Baka Skimmer Description
The card giant Visa, and in particular its Payment Fraud Disruption (PFD) team, issued a security alert about a new strain of digital skimming malware they called 'Baka'. They detected the malware while investigating a Command-and-Control (C2) server in connection with a different malware – the ImageID skimmer variant. Visa's PFD discovered seven servers that were hosting the Baka Skimmer.
The Baka Skimmer possesses all the functions expected of an e-commerce skimming malware such as data exfiltration through image requests and configurable target form fields. What distinguishes the Baka Skimmer from the rest of similar malware threats is its anti-detection techniques. The skimmer is loaded dynamically to avoid static malware scanners while also setting unique encryption parameters for each infected victim. In fact, the actual skimming code is decrypted and executed in memory entirely without ever being present on either the customer's computer or the targeted merchant's server.
Once the Baka Skimmer is executed, it performs five different functions on the infected target. First, it must decrypt the list that tells the malware which fields to collect data from. The malware scans the selected fields every 100 milliseconds and checks if any data has been collected using the same interval of time. Every 3 seconds, Baka Skimmer performs a check to determine if it should exfiltrate the data to the exfiltration gateway by decrypting the URL using the merchant's domain's name as a key. Upon successful exfiltration of the collected information, the Baka Skimmer proceeds to the final step of its programming - to erase any traces it might have left by removing the entire skimming code from memory.