Security Experts:

Connect with us

Hi, what are you looking for?



Blackmoon Banking Trojan Continues to Target South Korea

Cybercriminals have continued to use the Blackmoon banking Trojan to target individuals in South Korea, and the malware is now being delivered via a new framework that helps evade detection.

Cybercriminals have continued to use the Blackmoon banking Trojan to target individuals in South Korea, and the malware is now being delivered via a new framework that helps evade detection.

Blackmoon, also known as KRBanker and Banbra, has been around since at least 2014 and its main goal is to steal online banking credentials from users in South Korea. Just over one year ago, Fortinet researchers reported that the malware had infected the systems of more than 100,000 of the country’s users.

Fidelis Cybersecurity reported on Thursday that it had observed two separate Blackmoon campaigns since late 2016, and they relied on a new framework that researchers have named the Blackmoon Downloader Framework.

The framework is designed to download several components over three stages, and it ensures that the malware is only delivered to users in South Korea.

According to experts, the attack starts with an initial downloader that is under 10 Kb in size. This downloader can execute any code on the infected machine, essentially creating a backdoor, but it serves a simple purpose – downloading and executing a bytecode downloader.

In the second stage, the bytecode downloader fetches a PE file disguised as a harmless JPG image. This fake image file, dubbed by Fidelis “KRDownloader,” is responsible for downloading the actual Blackmoon payload. The KRDownloader component is also designed to ensure that the infected system’s language is set to Korean. If the language is not Korean, the bot terminates.

“The framework is tightly coupled and designed to operate in sequence to facilitate multiple objectives, including evasion as well as geolocation targeting,” Fidelis said in a blog post. “The multistage downloader serves a practical purpose: It is another tactic used presumably to avoid detection, as functionality is distributed between these separate (but related) components.”

Blackmoon is designed to target a long list of websites, including ones belonging to top financial organizations in South Korea, such as Citibank Korea, Hana Bank, KB, Shinhan Bank, Woori Bank, Standard Chartered and Samsung Card.

The malware uses a technique known as “pharming” to gather valuable data. When victims access one of the targeted sites from an infected machine, they are redirected to a fake website where they are instructed to provide their credentials and other information.

Security firms previously reported that cybercriminals had used various methods to deliver the Blackmoon Trojan, including adware and exploit kits.

Related: Targeted Malware Campaign Uses HWP Documents

Related: “Duuzer” Trojan Used to Target South Korean Organizations

Related: Cyber Gang Steals Millions From Mobile Banking Customers in South Korea

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Expert Insights

Related Content


Zendesk is informing customers about a data breach that started with an SMS phishing campaign targeting the company’s employees.


The release of OpenAI’s ChatGPT in late 2022 has demonstrated the potential of AI for both good and bad.


The North Korean APT tracked as TA444 is either moonlighting from its previous primary purpose, expanding its attack repertoire, or is being impersonated by...


A new study by McAfee and the Center for Strategic and International Studies (CSIS) named a staggering figure as the true annual cost of...


The FBI dismantled the network of the prolific Hive ransomware gang and seized infrastructure in Los Angeles that was used for the operation.

Malware & Threats

Microsoft plans to improve the protection of Office users by blocking XLL add-ins from the internet.


Video games developer Riot Games says source code was stolen from its development environment in a ransomware attack


CISA, NSA, and MS-ISAC issued an alert on the malicious use of RMM software to steal money from bank accounts.