Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


02:55 PM
Connect Directly

Blackmoon Banking Trojan Goes Modular

Threat actors have begun using a new and unique framework to deliver malware to web users in South Korea, Fidelis says.

A new cyberattack campaign targeting users in South Korea with the Blackmoon banking Trojan is the latest example of the constantly evolving tactics employed by threat actors to evade anti-malware tools.

Fidelis Cybersecurity over the last few months has observed cybercriminals using what it described as a "unique and interesting" framework to deliver Blackmoon, the company said this week. The tightly coupled framework uses three separate downloader pieces that appear to work together to install the malware.

The first module consists of a very small downloader that in some instances can be less than 5KB in size, Fidelis said in a blog this week. The function of the downloader is to make a request to a hardcoded URL and to download and execute the response data. The two other modules contain similar instructions for downloading and executing other components of the malware, separately but in a tightly coupled sequence.

The goal in decomposing the malware and distributing its functionality across multiple components appears to be twofold, says Hardik Modi, vice president of threat research at Fidelis.

"The intent behind the multi-stage downloader is clearly to evade detection," Modi says. "Also, making it modular like this means you can change or improve one component, without impacting the rest, " he says.

For instance, the design makes it easy for the malware authors to switch the targeting of the malware from Korean language users to any other language.

Blackmoon is a banking Trojan that security researchers first reported seeing back in 2014. Like other banking malware, Blackmoon is designed to steal the username and passwords that people use when logging into their online banking account and other financial accounts such as retirement savings accounts. The malware is typically distributed via an exploit kit or through malicious websites and online advertisements.

For the moment at least, the Blackmoon attack campaign is focused purely on stealing Web credentials from users of more than 40 financial services websites in South Korea. Among those being targeted are users of Samsung Pay, Standard Chartered Korea, Citibank Korea, Hana Financial Group, and KB Financial Group.

Security researchers at Fidelis believe that the specific version of Blackmoon that is being distributed via the new framework was used to steal online banking credentials from at least 150,000 people in South Korea last July. "The banking Trojan in itself isn't particularly exceptional, but the multi-stage framework created for its delivery reflects a degree of investment and innovation that we typically don’t see in these campaigns," the researchers wrote.

Just because the malware so far is only targeting victims in South Korea shouldn't lull other regions into believing they are safe, Modi says. The malware's design makes it trivially easy for the authors to alter its geo-targeting and point at users in other countries as well.

"While our observation is that this campaign is very targeted at South Korean online services, this is simply reflecting the choice of the adversary in this specific instance," he says. "It would require very little instrumentation to adapt the framework and malware to operate against US businesses and consumers," Modi says.

Regional campaigns such as this operate all the time and are significant because there is no telling when they will be broadened. Even if the specific components in Blackmoon are not directly used against US targets, success in South Korea would likely mean that these tactics will be adopted in future campaigns in other geographies, he says.

Related Content:



Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ... View Full Bio

Recommended Reading:

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
Ransomware Is Not the Problem
Adam Shostack, Consultant, Entrepreneur, Technologist, Game Designer,  6/9/2021
How Can I Test the Security of My Home-Office Employees' Routers?
John Bock, Senior Research Scientist,  6/7/2021
New Ransomware Group Claiming Connection to REvil Gang Surfaces
Jai Vijayan, Contributing Writer,  6/10/2021
Register for Dark Reading Newsletters
White Papers
Cartoon Contest
Write a Caption, Win an Amazon Gift Card! Click Here
Latest Comment: Zero Trust doesn't have to break your budget!
Current Issue
The State of Cybersecurity Incident Response
In this report learn how enterprises are building their incident response teams and processes, how they research potential compromises, how they respond to new breaches, and what tools and processes they use to remediate problems and improve their cyber defenses for the future.
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2021-06-17
All versions of package lutils are vulnerable to Prototype Pollution via the main (merge) function.
PUBLISHED: 2021-06-17
Wagtail is an open source content management system built on Django. A cross-site scripting vulnerability exists in versions 2.13-2.13.1, versions 2.12-2.12.4, and versions prior to 2.11.8. When the `{% include_block %}` template tag is used to output the value of a plain-text StreamField block (`Ch...
PUBLISHED: 2021-06-17
Elemin allows remote attackers to upload and execute arbitrary PHP code via the Themify framework (before 1.2.2) wp-content/themes/elemin/themify/themify-ajax.php file.
PUBLISHED: 2021-06-17
An authenticated Stored XSS (Cross-site Scripting) exists in the "captive.cgi" Captive Portal via the "Title of Login Page" text box or "TITLE" parameter in IPFire 2.21 (x86_64) - Core Update 130. It allows an authenticated WebGUI user with privileges for the affected p...
PUBLISHED: 2021-06-17
In Fiyo CMS, the 'tag' parameter results in an unauthenticated XSS attack.