• United States



Senior Editor

Blackmoon banking trojan returns with new framework

May 17, 20174 mins
IT SkillsSecurity

Fidelis Cybersecurity describes the new way Blackmoon was delivered to South Korean financial institutions and offers advice for preventing future attacks.

trojan horse virus
Credit: Thinkstock

Since last year, Fidelis Cybersecurity Threat Response observed two man-in-the-browser attacks on South Korean financial institutions that used the Blackmoon banking trojan. An earlier attack last July stole credentials of more than 150,000 Korean users.

The July and later attacks had the same goal: stealing login information from financial services website users. The attacks also targeted services from a range of websites where people can manage money including banks, wealth management firms and retirement investment services. Blackmoon, also known as KRBanker or Banbra, captures users’ account name and password when they type them in—the so-called man-in-the-browser attack.

What’s different about the latter attacks is the way in which Blackmoon was delivered. This version used what Fidelis has named the Blackmoon Downloader Framework. That framework uses three separate downloader pieces that seem to work together to deliver the Blackmoon payload to systems in targeted geographies—in this case, users’ devices and financial institutions in South Korea. Those institutions include Samsung Pay, Citibank Korea, Hana Financial Group and KB Financial Group. The Blackmoon Downloader Framework delivers malware in a variety of ways, including via adware campaigns and exploit kits.

(A full list of known targets and more technical details of the attack are available in Fidelis’s report.)

blackmoon sequence graphic Fidelis Cybersecurity

Blackmoon Downloader Framework sequence

Although Blackmoon targets users, financial institutions will feel the effects. “Targeted services and their users should be on guard since successful theft through such malware could significantly impact the confidence users place in affected financial services companies,” says Hardik Modi, vice president, threat, at Fidelis.

[Related: –>Windows Trojan hacks into embedded devices to install Mirai]

South Korea being the target has led some to suggest that North Korea instigated the Blackmoon attack, but that may not be the case. “South Korea is a market with advanced internet usage, making it a natural target for a banking trojan,” says Modi. “In terms of the culprit, it’s not uncommon for multiple threat actors to be using a common framework that they have each acquired. While we cannot rule out North Korea for having involvement in this campaign, it is likely that the attacks involve common cybercrime actors.”

Modi adds that similar attacks have occurred in the U.S., Italy, Germany and New Zealand. “It would not surprise me if the targeting is changed and the trojan is used in other regions. We see it all the time,” he says. Modi adds that this latest Blackmoon delivery method and other similar tools may be available for purchase on the dark web.

Key findings from the Fidelis report include:

  • The “unique and involved” tri-stage Blackmoon Downloader Framework provides multiple capabilities to be deployed in separate, but closely related, components.
  • The framework is tightly coupled and designed to operate in sequence to facilitate multiple objectives, including evasion as well as geo-location targeting. The multistage downloader is another tactic used presumably to avoid detection, as functionality is distributed among the three separate but related components.
  • The framework itself is configured to deliver the malware only to systems where the default language is set to Korean. 

Blackmoon prevention 

Blackmoon has two sets of victims, says Modi: the financial institutions and the users of their services. The financial institutions are in the best position to prevent damage to themselves and their customers from a targeted attack like Blackmoon.

“The best protection for themselves and their users is for financial institutions to use multi-factor authentication,” says Modi. Attackers count on websites requiring only a username and password, he adds. Making multi-factor authentication the primary line of defense adds layers to crack and will encourage most attackers to move on to easier targets.

[Related: –>Open-source developers targeted in sophisticated malware attack]

Modi advises consumers of financial services, who might be individuals or businesses, to use providers that have multi-factor authentication in place. He also says that organizations should secure all devices that employees use to access services. “There is more opportunity at the enterprise level to provide better endpoint security,” he says. “Have the financial procedures in place to ensure that not one person or one computer are compromised in a way that can result in theft.”