkimmer, Bulgaria, Financial Services
