By GoldSparrow in Trojans

Threat Scorecard

Ranking: 7,732
Threat Level: 80 % (High)
Infected Computers: 44
First Seen: July 22, 2016
Last Seen: September 18, 2023
OS(es) Affected: Windows

The BlackMoon is a banking Trojan that has infected more than 160,000 devices in South Korea. PC security analysts suspect that the con artists responsible for the latest BlackMoon campaign may be Chinese in origin. The BlackMoon may have been responsible for the theft of more than 100,000 banking credentials. This threat is also detected as Banbra or W32/Banbra. This BlackMoon attack was first detected in April of 2016, through the identification of an open access directory that was part of a the BlackMoon Command and Control server. This directory contained personal information about the BlackMoon's victims. The results were astounding: 110,130 victims around that world, 108.850 in South Korea, were detailed in this report. It is likely that the number is quite higher since this Command and Control server was unlikely to be the only one.

The BlackMoon campaign did not end in April of 2016. PC security analysts have continued to observe the compromised BlackMoon Command and Control server to learn more about how the attacks are carried out. Since May of 2016, the BlackMoon has claimed an additional 62,659 victims, 61,255 in South Korea, through that Command and Control server alone. The BlackMoon is designed to target South Korean banks in particular. The BlackMoon's configuration files show that it can be adapted to target 61 different South Korean banks.

The BlackMoon Modus Operandi and Its Possible Origins

BlackMoon was first observed in 2014. This banking Trojan uses proxy auto-config files (PAC) to take over the victim's Internet traffic and search for addresses matching a list of bank URLs in its configuration files. Whenever the BlackMoon detects that the victim is going to visit a banking website, the BlackMoon redirects the victim to a phishing website instead of taking them to their real online banking page. The victim, believing to be on their bank's website, will enter their password and login information, essentially handing over their personal data in the process. It is likely that the recent the BlackMoon attacks are being perpetrated by a con artist group in China. The designation of the Command and Control server files and source code comments were all written in Chinese. This BlackMoon attack, in particular, is proving to be quite extensive, targeting tens of thousands of computer users. Attention needs to be brought to this sustained threat campaign against South Korean users as a way to protect end users and make them aware of the possible risks of using online banking without proper security safeguards.

Details of the Most Recent BlackMoon Attacks

The BlackMoon attack is not particularly original, typical of most of these banking Trojan attacks. However, the BlackMoon's distribution and delivery strategies continue to evolve, making it especially threatening in this latest attack. The BlackMoon may be delivered as an executable file downloaded from an infected website. This executable will extract a DLL which runs in the background and monitors the victim's online activity. Sometimes the BlackMoon can be recognized easily because it will cause the affected computer to display cryptic pop-up messages. The message (usually written in Korean) that appears when computer users try to log into their banking website says:

'Financial Supervisory Service is conducting an authentication process did you install the security certificate for this PC?

※ Certificate must verify the security and privacy of information leakage incidents in the auction using Internet banking Guests prevent financial fraud, please see below.

※ You cannot access the Internet Banking more safely receive the security certification process.

※ Please click the bank name that you use to proceed to the secure authentication procedures.'

Assessing these links leads computer users to fake banking websites that contain bogus content that was misappropriated from legitimate online banking pages. Computer users can best protect their machines by installing a reliable security program that is fully up-to-date and activating all security safeguards, such as a two-step authentication, on their online banking accounts.


Most Viewed