Cybercriminals have continued to use the Blackmoon banking Trojan to target individuals in South Korea, and the malware is now being delivered via a new framework that helps evade detection.
Blackmoon, also known as KRBanker and Banbra, has been around since at least 2014 and its main goal is to steal online banking credentials from users in South Korea. Just over one year ago, Fortinet researchers reported that the malware had infected the systems of more than 100,000 of the country’s users.
Fidelis Cybersecurity reported on Thursday that it had observed two separate Blackmoon campaigns since late 2016, and they relied on a new framework that researchers have named the Blackmoon Downloader Framework.
The framework is designed to download several components over three stages, and it ensures that the malware is only delivered to users in South Korea.
According to experts, the attack starts with an initial downloader that is under 10 Kb in size. This downloader can execute any code on the infected machine, essentially creating a backdoor, but it serves a simple purpose – downloading and executing a bytecode downloader.
In the second stage, the bytecode downloader fetches a PE file disguised as a harmless JPG image. This fake image file, dubbed by Fidelis “KRDownloader,” is responsible for downloading the actual Blackmoon payload. The KRDownloader component is also designed to ensure that the infected system’s language is set to Korean. If the language is not Korean, the bot terminates.
“The framework is tightly coupled and designed to operate in sequence to facilitate multiple objectives, including evasion as well as geolocation targeting,” Fidelis said in a blog post. “The multistage downloader serves a practical purpose: It is another tactic used presumably to avoid detection, as functionality is distributed between these separate (but related) components.”
Blackmoon is designed to target a long list of websites, including ones belonging to top financial organizations in South Korea, such as Citibank Korea, Hana Bank, KB, Shinhan Bank, Woori Bank, Standard Chartered and Samsung Card.
The malware uses a technique known as “pharming” to gather valuable data. When victims access one of the targeted sites from an infected machine, they are redirected to a fake website where they are instructed to provide their credentials and other information.
Security firms previously reported that cybercriminals had used various methods to deliver the Blackmoon Trojan, including adware and exploit kits.