Fidelis Cybersecurity describes the new way Blackmoon was delivered to South Korean financial institutions and offers advice for preventing future attacks. Credit: Thinkstock Since last year, Fidelis Cybersecurity Threat Response observed two man-in-the-browser attacks on South Korean financial institutions that used the Blackmoon banking trojan. An earlier attack last July stole credentials of more than 150,000 Korean users.The July and later attacks had the same goal: stealing login information from financial services website users. The attacks also targeted services from a range of websites where people can manage money including banks, wealth management firms and retirement investment services. Blackmoon, also known as KRBanker or Banbra, captures users’ account name and password when they type them in—the so-called man-in-the-browser attack.What’s different about the latter attacks is the way in which Blackmoon was delivered. This version used what Fidelis has named the Blackmoon Downloader Framework. That framework uses three separate downloader pieces that seem to work together to deliver the Blackmoon payload to systems in targeted geographies—in this case, users’ devices and financial institutions in South Korea. Those institutions include Samsung Pay, Citibank Korea, Hana Financial Group and KB Financial Group. The Blackmoon Downloader Framework delivers malware in a variety of ways, including via adware campaigns and exploit kits.(A full list of known targets and more technical details of the attack are available in Fidelis’s report.) Fidelis Cybersecurity Blackmoon Downloader Framework sequenceAlthough Blackmoon targets users, financial institutions will feel the effects. “Targeted services and their users should be on guard since successful theft through such malware could significantly impact the confidence users place in affected financial services companies,” says Hardik Modi, vice president, threat, at Fidelis.[Related: –>Windows Trojan hacks into embedded devices to install Mirai] South Korea being the target has led some to suggest that North Korea instigated the Blackmoon attack, but that may not be the case. “South Korea is a market with advanced internet usage, making it a natural target for a banking trojan,” says Modi. “In terms of the culprit, it’s not uncommon for multiple threat actors to be using a common framework that they have each acquired. While we cannot rule out North Korea for having involvement in this campaign, it is likely that the attacks involve common cybercrime actors.”Modi adds that similar attacks have occurred in the U.S., Italy, Germany and New Zealand. “It would not surprise me if the targeting is changed and the trojan is used in other regions. We see it all the time,” he says. Modi adds that this latest Blackmoon delivery method and other similar tools may be available for purchase on the dark web.Key findings from the Fidelis report include:The “unique and involved” tri-stage Blackmoon Downloader Framework provides multiple capabilities to be deployed in separate, but closely related, components.The framework is tightly coupled and designed to operate in sequence to facilitate multiple objectives, including evasion as well as geo-location targeting. The multistage downloader is another tactic used presumably to avoid detection, as functionality is distributed among the three separate but related components.The framework itself is configured to deliver the malware only to systems where the default language is set to Korean. Blackmoon prevention Blackmoon has two sets of victims, says Modi: the financial institutions and the users of their services. The financial institutions are in the best position to prevent damage to themselves and their customers from a targeted attack like Blackmoon.“The best protection for themselves and their users is for financial institutions to use multi-factor authentication,” says Modi. Attackers count on websites requiring only a username and password, he adds. Making multi-factor authentication the primary line of defense adds layers to crack and will encourage most attackers to move on to easier targets.[Related: –>Open-source developers targeted in sophisticated malware attack] Modi advises consumers of financial services, who might be individuals or businesses, to use providers that have multi-factor authentication in place. He also says that organizations should secure all devices that employees use to access services. “There is more opportunity at the enterprise level to provide better endpoint security,” he says. “Have the financial procedures in place to ensure that not one person or one computer are compromised in a way that can result in theft.” Related content news Google Chrome zero-day jumps onto CISA's known vulnerability list A serious security flaw in Google Chrome, which was discovered under active exploitation in the wild, is a new addition to the Cybersecurity and Infrastructure Agency’s Known Exploited vulnerabilities catalog. By Jon Gold Oct 03, 2023 3 mins Zero-day vulnerability brandpost The advantages and risks of large language models in the cloud Understanding the pros and cons of LLMs in the cloud is a step closer to optimized efficiency—but be mindful of security concerns along the way. By Daniel Prizmant, Senior Principal Researcher at Palo Alto Networks Oct 03, 2023 5 mins Cloud Security news Arm patches bugs in Mali GPUs that affect Android phones and Chromebooks The vulnerability with active exploitations allows local non-privileged users to access freed-up memory for staging new attacks. By Shweta Sharma Oct 03, 2023 3 mins Android Security Vulnerabilities news UK businesses face tightening cybersecurity budgets as incidents spike More than a quarter of UK organisations think their cybersecurity budget is inadequate to protect them from growing threats. By Michael Hill Oct 03, 2023 3 mins CSO and CISO Risk Management Podcasts Videos Resources Events SUBSCRIBE TO OUR NEWSLETTER From our editors straight to your inbox Get started by entering your email address below. Please enter a valid email address Subscribe