Blackmoon Banking Trojan Overview

June 2, 2017 | Adeline Zhang


The Blackmoon Bank Trojan that was originally identified in 2016 has since re-surfaced. Recently, more than 150,000 bank accounts were compromised in South Korea and the Blackmoon Trojan has been identified as the culprit. A new 2017 version has hit the financial industry and employs a new framework model primarily targeting the online banking industry.

Deployment of Blackmoon consists of three separate but interconnected steps to successfully launch the malware. This new framework is completely different from the 2016 version that relied on adware and exploit kits.

Palo Alto Networks Unit 42 analyzed compromised assets residing in Korean banks and named the exploit “KRBanker” or “Blackmoon”. Blackmoon’s attack differs from the traditional MITB model: it mainly takes the form of “pharming”, redirecting the user to a forged website. The attacker then illegally obtains the user’s data through an impersonation page where the user provides personal account information. When a user visits a bank’s website, the Trojan checks whether the site is an attack target. If it is, the user is redirected to a forged site; if not, the user is directed to the normal site. The preceding list identifies a few of the recognized websites.


Propagation Method

Previous Method

The Blackmoon samples discovered in 2016 were spread through adware and exploit kit (EK) models. Adobe Flash vulnerabilities may be exploited and used to install Blackmoon’s EK, called KaiXin, which facilitates the spread and installation of Trojans. Another infection route is an adware program called NEWSPOT. After the user has installed the program, the Blackmoon Trojan is downloaded onto the user’s machine through the program’s update channel, where it runs and starts the attack.

Current Method

From late 2016 to early 2017, researchers discovered a unique three-stage framework dedicated to the deployment of the Blackmoon Bank Trojan. The framework completes the propagation of the Blackmoon Trojan by deploying, in order, components that have different but related functions. Fidelis calls this process the Blackmoon Downloader framework, which includes the Initial Downloader, the Bytecode Downloader, and the KRDownloader.

The framework is closely linked and designed to run sequentially to promote multiple goals such as evasion and geolocation positioning. The multi-level downloader is specifically designed to avoid detection because functions are distributed between these separate but related components.

Sample Analysis

The BlackMoon virus file is downloaded through a new framework to the specified target machine. We have downloaded and installed the malware to introduce its attack process and function capabilities.

Stage 1: Mini Downloader

Once the ‘Mini-Downloader’ is installed, there is no evidence of the exploit on the machine, only a large amount of garbage code that interferes with analysis. Other samples modify only the serial number when downloading; the URL does not change. The series therefore downloads the file named file/ad_##/cod## (## is the specified serial number).

Stage 2: Bytecode Downloader

The sample in this phase is still a downloader, but it is not a complete PE file. The bytecode uses XOR to decrypt the download URL and then connects to it. It downloads the specified file, named /ad_##/test##.jpg, where the number is the same as the number in the initial phase. Several tools exist to generate this set of attack vectors.

Stage 3: Downloader Disguised as a Picture

The file downloaded in the second phase carries a .JPG suffix. Before the file is executed, the value of its fourth byte is used as the key for an XOR operation over the entire file, which decrypts it into a valid PE file.
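The decoding step described above, written as a static triage check (an added example, not code from the original analysis or from the malware). The function names and the stub input are constructed for illustration; it also assumes the usual MZ header, whose fourth byte is 0x00, which is why the fourth byte of the encoded file equals the XOR key.

```python
import struct

JPEG_SOI = b"\xff\xd8\xff"  # start-of-image marker of a genuine JPEG

def decode_fourth_byte_xor(blob: bytes) -> bytes:
    """XOR every byte of the file with the value of its fourth byte (offset 3)."""
    if len(blob) < 4:
        raise ValueError("need at least 4 bytes to read the key")
    key = blob[3]
    return bytes(b ^ key for b in blob)

def looks_like_pe(data: bytes) -> bool:
    """Check the MZ magic, then follow e_lfanew (offset 0x3C) to 'PE\\0\\0'."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    return data[e_lfanew:e_lfanew + 4] == b"PE\0\0"

def triage(blob: bytes):
    """Classify a '.jpg' download without executing it: (verdict, key)."""
    if blob.startswith(JPEG_SOI):
        return ("jpeg", None)
    if looks_like_pe(blob):
        return ("plain-pe", None)
    if len(blob) >= 4 and looks_like_pe(decode_fourth_byte_xor(blob)):
        return ("xor-encoded-pe", blob[3])
    return ("unknown", None)

def constructed_pe_stub() -> bytes:
    """Constructed input: only the header fields looks_like_pe() inspects."""
    hdr = bytearray(0x44)
    hdr[0:4] = b"MZ\x90\x00"                 # fourth byte of a typical MZ header is 0x00
    struct.pack_into("<I", hdr, 0x3C, 0x40)  # e_lfanew points at offset 0x40
    hdr[0x40:0x44] = b"PE\0\0"
    return bytes(hdr)

if __name__ == "__main__":
    stub = constructed_pe_stub()
    encoded = bytes(b ^ 0x5A for b in stub)  # constructed sample, key 0x5A
    print(triage(encoded))
    print(triage(JPEG_SOI + b"\xe0" + bytes(64)))
```

A file that is named .jpg but classifies as `xor-encoded-pe` is worth quarantining and passing to analysis; the decoded bytes can be written out for static inspection.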

The sample also gets the native MAC address and the code page identifier, builds the URI string, and then decrypts it to send to the C2 address. After the download, the exe file, with random overwrite data attached, is written to the %TEMP% directory as a *.tmp.exe file. The sample then deletes itself before that program is executed.

Next, the sample calls the GetOEMCP() function on the infected machine to get the code page identifier and uses embedded VBScript to get the MAC address. It then registers the infected computer with the C2 server by sending the following HTTP GET request:

The sample uses automatic proxy configuration (PAC), which is a legitimate function for Windows and network administrators. You can define the appropriate proxy address for each URL by writing JavaScript.

The sample uses this feature to implement domain name redirection and to query the local proxy server, and it creates the following registry key:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\AutoConfigURL =[random]/[random]
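One way to audit for this persistence point, as an added example that is not part of the original analysis: it parses text in the layout printed by `reg query` and reports every AutoConfigURL whose host is not on an approved list. The allowlist, SIDs and URLs are constructed placeholders, and treating a loopback host as the strongest signal is an assumption based on the "local proxy server" described above.

```python
import re
from urllib.parse import urlparse

# Hypothetical allowlist: hosts your organisation really serves PAC files from.
APPROVED_PAC_HOSTS = {"pac.corp.example"}
LOOPBACK = {"127.0.0.1", "localhost", "::1"}
VALUE_LINE = re.compile(r"^\s+AutoConfigURL\s+REG_SZ\s+(\S.*?)\s*$", re.IGNORECASE)

# Constructed sample in the layout printed by `reg query` (SIDs and URLs are made up).
SAMPLE = "\n".join([
    r"HKEY_USERS\S-1-5-21-1111-1001\Software\Microsoft\Windows\CurrentVersion\Internet Settings",
    r"    ProxyEnable    REG_DWORD    0x0",
    r"    AutoConfigURL    REG_SZ    http://pac.corp.example/proxy.pac",
    "",
    r"HKEY_USERS\S-1-5-21-1111-1002\Software\Microsoft\Windows\CurrentVersion\Internet Settings",
    r"    AutoConfigURL    REG_SZ    http://127.0.0.1:1171/k3x9q",
])

def find_pac_urls(reg_output: str):
    """Yield (registry key, AutoConfigURL value) pairs from reg query text."""
    current_key = None
    for line in reg_output.splitlines():
        if line.startswith("HKEY_"):
            current_key = line.strip()
            continue
        match = VALUE_LINE.match(line)
        if match and current_key:
            yield current_key, match.group(1)

def audit_pac(reg_output: str, approved=APPROVED_PAC_HOSTS):
    """Return a finding for every PAC URL whose host is not approved."""
    findings = []
    for key, url in find_pac_urls(reg_output):
        # A value without a scheme has no parseable host and is reported too.
        host = (urlparse(url).hostname or "").lower()
        if host in approved:
            continue
        reason = "loopback PAC server" if host in LOOPBACK else "host not on allowlist"
        findings.append({"key": key, "url": url, "reason": reason})
    return findings

if __name__ == "__main__":
    for finding in audit_pac(SAMPLE):
        print(finding)
```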

Network Rules

Because the download link is hard-coded in the sample, a rule based on the URL can only identify a specific sample.

Threat Intelligence Information

The NSF News Center (NTI) has increased its tracking and monitoring of the incident, with a reported 95 IoCs identified. These include the relevant IPs, domain names, and documents.

For more information visit the NSFOCUS Critical Intelligence Center (NTI) for real-time intelligence and tracking of the event:


Detection & Prevention

Users can block the relevant malicious domain names to prevent the Trojan from downloading and installing.

Short-term service: NSFOCUS engineers provide on-site Trojan and backdoor cleaning services (manual services + IPS + TAC). This eliminates the relevant risk points within the network as early as possible, controls the scope of the incident, and provides an event analysis report.

Medium-term service: 3-6 months of risk monitoring and inspection services (IPS + TAC + manual services).

Long-term service: an industry-specific business risk solution (threat intelligence + attack traceability + professional security services).


The malware consists of a total of three downloaders. The BlackMoon Trojan can be successfully downloaded to the designated area of the computer and is difficult to track and detect. The BlackMoon Trojan mainly targets the financial industry within the APAC region. Additionally, the Trojan acts as a browser middleman and redirects network traffic to obtain a user’s PII. This results in the disclosure of a large amount of personal account information, causing a significant number of issues.
