BlackMoon Banking Trojan Compromises Over 100K South Korea Banking Accounts

A relatively new banking Trojan horse, called BlackMoon, is on the scene to overtake online banking account login credentials. BlackMoon was identified by the security firm Fortinet, calling it W32/Banra. Through their research, they found that BlackMoon has a campaign that consists of its command and control servers and several compromised computers that form a botnet to overtake South Korean banking credentials. So far, BlackMoon is suspected of compromising over 100,000 South Korean banking account credentials.

BlackMoon was first identified running a scheming campaign back in 2014. Just this year, during April of 2016, just over 60,000 victims were attacked to uncover their banking details. Most of the victims were located in South Korea making BlackMoon a threat that targeted specifically in that region.

The authors of BlackMoon use configuration files that explicitly target about 61 South Korean financial institutions. With that in mind, it appears that the BlackMoon attackers are set on targeting banks that are only located in South Korea where it the Trojan sniffs out targets' Internet traffic in the region to pinpoint its next attack. Computer users targeted by BlackMoon are usually redirected to a phishing site that looks to be a banking page where login credentials are stolen. Such a common method has long been used for obtaining banking logins or other online account credentials.

The researchers at Fortinet suspect that a Chinese cyber gang runs BlackMoon and its banking credentials theft campaign. In coming to that conclusion, Fortinet was able to examine the exposed command and control (C&C) server that BlackMoon communicates with and receives its instructions. Among the thousands of victim IP addresses and just over 2,700 samples of BlackMoon found, researchers concluded that there 314 C&C servers hosted on 26 different hosting companies. Among those hosting companies, they were found to be in the US, China, and Hong Kong. Other giveaway clues as to the perpetrators behind BlackMoon being a Chinese cyber gang is that within its code there are several comments made in the Chinese language.

Currently, BlackMoon is steadily increasing its number of victims. Harvesting a plethora of banking credentials through its phishing site portal has afforded BlackMoon to collect a good amount of information on its targets. Through verification of some victims, Fortinet was able to know with a certainty that BlackMoon has so far been able to infect tens of thousands of users successfully at a minimum. Though, the exact number is not known as all 100,000 or so victims cannot be identified through the limited number unique victim IP and MAC addresses collected.

South Korean users are urged to be on the lookout for phishing pages that attempt to mimic banking login pages. The nature of the cybercrooks who spawn phishing sites to look like legitimate banking sites are very crafty and could make away with many more login credentials by leveraging BlackMoon and its capabilities. Moreover, we could see BlackMoon break out of South Korea and target online banking users in other regions of the world. We suspect that it's only a matter of time.