Silent Skimmer Gets Loud (Again)

    Date: 11/08/2024

    Severity: Medium

    Summary

     "Silent Skimmer Gets Loud (Again)" discusses the resurgence of the Silent Skimmer threat actor, a financially motivated cybercriminal group. After a quiet period following their September 2023 online payment scraping campaign, the group re-emerged in late May 2024. Researchers from Unit 42 observed the adversary compromising multiple web servers to gain access to a multinational organization's environment. The group is targeting entities involved in payment infrastructure and gateways, using similar tactics, techniques, and procedures (TTPs) as in previous attacks. This renewed activity has reignited concern about the threat, and Unit 42 is tracking it under the identifier CL-CRI-0941.

    Indicators of Compromise (IOC) List

    URL/Domain

    f9e5e09788.ipv6.1433.eu.org

    nigntboxcdn.com

    http://20.222.194.41/SecurityHealthSystray.hta

    http://20.210.230.146/SecurityHealthSystray.hta

    http://13.78.113.103/One.ps1

    http://13.71.153.8/logtest.ps1

    IP Address

    20.222.138.18

    172.86.123.127

    60.204.201.75

    20.37.116.136

    167.88.168.11

    45.61.166.209

    48.218.138.60

    172.86.105.129

    172.86.96.245

    20.188.26.190

    13.78.113.103

    13.78.94.29

    52.253.107.167

    20.89.43.151

    20.222.194.41

    Hash

    0aa0ca465170315d2f02c471d5d96ce5fbd6076f59be83fa5398968e951a5f51
    
    85d67f9f6f82de5a8f5f92fcf9a82bbed2ff6f6d91a06a058a40c5a64882149b
    
    342daa41ba3989d5ecb95c7c19a55c1a00c12b6c2faa2cac052bc910a6edd56f
    
    9b29964d0b3d026aa01713dbdf4361439788c05c8eb8723fc7cfb933245dec45
    
    06710575d20cacd123f83eb82994879367e07f267e821873bf93f4db6312a97b
    
    91a5f92908c561f1d1814d36da613c5b7411bb45554e1b2d19713f1f6d50a10c
    
    1b325d32bc99db4b16e2cc4d4810c195f3643936d7ff5baee43ddd18cae9b2a6
    
    55271d94eb3c95bb6a1965d44bade5ecef5ff610e87133f169e602eb94c39d6b
    
    e3746de8993069f343a7334046a2361318e213e13883513a7c0713a847fd4dc9
    
    b44e6fd83b87d50c8aa8cf62de2578a13c22292fcf298b7664ed828804280dbe
    
    64ae2bf6920311be2521c47678c04299bd24c2caec2df5b340aa212a69760fda
    
    12508b830149c2d84f2c80947e78218128d16a834c8d0695068f3e773ac62ef9
    
    dc53581d4c9140b0f987eb6686d67db6d777f8c89114b062be35b8f2847aa66f
    
    3579bae222eb8d7a7c3c16598cf9e81aecbbfc1a2ac2168430e48acfb02cfb24
    
    5d82f31bc37aa18e5c5110968b1a85aa419c6e2840e17074d2519ed9ad5b914c
    
    5ef5c841f74f9331efb5a43cd16d62fd27eb8293888e872a17c7a57795e37d75
    
    7dadff4d883b32c01bbcb96baf081649dbfadd186b934a7fd3c9754e0ba87ab3
    
    8ae2b420245ebbd983d42bb2d8ceb92f2e7ef40181d8f1cb347797ee7a61b2a1
    
    c0244fafbd5231730fdd0bfef2a972dd074f52ca46dc377494424269add81d2b
    
    c73e3b300ac9eb956a471cefb2282602834b5809c46b7807cfc06f671a5d9f8f
    
    28f0f37fcdee2ac2c022bb454b30f05458075434fa57662af2de22ba5cfb45c1
    
    29a81d3125ab1c886266a03902204253708f8d181c547a88ceb447ef59f99f60
    
    311935e115d678adbe502c8cc4e5396323f3f015ee186df6dc9f67ae0248104b
    
    5acac9846035863b178ff75fb2a8bdcd53e5d496007d032c3fb20e0dc8306fd9
    
    b1d10328d0cbe3413d1ec15888e5772e323798072fda1285f17b61a96bf0e34e
    
    8240d49629a558acc0426dff40c042fa989fb46159bb5971ee3c4211b68a59d0
    
    a2a17e561d50f69e011598fd2e03b0376f6468609a1b2d6be9d458ee5c8b397d
    
    b1da7982199597882a2da8c45114f4cf74fed64447fca8c5f58ced24d7085c77
    
    1c9a9732d600d975b5b44ab326d5cc99123a84d5b400a189902ff6d249a24bda

    Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection

    Detection Query 1

    userdomainname like "f9e5e09788.ipv6.1433.eu.org" or url like "f9e5e09788.ipv6.1433.eu.org" or userdomainname like "nigntboxcdn.com" or url like "nigntboxcdn.com" or userdomainname like "http://20.222.194.41/SecurityHealthSystray.hta" or url like "http://20.222.194.41/SecurityHealthSystray.hta" or userdomainname like "http://20.210.230.146/SecurityHealthSystray.hta" or url like "http://20.210.230.146/SecurityHealthSystray.hta" or userdomainname like "http://13.78.113.103/One.ps1" or url like "http://13.78.113.103/One.ps1" or userdomainname like "http://13.71.153.8/logtest.ps1" or url like "http://13.71.153.8/logtest.ps1" 

    Detection Query 2

    dstipaddress IN ("20.37.116.136","167.88.168.11","45.61.166.209","48.218.138.60","172.86.105.129","172.86.96.245","20.188.26.190","13.78.113.103","13.78.94.29","52.253.107.167","20.89.43.151","20.222.194.41","20.222.138.18","172.86.123.127","60.204.201.75") or ipaddress IN ("20.37.116.136","167.88.168.11","45.61.166.209","48.218.138.60","172.86.105.129","172.86.96.245","20.188.26.190","13.78.113.103","13.78.94.29","52.253.107.167","20.89.43.151","20.222.194.41","20.222.138.18","172.86.123.127","60.204.201.75") or publicipaddress IN ("20.37.116.136","167.88.168.11","45.61.166.209","48.218.138.60","172.86.105.129","172.86.96.245","20.188.26.190","13.78.113.103","13.78.94.29","52.253.107.167","20.89.43.151","20.222.194.41","20.222.138.18","172.86.123.127","60.204.201.75") or srcipaddress IN ("20.37.116.136","167.88.168.11","45.61.166.209","48.218.138.60","172.86.105.129","172.86.96.245","20.188.26.190","13.78.113.103","13.78.94.29","52.253.107.167","20.89.43.151","20.222.194.41","20.222.138.18","172.86.123.127","60.204.201.75")

    Detection Query 3

    sha256hash IN ("0aa0ca465170315d2f02c471d5d96ce5fbd6076f59be83fa5398968e951a5f51","85d67f9f6f82de5a8f5f92fcf9a82bbed2ff6f6d91a06a058a40c5a64882149b","342daa41ba3989d5ecb95c7c19a55c1a00c12b6c2faa2cac052bc910a6edd56f","9b29964d0b3d026aa01713dbdf4361439788c05c8eb8723fc7cfb933245dec45","06710575d20cacd123f83eb82994879367e07f267e821873bf93f4db6312a97b","91a5f92908c561f1d1814d36da613c5b7411bb45554e1b2d19713f1f6d50a10c","1b325d32bc99db4b16e2cc4d4810c195f3643936d7ff5baee43ddd18cae9b2a6","55271d94eb3c95bb6a1965d44bade5ecef5ff610e87133f169e602eb94c39d6b","e3746de8993069f343a7334046a2361318e213e13883513a7c0713a847fd4dc9","b44e6fd83b87d50c8aa8cf62de2578a13c22292fcf298b7664ed828804280dbe","64ae2bf6920311be2521c47678c04299bd24c2caec2df5b340aa212a69760fda","12508b830149c2d84f2c80947e78218128d16a834c8d0695068f3e773ac62ef9","dc53581d4c9140b0f987eb6686d67db6d777f8c89114b062be35b8f2847aa66f","3579bae222eb8d7a7c3c16598cf9e81aecbbfc1a2ac2168430e48acfb02cfb24","5d82f31bc37aa18e5c5110968b1a85aa419c6e2840e17074d2519ed9ad5b914c","5ef5c841f74f9331efb5a43cd16d62fd27eb8293888e872a17c7a57795e37d75","7dadff4d883b32c01bbcb96baf081649dbfadd186b934a7fd3c9754e0ba87ab3","8ae2b420245ebbd983d42bb2d8ceb92f2e7ef40181d8f1cb347797ee7a61b2a1","c0244fafbd5231730fdd0bfef2a972dd074f52ca46dc377494424269add81d2b","c73e3b300ac9eb956a471cefb2282602834b5809c46b7807cfc06f671a5d9f8f","28f0f37fcdee2ac2c022bb454b30f05458075434fa57662af2de22ba5cfb45c1","29a81d3125ab1c886266a03902204253708f8d181c547a88ceb447ef59f99f60","311935e115d678adbe502c8cc4e5396323f3f015ee186df6dc9f67ae0248104b","5acac9846035863b178ff75fb2a8bdcd53e5d496007d032c3fb20e0dc8306fd9","b1d10328d0cbe3413d1ec15888e5772e323798072fda1285f17b61a96bf0e34e","8240d49629a558acc0426dff40c042fa989fb46159bb5971ee3c4211b68a59d0","a2a17e561d50f69e011598fd2e03b0376f6468609a1b2d6be9d458ee5c8b397d","b1da7982199597882a2da8c45114f4cf74fed64447fca8c5f58ced24d7085c77","1c9a9732d600d975b5b44ab326d5cc99123a84d5b400a189902ff6d249a24bda")
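The three TDIR queries above are vendor-specific, so the following added example (written for this page, not Gurucul's or Unit 42's code) re-implements their logic in plain Python and runs it over constructed log records, so the matching semantics can be checked against telemetry from any source. The IOC values are the advisory's own; the record field names follow the queries (userdomainname, url, dstipaddress, ipaddress, publicipaddress, srcipaddress, sha256hash), the log records themselves are invented, and the SHA-256 set is deliberately only the first three hashes from the list above (the remainder can be pasted in). The query's `like` operator is treated as a case-insensitive substring match and `IN` as an exact match after canonicalising IPs, which also catches IPv4-mapped IPv6 forms and mixed-case hashes that an exact string `IN` would miss.

```python
# Added example, not from the advisory: stand-alone Python equivalent of
# Detection Queries 1-3, run over constructed (non-real) log records.
from __future__ import annotations
import ipaddress
from typing import Optional

# URL/Domain IOCs from the advisory. "like" is modelled as a
# case-insensitive substring test, which is what the vendor query relies on.
URL_DOMAIN_IOCS = (
    "f9e5e09788.ipv6.1433.eu.org",
    "nigntboxcdn.com",
    "http://20.222.194.41/SecurityHealthSystray.hta",
    "http://20.210.230.146/SecurityHealthSystray.hta",
    "http://13.78.113.103/One.ps1",
    "http://13.71.153.8/logtest.ps1",
)
URL_FIELDS = ("userdomainname", "url")

# IP IOCs from the advisory; IN() is an exact match, hence a set.
IP_IOCS = frozenset({
    "20.222.138.18", "172.86.123.127", "60.204.201.75", "20.37.116.136",
    "167.88.168.11", "45.61.166.209", "48.218.138.60", "172.86.105.129",
    "172.86.96.245", "20.188.26.190", "13.78.113.103", "13.78.94.29",
    "52.253.107.167", "20.89.43.151", "20.222.194.41",
})
IP_FIELDS = ("dstipaddress", "ipaddress", "publicipaddress", "srcipaddress")

# Only the first three SHA-256 IOCs from the advisory; extend from the Hash list.
SHA256_IOCS = frozenset({
    "0aa0ca465170315d2f02c471d5d96ce5fbd6076f59be83fa5398968e951a5f51",
    "85d67f9f6f82de5a8f5f92fcf9a82bbed2ff6f6d91a06a058a40c5a64882149b",
    "342daa41ba3989d5ecb95c7c19a55c1a00c12b6c2faa2cac052bc910a6edd56f",
})


def normalise_ip(value: str) -> Optional[str]:
    """Canonical IP string, or None if the field does not hold an IP.
    IPv4-mapped IPv6 (e.g. ::ffff:13.78.113.103) collapses to the IPv4 form
    so it still matches the IPv4 IOC set."""
    try:
        addr = ipaddress.ip_address(value.strip())
    except ValueError:
        return None
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    return str(addr)


def match_record(record: dict) -> list[tuple[str, str, str]]:
    """Evaluate all three queries on one record.
    Returns (query, field, ioc) tuples; an empty list means no hit."""
    hits: list[tuple[str, str, str]] = []
    # Detection Query 1: userdomainname/url LIKE any URL or domain IOC.
    for field in URL_FIELDS:
        value = str(record.get(field, "")).lower()
        for ioc in URL_DOMAIN_IOCS:
            if ioc.lower() in value:
                hits.append(("Detection Query 1", field, ioc))
    # Detection Query 2: any IP field IN the IP IOC set (after canonicalising).
    for field in IP_FIELDS:
        raw = record.get(field)
        if raw is None:
            continue
        ip = normalise_ip(str(raw))
        if ip in IP_IOCS:
            hits.append(("Detection Query 2", field, ip))
    # Detection Query 3: sha256hash IN the hash set, case-insensitive.
    digest = str(record.get("sha256hash", "")).strip().lower()
    if digest in SHA256_IOCS:
        hits.append(("Detection Query 3", "sha256hash", digest))
    return hits


def scan(records: list[dict]) -> list[tuple[int, str, str, str]]:
    """Run match_record over a batch; prefixes each hit with the record index."""
    return [(i, *hit) for i, rec in enumerate(records) for hit in match_record(rec)]


# Constructed sample records (invented for this example, not real telemetry).
SAMPLE_RECORDS = [
    {"srcipaddress": "10.0.0.5", "dstipaddress": "20.222.194.41",
     "url": "http://20.222.194.41/SecurityHealthSystray.hta"},          # Q1 + Q2
    {"userdomainname": "cdn.nigntboxcdn.com",
     "ipaddress": "::ffff:13.78.113.103"},                               # Q1 + Q2
    {"sha256hash": "0AA0CA465170315D2F02C471D5D96CE5FBD6076F59BE83FA5398968E951A5F51"},  # Q3
    {"srcipaddress": "192.168.1.10", "dstipaddress": "203.0.113.7",
     "url": "https://example.com/",
     "sha256hash": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"},  # clean
]

if __name__ == "__main__":
    for index, query, field, ioc in scan(SAMPLE_RECORDS):
        print(f"record {index}: {query} on {field} -> {ioc}")
```

Running it prints five hits across the first three records and nothing for the fourth. The canonicalisation step is the part worth carrying into a real pipeline: both the IPv4-mapped address in record 1 and the upper-case digest in record 2 would slip past a literal `IN (...)` comparison in a SIEM that does not normalise the field before matching.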

    Reference:

    https://unit42.paloaltonetworks.com/silent-skimmer-latest-campaign/


    Tags: Malware, Silent Skimmer
