
Blackmoon Malware

Report a cyber attack: call 0300 303 5222 or email [email protected]

This content has been archived

This article no longer conforms to NHS Digital's standards for cyber alerts and may contain outdated or inaccurate information. Use of the information contained in this page is at your own risk.

Summary

Blackmoon, also known as Banbra and KRBanker is a banking trojan which has recently started to gain traction in the wider threat landscape.

Affected platforms

The following platforms are known to be affected:

Threat details

The malware has been seen distributed through a new delivery framework designed to evade detection and to target users by geographical location.

Blackmoon was first identified in September 2012 and has received several updates since its creation. The latest update allows the attacker to choose a geo-location to target.

With the introduction of the new framework, delivery of the malware takes three stages. The malware arrives by spam email with an attachment containing the initial downloader.

When the initial downloader is executed, it issues an HTTP GET request to a hard-coded URL. The response contains the second-stage Bytecode Downloader, which the first stage then executes. Once that download completes, the Bytecode Downloader decodes the retrieved data to obtain the URL for the final stage, from which a file with a .jpg extension is downloaded.

The third stage runs the downloaded .jpg file, which despite its extension is not an image but further executable code, and checks the system's default language. If the language indicates a system in a country that is not currently targeted, the malware simply stops.

If the language check passes, the Blackmoon banking trojan binary is downloaded, written to the TEMP folder, executed, and then deleted from disk.
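Two points in the delivery chain above are worth turning into detection logic: the final-stage payload is served with a .jpg extension but is executed, and the remediation guidance below asks for network and proxy logs to be monitored. The example that follows is added here and is not code from the original alert or from any Blackmoon analysis. It assumes a simple, constructed proxy log format (timestamp, client, method, URL, status, content type, size) and flags image URLs served with an executable content type; it also checks a file on disk for the MZ/PE signature under an image extension, which is the stronger signal because a malicious server can simply lie about the content type. The sample log lines and byte strings are constructed for the example.

```python
import re
import struct
from urllib.parse import urlparse

# Constructed sample proxy log (not from the original page). Assumed format:
# "<timestamp> <client> <method> <url> <status> <content-type> <bytes>"
SAMPLE_PROXY_LOG = """\
2020-02-17T09:12:01Z 10.0.0.15 GET http://example.invalid/cdn/banner.jpg 200 image/jpeg 48213
2020-02-17T09:12:04Z 10.0.0.15 GET http://example.invalid/cdn/photo1.jpg 200 application/octet-stream 231424
2020-02-17T09:12:09Z 10.0.0.23 GET http://example.invalid/update/pkg.bin 200 application/octet-stream 9001
2020-02-17T09:12:11Z 10.0.0.15 GET http://example.invalid/cdn/photo2.jpg 200 image/jpeg 1200
"""

IMAGE_EXT = (".jpg", ".jpeg", ".png", ".gif")
# Content types a proxy commonly records for Windows executables (assumed list).
EXECUTABLE_TYPES = {
    "application/octet-stream",
    "application/x-msdownload",
    "application/x-dosexec",
    "application/exe",
}

LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>\S+) (?P<url>\S+) "
    r"(?P<status>\d{3}) (?P<ctype>\S+) (?P<size>\d+)$"
)


def parse_proxy_log(text):
    """Parse the constructed log format into a list of dicts, skipping malformed lines."""
    records = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if m:
            records.append(m.groupdict())
    return records


def suspicious_image_downloads(text):
    """Return (client, url) pairs where an image-extension URL was served as an executable."""
    hits = []
    for rec in parse_proxy_log(text):
        path = urlparse(rec["url"]).path.lower()
        if (rec["status"] == "200"
                and path.endswith(IMAGE_EXT)
                and rec["ctype"].lower() in EXECUTABLE_TYPES):
            hits.append((rec["client"], rec["url"]))
    return hits


def is_pe_image(data: bytes) -> bool:
    """True if data starts with a DOS 'MZ' header whose e_lfanew points at a 'PE\\0\\0' signature."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 4 > len(data):
        return False
    return data[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def extension_content_mismatch(filename: str, data: bytes) -> bool:
    """True when a file named as an image actually carries a Windows PE header."""
    return filename.lower().endswith(IMAGE_EXT) and is_pe_image(data)


# Constructed byte strings for the on-disk check (a header stub, not a real program).
FAKE_PE = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40) + b"PE\0\0" + b"\0" * 16
REAL_JPEG = b"\xff\xd8\xff\xe0" + b"\0" * 20

if __name__ == "__main__":
    for client, url in suspicious_image_downloads(SAMPLE_PROXY_LOG):
        print(f"proxy: {client} fetched executable content disguised as image: {url}")
    for name, blob in (("photo1.jpg", FAKE_PE), ("photo2.jpg", REAL_JPEG)):
        print(f"disk: {name} mismatch={extension_content_mismatch(name, blob)}")
```

The proxy heuristic only catches servers that report an executable content type; a server that labels the payload image/jpeg will pass it, so the on-disk signature check (or the same check applied to captured response bodies) is the one to rely on. Both checks are generic to executable content masquerading as images rather than specific to Blackmoon, and neither requires the hard-coded URLs, which the alert does not publish.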

If an affected user visits one of the bank websites Blackmoon targets, the browser shows the genuine URL in the address bar, so the page appears legitimate. The content displayed, however, is an attacker-controlled copy of the site used to harvest credentials and other personal information. On an infected machine a correct address bar is therefore not evidence that the session is safe.

Targeted websites:

  • kbstar.com
  • www.kbstar.com
  • www.samsungcard.com
  • samsungcard.com
  • omoney.kbstar.com
  • nonghyup.com
  • www.nonghyup.com
  • banking.nonghyup.com
  • shinhan.com
  • www.shinhan.com
  • banking.shinhan.com
  • ibk.co.kr
  • www.ibk.co.kr
  • mybank.ibk.kr
  • wooribank.com
  • www.wooribank.com
  • keb.co.kr
  • www.keb.co.kr
  • ebank.keb.co.kr
  • hanabank.com
  • www.hanabank.com
  • kfcc.co.kr
  • ibs.kfcc.co.kr
  • epostbank.go.kr
  • www.epostbank.go.kr
  • citibank.co.kr
  • www.citibank.co.kr
  • standardchartered.co.kr
  • www.standardchartered.co.kr
  • www.naver.com
  • naver.com
  • www.gmarket.co.kr
  • gmarket.co.kr
  • nate.com
  • www.nate.com
  • daum.net
  • www.daum.net
  • hanmail.net
  • www.hanmail.net
  • 11st.co.kr
  • www.11st.co.kr
  • auction.co.kr
  • www.auction.co.kr

Remediation steps

  • Monitor network and proxy logs for indications of compromise.
  • Make sure that malware definitions are kept up-to-date.
  • Never open email attachments or links in emails received from untrusted sources.
  • Make sure that cyber-awareness training is kept up-to-date.

Last edited: 17 February 2020 11:27 am