RolandSkimmer: A Sophisticated Browser Extension Attack Targeting Financial Data


In a world where online threats are constantly evolving, a new campaign has emerged that combines stealth with a very practical goal. Dubbed RolandSkimmer, it abuses browser extensions to steal financial data from unsuspecting users. Discovered by FortiGuard Labs, the attack is designed to operate under the radar, targeting Chrome, Edge, and Firefox on Microsoft Windows systems.

What makes RolandSkimmer particularly dangerous is its use of legitimate Windows components (shortcut files, mshta.exe) and ordinary browser configuration, combined with malicious scripting and side-loaded extensions, to maintain persistence and avoid detection. This article breaks down how the attack unfolds, what indicators to look out for, and what steps users and organizations can take to protect themselves.

RolandSkimmer Attack Summary

  1. Initial Vector: The attack begins with a malicious ZIP file (faktura_3716804.zip) that contains a shortcut (faktura_1065170.lnk) posing as an invoice ("faktura" is the word for invoice in several Central and Eastern European languages). Opening the shortcut launches Windows' mshta.exe, which fetches and runs a remote VBScript payload.

  2. Malware Deployment: The script contacts a command-and-control (C2) server and downloads further stages whose filenames mimic image files or documents (the VBScript itself is served as n.jpg).

  3. System Reconnaissance: The malware collects hardware specs, OS version, and browser configuration. This data is used to tailor the next stage and to detect sandboxed or virtual environments.

  4. Malicious Browser Extensions:

  • Edge: Deploys a fake extension called "Disable Content Security Policy". The name suggests a developer convenience for bypassing web security features; its real job is stealing data.
  • Chrome/Firefox: Drops XOR-encoded extension files that mimic legitimate extensions such as Tampermonkey. Once loaded, the extension monitors page activity, captures credit card data, and exfiltrates it to attacker-controlled domains.

  5. Extension Configuration: The unpacked extensions consist of manifest.json, background.js, and background2.js, dropped in obscure directories. The manifest requests broad permissions, which is what lets the extension read page content across browsing sessions.

  6. Persistence Mechanism:

  • For Edge: The malware creates replacement browser shortcuts whose target carries an extension-loading argument (--load-extension="%LOCALAPPDATA%\s2ch97"), so the unpacked extension is side-loaded every time the browser starts; the legitimate shortcuts are hidden from view.
  • For Firefox: It stages a preconfigured user profile from RAR archives (as1.rar to as6.rar) so that the malicious configuration is loaded automatically.

  7. Indicators of Compromise (IoCs):

  • Malicious Files: `faktura_3716804.zip`, `faktura_1065170.lnk`
  • VBScript Payload URL: `hxxp://invsetmx[.]com/n.jpg`
  • XOR-encoded Extension Host: `fzhivka-001-site1[.]btempurl[.]com`
  • C2 Servers: `invsetmx[.]com`, `exmkleo[.]com`
  • Data Exfiltration URL Format: `hxxps://bg3dsec[.]com/?S=-&D=&N=`

  8. Threat Implications: The malware's stealth, its reliance on trusted system tools, and its ability to masquerade as legitimate browser components make it hard to detect with file-based scanning alone. It can persist for long periods, silently collecting and sending data.

  9. Recommendations:

  • Avoid opening ZIP files or shortcuts from unknown senders, especially "invoices" you were not expecting.
  • Refrain from installing unverified browser extensions, and periodically review the extensions list for entries you did not add.
  • Use security software that monitors script execution (mshta.exe, wscript.exe) and changes to browser shortcuts and profiles.
  • Organizations should enforce strict browser extension policies (allow-lists via Chrome/Edge enterprise policy) and monitor for extension side-loading flags.
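The shortcut hijack in step 6 and the manifest permissions in step 5 both leave artifacts a defender can hunt for. The script below is an added PowerShell example written for this article; it is not code from FortiGuard Labs or from the original post. It assumes a Windows host running Chromium-based Chrome or Edge (where `--load-extension` side-loads an unpacked extension directory), checks the usual per-user and all-users shortcut locations, and then reads the manifest of any directory a flagged shortcut points at. The directory name `s2ch97` comes from the post; any other directory found behind that flag is equally suspect. The flag list and the `-profile` check for Firefox are my own generic choices, not details from the report.

```powershell
# Added hunting script (not part of the FortiGuard report or the original post).
# Run as the affected user; all paths inspected live in that user's profile.
$suspiciousFlags = @(
    '--load-extension',            # Chromium: side-load an unpacked extension dir
    '--disable-extensions-except', # Chromium: keep only the listed extension enabled
    '--disable-web-security',      # Chromium: turns off same-origin checks
    '-profile'                     # Firefox: start with an arbitrary profile directory (assumption: generic indicator)
)

# Where a user-facing browser shortcut normally lives.
$shortcutRoots = @(
    [Environment]::GetFolderPath('Desktop'),
    [Environment]::GetFolderPath('Programs'),          # per-user Start Menu\Programs
    [Environment]::GetFolderPath('CommonPrograms'),    # all-users Start Menu\Programs
    (Join-Path $env:APPDATA 'Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar')
)

$shell = New-Object -ComObject WScript.Shell

function Get-SuspiciousBrowserShortcut {
    foreach ($root in $shortcutRoots) {
        if (-not (Test-Path $root)) { continue }
        Get-ChildItem -Path $root -Filter *.lnk -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
            $lnk = $shell.CreateShortcut($_.FullName)   # loads the existing .lnk, does not modify it
            $target = $lnk.TargetPath
            $argString = $lnk.Arguments
            # Only shortcuts whose target is a browser binary are interesting.
            if ($target -notmatch '(?i)(chrome|msedge|firefox)\.exe$') { return }
            $hit = $suspiciousFlags | Where-Object { $argString -match [regex]::Escape($_) }
            if ($hit) {
                [pscustomobject]@{
                    Shortcut  = $_.FullName
                    Target    = $target
                    Arguments = $argString
                    Flags     = ($hit -join ', ')
                }
            }
        }
    }
}

function Get-LoadedExtensionManifest {
    param([string]$Arguments)
    # --load-extension takes a comma-separated list of directories, quoted if they contain spaces.
    if ($Arguments -notmatch '--load-extension=(?:"([^"]+)"|(\S+))') { return }
    $dirList = if ($Matches[1]) { $Matches[1] } else { $Matches[2] }
    foreach ($dir in ($dirList -split ',')) {
        $expanded = [Environment]::ExpandEnvironmentVariables($dir)   # %LOCALAPPDATA%\s2ch97 -> real path
        $manifestPath = Join-Path $expanded 'manifest.json'
        if (-not (Test-Path $manifestPath)) {
            [pscustomobject]@{ Directory = $expanded; Manifest = 'missing'; Name = $null; Permissions = $null }
            continue
        }
        $m = Get-Content -Raw -Path $manifestPath | ConvertFrom-Json
        # Broad host permissions plus webRequest/tabs are what make form and card skimming possible.
        $perms = @($m.permissions) + @($m.host_permissions) | Where-Object { $_ }
        [pscustomobject]@{
            Directory   = $expanded
            Manifest    = $manifestPath
            Name        = $m.name
            Permissions = ($perms -join ', ')
        }
    }
}

$findings = Get-SuspiciousBrowserShortcut
if (-not $findings) { 'No browser shortcut carries an extension-loading or profile flag.' }
foreach ($f in $findings) {
    $f | Format-List
    Get-LoadedExtensionManifest -Arguments $f.Arguments | Format-List
}
```

A shortcut whose target is a browser but whose arguments include `--load-extension` is not something a normal installer writes, so any hit deserves a look regardless of the directory name. Pinned taskbar shortcuts are the ones most users actually click, which is why the Quick Launch path is included; if your environment pins browsers elsewhere, add that path to `$shortcutRoots`.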

What Undercode Say: A Deeper Dive Into the RolandSkimmer Threat

RolandSkimmer isn't just another malware strain; it shows how far attackers have moved toward working directly at the browser level, the very layer where financial transactions happen. Here's our analysis of what makes this campaign technically and strategically notable:

  • Weaponization of Trust: By posing as a familiar extension such as Tampermonkey, RolandSkimmer borrows the trust users already place in that tool. A familiar name in the extensions list is far less likely to be questioned or removed.

  • Environment Checks: The malware fingerprints its host (hardware, OS, browser) and can stop if it appears to be running in a sandbox or VM. Sandbox evasion is standard in commodity crimeware today rather than a nation-state hallmark, but it still means an automated analysis run may see nothing malicious.

  • Deep Browser Integration: A manifest.json plus background scripts is how every extension is built; what matters is the permissions the manifest requests. With broad host and request permissions, a background script can read form entries, observe or modify network requests, and send data out with no visible UI.

  • Adaptive Distribution: Instead of dropping one large payload, RolandSkimmer pulls modules on demand from the C2, so the operator can change what is delivered mid-campaign. The downloads are disguised as images or documents by filename (the VBScript stage is served as n.jpg); this is masquerading rather than true steganography, and content inspection will still see script, not image data.

  • Silent Persistence: Hijacking the browser's shortcut rather than dropping a new binary leaves no new .exe or .dll for antivirus to scan. The only artifact is a modified .lnk file, which few users ever inspect.

  • Enterprise Risk: For businesses, the danger is higher still. If a single user runs the lure, corporate credentials, client payment details, and sensitive web sessions on that machine may be exposed.

  • Obfuscation and Encoding: XOR-encoded extension files defeat naive signature matching and string searches on disk. XOR is trivial as cryptography, but combined with multi-stage scripts and remotely loaded payloads it forces an analyst to reassemble the whole chain before the real code is visible.

  • Cross-Browser Reach: Unlike many strains that target a single browser, RolandSkimmer hits Chrome, Edge, and Firefox, which substantially widens the pool of potential victims.

  • Deceptive Names: "Disable Content Security Policy" matches a category of real developer-debugging extensions, so it looks plausible in an extensions list. Ironically, CSP is a protection; an extension that disables it would be harmful even if it were genuine.

  • Infrastructure Flexibility: RolandSkimmer's use of multiple C2 domains and update servers gives it a dynamic infrastructure that can survive takedowns.

  • User-Level Persistence: Everything lives under the user profile (%LOCALAPPDATA%, Desktop shortcuts, the browser profile), so no admin rights are needed. That makes the attack viable even on locked-down workstations where the user cannot install software.

  • Automation-Driven Infection: Using a .lnk file and mshta.exe means the whole chain runs with minimal user interaction. A single double-click on the "invoice" is enough.

  • Behavioral Cloning: The fake extensions not only look like legitimate ones but behave similarly in their initial phases, reducing suspicion.

  • Data Harvesting Scope: The report documents credit card theft, but an extension with the same page access could equally capture other form fields, including autofilled passwords, and could read the clipboard if its manifest requests that permission.

  • Targeting: The lure filename ("faktura") points at a particular language region, but nothing in the technique is region-specific; the same kit could be re-aimed at any audience with a different lure.

  • Threat Longevity: The modular structure of RolandSkimmer suggests it could be reused or updated for future campaigns. It's more than a one-off; it's a framework for financial cybercrime.
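The XOR encoding discussed above is cheap to undo when the key is a single byte. The following is an added PowerShell example written for this article, not code from FortiGuard Labs or from the original post. It encodes a constructed manifest.json with a chosen key and then recovers that key by brute force, scoring each of the 256 candidates on how printable the output is and on whether a known-plaintext string appears. The key 0x5A, the sample manifest text, and the known plaintext `manifest_version` are assumptions for the demo; on a real sample you would read the bytes from disk and, for a background script, use a string like `chrome.` as the known plaintext.

```powershell
# Added example (not part of the FortiGuard report or the original post).
# Single-byte XOR: encoding and decoding are the same operation.
function ConvertTo-XorBytes {
    param([byte[]]$Bytes, [byte]$Key)
    $out = New-Object byte[] $Bytes.Length
    for ($i = 0; $i -lt $Bytes.Length; $i++) { $out[$i] = $Bytes[$i] -bxor $Key }
    return ,$out    # leading comma keeps the byte[] intact instead of unrolling it
}

function Find-XorKey {
    param([byte[]]$Bytes, [string]$KnownPlaintext = 'manifest_version')
    $best = $null
    foreach ($key in 0..255) {
        $candidate = ConvertTo-XorBytes -Bytes $Bytes -Key ([byte]$key)
        $text = [System.Text.Encoding]::ASCII.GetString($candidate)
        # Statistical score: fraction of output bytes that are printable ASCII or whitespace.
        $printable = @($candidate | Where-Object { ($_ -ge 0x20 -and $_ -le 0x7e) -or $_ -in 9,10,13 }).Count
        $score = $printable / $Bytes.Length
        # A known-plaintext hit outweighs any statistical score.
        $hasKnown = $text.Contains($KnownPlaintext)
        if ($hasKnown) { $score += 1 }
        if (-not $best -or $score -gt $best.Score) {
            $best = [pscustomobject]@{ Key = $key; Score = $score; KnownPlaintext = $hasKnown }
        }
    }
    return $best
}

# Constructed sample (assumption): a minimal manifest posing as Tampermonkey, encoded with key 0x5A.
# A real sample would be loaded with [System.IO.File]::ReadAllBytes($path).
$plain   = '{"manifest_version":3,"name":"Tampermonkey","permissions":["tabs","webRequest","<all_urls>"]}'
$encoded = ConvertTo-XorBytes -Bytes ([System.Text.Encoding]::ASCII.GetBytes($plain)) -Key 0x5A

$result  = Find-XorKey -Bytes $encoded
'Recovered key: 0x{0:X2} (known plaintext found: {1})' -f $result.Key, $result.KnownPlaintext
$decoded = ConvertTo-XorBytes -Bytes $encoded -Key ([byte]$result.Key)
[System.Text.Encoding]::ASCII.GetString($decoded)
```

If the file was never encoded, key 0x00 wins and the output is the original. A multi-byte repeating key needs a different approach (recover each key position separately using the same scoring on every n-th byte), which is outside what the report describes.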

Fact Checker Results

  1. FortiGuard Labs officially documented RolandSkimmer and published IoCs.
  2. The abuse of browser extensions to deliver malicious code is a growing, real-world threat.
  3. The campaign uses well-documented techniques (mshta.exe, .lnk lures, and malicious extensions) that have been observed in earlier high-profile attacks.

Stay alert, think before clicking, and scrutinize every extension. The new age of cyber threats is already here—and it’s living in your browser.

References:

Reported By: https://cyberpress.org/browser-extensions-abused-in-new-credit-card-skimming-attack/