In May 2024, researchers observed an attack by the Silent Skimmer threat actor, targeting a multinational organization’s payment infrastructure. This attack exploited known vulnerabilities in Telerik UI to gain unauthorized access and deploy various malicious tools, including web shells, reverse proxies, and reverse shells. Silent Skimmer primarily targeted payment gateways and databases to extract sensitive financial data.
Silent Skimmer gained initial access by exploiting two older, known Telerik UI vulnerabilities (CVE-2017-11317 and CVE-2019-18935), enabling remote code execution and file upload on targeted servers. Upon gaining access, the attacker executed several reconnaissance commands (e.g., whoami, ipconfig, netstat), allowing them to map the system environment and escalate privileges. They installed web shells and reverse shells in strategic directories to maintain persistence and used tools like Fuso and FRP to expose servers behind firewalls to the internet.
To avoid detection, the attackers leveraged a mix of PowerShell commands, Base64-encoded payloads, and .NET binaries with embedded native C++ code. This method bypassed standard analysis tools and embedded malicious code within legitimate binaries, requiring advanced reverse engineering efforts to detect. Additionally, the attacker used the RingQ loader to download and load encrypted payloads from remote servers. The final stage involved a compiled Python script with hard-coded credentials that connected to a database, extracting payment information and saving it to a CSV file for exfiltration.
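Two of the behaviours described above are cheap to hunt for in process-creation telemetry: a web application worker process spawning the reconnaissance commands (whoami, ipconfig, netstat) in quick succession, and a PowerShell launch carrying a Base64-encoded command. The script below is an added example written for this summary, not code from the researchers or from the incident. It assumes a constructed pipe-delimited record format (timestamp|parent image|image|command line), assumes w3wp.exe as the web worker parent (the IIS worker process that would host an ASP.NET application using Telerik UI; the write-up does not name the web server), and uses constructed sample events rather than data from the actual intrusion.

```python
"""Detection sketch for the recon chain and encoded-PowerShell behaviour described above.
Added example with constructed process-creation records; not data from the actual incident."""
import base64
import re
from dataclasses import dataclass
from datetime import datetime, timedelta

RECON_BINARIES = {"whoami.exe", "ipconfig.exe", "netstat.exe"}   # tools named in the write-up
WEB_WORKER_PARENTS = {"w3wp.exe"}   # assumption: IIS worker process hosting the ASP.NET app
RECON_WINDOW = timedelta(minutes=5)
RECON_MIN_DISTINCT = 2


@dataclass
class ProcEvent:
    ts: datetime
    parent: str
    image: str
    cmdline: str


def parse_event(line: str) -> ProcEvent:
    """Constructed record format: ISO timestamp|parent image|image|command line."""
    ts, parent, image, cmdline = line.rstrip("\n").split("|", 3)
    return ProcEvent(datetime.fromisoformat(ts), parent.lower(), image.lower(), cmdline)


# -e / -ec / -enc / -EncodedCommand followed by a Base64 token (PowerShell accepts these prefixes)
ENCODED_RE = re.compile(r"(?i)(?:^|\s)-(?:encodedcommand|enc|ec|e)\s+([A-Za-z0-9+/=]+)")


def decode_encoded_powershell(cmdline: str):
    """Return the decoded script if the command line carries an encoded command, else None.
    PowerShell expects the Base64 to wrap UTF-16LE text, so that is what is decoded here."""
    m = ENCODED_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def find_recon_chains(events):
    """Flag a web worker that launches >= RECON_MIN_DISTINCT distinct recon tools within RECON_WINDOW."""
    findings = []
    by_parent = {}
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.parent in WEB_WORKER_PARENTS and ev.image in RECON_BINARIES:
            by_parent.setdefault(ev.parent, []).append(ev)
    for parent, evs in by_parent.items():
        for i, first in enumerate(evs):
            in_window = [e for e in evs[i:] if e.ts - first.ts <= RECON_WINDOW]
            tools = sorted({e.image for e in in_window})
            if len(tools) >= RECON_MIN_DISTINCT:
                findings.append({"parent": parent, "start": first.ts, "tools": tools})
                break   # one finding per parent is enough to open a ticket
    return findings


def find_encoded_powershell(events):
    """Return (event, decoded script) for every PowerShell launch carrying an encoded command."""
    hits = []
    for ev in events:
        if ev.image in {"powershell.exe", "pwsh.exe"}:
            decoded = decode_encoded_powershell(ev.cmdline)
            if decoded is not None:
                hits.append((ev, decoded))
    return hits


def analyze(lines):
    """Parse raw records and run both detections; returns a dict of findings."""
    events = [parse_event(l) for l in lines if l.strip()]
    return {"recon_chains": find_recon_chains(events),
            "encoded_powershell": find_encoded_powershell(events)}


# Constructed sample: a web worker running the three recon commands, then an encoded PowerShell launch.
SAMPLE_ENCODED = base64.b64encode("whoami".encode("utf-16-le")).decode()
SAMPLE_LOG = [
    "2024-05-01T10:00:00|w3wp.exe|cmd.exe|cmd.exe /c dir",
    "2024-05-01T10:00:05|w3wp.exe|whoami.exe|whoami",
    "2024-05-01T10:00:09|w3wp.exe|ipconfig.exe|ipconfig /all",
    "2024-05-01T10:00:15|w3wp.exe|netstat.exe|netstat -ano",
    "2024-05-01T10:01:00|w3wp.exe|powershell.exe|powershell.exe -nop -w hidden -enc " + SAMPLE_ENCODED,
    "2024-05-01T11:30:00|explorer.exe|ipconfig.exe|ipconfig",   # admin at the console: not a web worker
]

if __name__ == "__main__":
    for name, result in analyze(SAMPLE_LOG).items():
        print(name, result)
```

The recon rule keys on the parent process rather than on the commands alone, because whoami and ipconfig are routine from an interactive shell but have no business being children of a web server worker. Decoding the encoded command up front lets a triage analyst see the script body in the alert instead of an opaque Base64 blob; any decode failure is treated as "not an encoded command" rather than as an error so a malformed token cannot crash the pipeline.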