RolandSkimmer: New Wave of Credit Card Skimming Attacks


Web-based credit card skimming remains a persistent and evolving threat, and FortiGuard Labs has recently uncovered a sophisticated campaign dubbed “RolandSkimmer” that highlights this danger. Named after the unique string “Rol@and4You” embedded in its payload, this campaign targets users in Bulgaria with a new wave of attacks leveraging malicious browser extensions across Chrome, Edge, and Firefox.

The attack begins with a malicious ZIP file, such as “faktura_3716804.zip.” Once extracted, this ZIP file presents users with a seemingly harmless shortcut file, typically named “faktura_1065170.lnk”. However, this shortcut hides a malicious command that covertly executes obfuscated scripts, establishing persistent and covert access to the user’s system.

The malicious LNK file initiates a chain of events, ultimately leading to the deployment of a malicious browser extension.

  1. Initial Execution: The LNK file executes a hidden command that uses MSHTA.exe to run a VBScript.
  2. Payload Delivery: This VBScript retrieves an obfuscated VBScript payload from a remote server.
  3. Command and Control: The retrieved script establishes a continuous connection loop, polling the attacker’s server for commands.
  4. Malicious Script Execution: Once commands are received, the script decodes hexadecimal data and executes the corresponding malicious actions.

A critical component of the RolandSkimmer campaign is the use of malicious browser extensions. These extensions are designed to harvest and exfiltrate sensitive financial data, often without the user’s knowledge.

  • Deceptive Disguise: The Edge extension, for example, is disguised as “Disable Content Security Policy,” misleading users with a seemingly benign name.
  • Extensive Permissions: These extensions request broad permissions, granting them significant control over the user’s browser activity and data.

The malicious extensions employed in the RolandSkimmer campaign possess a range of capabilities that enable them to effectively steal sensitive information:

  • User Tracking: The extensions generate unique identifiers to track users across browsing sessions.
  • Payload Retrieval: They retrieve encrypted payloads from local storage or remote servers.
  • Code Injection: They inject malicious JavaScript code into web pages.
  • Data Monitoring: They monitor user interactions, focusing on form submissions and credit card data.
  • Data Exfiltration: They exfiltrate captured data to a command-and-control (C2) server.

To maintain a persistent presence on infected systems, the attackers employ sophisticated techniques, particularly with the Edge browser. This involves copying the legitimate Edge executable, loading the malicious extension, and replacing legitimate Edge shortcuts with malicious ones.
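The chain described above (an LNK opened from Explorer spawning MSHTA.exe with VBScript, then Edge run from a copied executable that loads the extension) leaves a recognisable trail in process-creation telemetry. The following detection routine is an added example, not code from FortiGuard Labs; the Sysmon-style key="value" log layout, the sample events, the Edge install-path list and the use of the Chromium --load-extension switch by this campaign are all assumptions.

```python
import ntpath
import re

# Constructed process-creation events in an assumed Sysmon-style key="value"
# layout; these are sample lines, not telemetry from the campaign.
SAMPLE_LOG = r"""
Image="C:\Windows\System32\mshta.exe" ParentImage="C:\Windows\explorer.exe" CommandLine="mshta.exe vbscript:<obfuscated script>"
Image="C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" ParentImage="C:\Windows\explorer.exe" CommandLine="msedge.exe"
Image="C:\Users\alice\AppData\Roaming\edge\msedge.exe" ParentImage="C:\Windows\explorer.exe" CommandLine="msedge.exe --load-extension=C:\Users\alice\AppData\Roaming\ext"
Image="C:\Windows\System32\notepad.exe" ParentImage="C:\Windows\explorer.exe" CommandLine="notepad.exe faktura.txt"
"""

FIELD_RE = re.compile(r'(\w+)="([^"]*)"')

# Where a genuine Edge install lives (assumed list); an msedge.exe running
# from anywhere else matches the copied executable the report describes.
EDGE_INSTALL_PREFIXES = (
    r"c:\program files (x86)\microsoft\edge\application",
    r"c:\program files\microsoft\edge\application",
)

def parse_event(line: str) -> dict:
    """Split one key="value" log line into a dict of fields."""
    return dict(FIELD_RE.findall(line))

def detect(event: dict) -> list:
    """Return the names of the RolandSkimmer-related rules this event matches."""
    image = event.get("Image", "").lower()
    parent = ntpath.basename(event.get("ParentImage", "").lower())
    cmdline = event.get("CommandLine", "").lower()
    exe = ntpath.basename(image)
    hits = []
    # Step 1 of the chain: a shortcut opened from Explorer spawns mshta.exe
    # running inline VBScript (LNK files launch under explorer.exe).
    if exe == "mshta.exe" and parent == "explorer.exe" and "vbscript" in cmdline:
        hits.append("lnk_mshta_vbscript")
    if exe == "msedge.exe":
        # Persistence: Edge started from a copied binary outside its install dir.
        if not image.startswith(EDGE_INSTALL_PREFIXES):
            hits.append("edge_outside_install_dir")
        # Edge asked to side-load an unpacked extension. --load-extension is a
        # real Chromium switch; its use by this campaign is an assumption here.
        if "--load-extension" in cmdline:
            hits.append("edge_load_extension")
    return hits

def scan(log_text: str) -> list:
    """Return (1-based line number, matched rules) for every suspicious event."""
    results = []
    for n, line in enumerate(log_text.strip().splitlines(), start=1):
        hits = detect(parse_event(line))
        if hits:
            results.append((n, hits))
    return results
```

Running scan(SAMPLE_LOG) flags line 1 (the LNK-to-MSHTA step) and line 3 (the relocated Edge binary loading an extension) while leaving the genuine Edge launch and notepad alone.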

The RolandSkimmer campaign demonstrates the effectiveness of using malicious browser extensions for long-term access and data theft. As FortiGuard Labs emphasizes, “RolandSkimmer underscores the growing sophistication of LNK-based threats,” highlighting how attackers exploit legitimate system tools and scripting capabilities. To defend against such threats, users are advised to “avoid opening unknown LNK files” and organizations should “restrict or monitor the use of unverified browser extensions” and “implement security tools capable of detecting unusual script activity”.
