Blackmoon banking trojan returns with new framework

Michael Nadeau

Since last year, Fidelis Cybersecurity Threat Response has observed two man-in-the-browser attacks on South Korean financial institutions that used the Blackmoon banking trojan. An earlier attack last July stole the credentials of more than 150,000 Korean users.

The July and later attacks had the same goal: stealing login information from users of financial services websites. The attacks also targeted a range of websites where people manage money, including banks, wealth management firms and retirement investment services. Blackmoon, also known as KRBanker or Banbra, captures users’ account names and passwords as they type them in, the so-called man-in-the-browser attack.

What’s different about the later attacks is the way in which Blackmoon was delivered. This version used what Fidelis has named the Blackmoon Downloader Framework. That framework uses three separate downloader pieces that work together to deliver the Blackmoon payload to systems in targeted geographies, in this case users’ devices and financial institutions in South Korea. Those institutions include Samsung Pay, Citibank Korea, Hana Financial Group and KB Financial Group. The Blackmoon Downloader Framework delivers malware in a variety of ways, including via adware campaigns and exploit kits.

(A full list of known targets and more technical details of the attack are available in Fidelis’s report.)

[Figure: Blackmoon Downloader Framework sequence. Credit: Fidelis Cybersecurity]

Although Blackmoon targets users, financial institutions will feel the effects. “Targeted services and their users should be on guard since successful theft through such malware could significantly impact the confidence users place in affected financial services companies,” says Hardik Modi, vice president, threat, at Fidelis.

South Korea being the target has led some to suggest that North Korea instigated the Blackmoon attack, but that may not be the case. “South Korea is a market with advanced internet usage, making it a natural target for a banking trojan,” says Modi. “In terms of the culprit, it’s not uncommon for multiple threat actors to be using a common framework that they have each acquired. While we cannot rule out North Korea for having involvement in this campaign, it is likely that the attacks involve common cybercrime actors.”

Modi adds that similar attacks have occurred in the U.S., Italy, Germany and New Zealand. “It would not surprise me if the targeting is changed and the trojan is used in other regions. We see it all the time,” he says. Modi adds that this latest Blackmoon delivery method and other similar tools may be available for purchase on the dark web.

Key findings from the Fidelis report include:

  • The “unique and involved” tri-stage Blackmoon Downloader Framework splits its capabilities across separate, but closely related, components.
  • The framework is tightly coupled and designed to operate in sequence to serve multiple objectives, including evasion and geo-location targeting. The multistage downloader is presumably another tactic to avoid detection, since functionality is distributed among the three separate but related components.
  • The framework itself is configured to deliver the malware only to systems where the default language is set to Korean.
