Cybercriminals have continued to use the Blackmoon banking Trojan to target individuals in South Korea, and the malware is now being delivered via a new framework that helps evade detection.
Blackmoon, also known as KRBanker and Banbra, has been around since at least 2014 and its main goal is to steal online banking credentials from users in South Korea. Just over one year ago, Fortinet researchers reported that the malware had infected the systems of more than 100,000 of the country’s users.
Fidelis Cybersecurity reported on Thursday that it had observed two separate Blackmoon campaigns since late 2016, and they relied on a new framework that researchers have named the Blackmoon Downloader Framework.
The framework is designed to download several components over three stages, and it ensures that the malware is only delivered to users in South Korea.
According to experts, the attack starts with an initial downloader that is under 10 Kb in size. This downloader can execute any code on the infected machine, essentially creating a backdoor, but it serves a simple purpose – downloading and executing a bytecode downloader.
In the second stage, the bytecode downloader fetches a PE file disguised as a harmless JPG image. This fake image file, dubbed by Fidelis “KRDownloader,” is responsible for downloading the actual Blackmoon payload. The KRDownloader component is also designed to ensure that the infected system’s language is set to Korean. If the language is not Korean, the bot terminates.
“The framework is tightly coupled and designed to operate in sequence to facilitate multiple objectives, including evasion as well as geolocation targeting,” Fidelis said in a blog post. “The multistage downloader serves a practical purpose: It is another tactic used presumably to avoid detection, as functionality is distributed between these separate (but related) components.”
Blackmoon is designed to target a long list of websites, including ones belonging to top financial organizations in South Korea, such as Citibank Korea, Hana Bank, KB, Shinhan Bank, Woori Bank, Standard Chartered and Samsung Card.
The malware uses a technique known as “pharming” to gather valuable data. When victims access one of the targeted sites from an infected machine, they are redirected to a fake website where they are instructed to provide their credentials and other information.
Security firms previously reported that cybercriminals had used various methods to deliver the Blackmoon Trojan, including adware and exploit kits.
Related: Targeted Malware Campaign Uses HWP Documents
Related: “Duuzer” Trojan Used to Target South Korean Organizations
Related: Cyber Gang Steals Millions From Mobile Banking Customers in South Korea

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
More from Eduard Kovacs
- High-Severity Privilege Escalation Vulnerability Patched in VMware Workstation
- GoAnywhere MFT Users Warned of Zero-Day Exploit
- UK Car Retailer Arnold Clark Hit by Ransomware
- EV Charging Management System Vulnerabilities Allow Disruption, Energy Theft
- Unpatched Econolite Traffic Controller Vulnerabilities Allow Remote Hacking
- Google Fi Data Breach Reportedly Led to SIM Swapping
- Microsoft’s Verified Publisher Status Abused in Email Theft Campaign
- British Retailer JD Sports Discloses Data Breach Affecting 10 Million Customers
Latest News
- Microsoft: Iran Unit Behind Charlie Hebdo Hack-and-Leak Op
- Feds Say Cyberattack Caused Suicide Helpline’s Outage
- Big China Spy Balloon Moving East Over US, Pentagon Says
- Former Ubiquiti Employee Who Posed as Hacker Pleads Guilty
- Cyber Insights 2023: Venture Capital
- Atlassian Warns of Critical Jira Service Management Vulnerability
- High-Severity Privilege Escalation Vulnerability Patched in VMware Workstation
- Exploitation of Oracle E-Business Suite Vulnerability Starts After PoC Publication
