BlackMoon Banking Trojan Infected over 160,000 South Koreans


The crooks behind the recent campaign may be from China.

Over 100,000 South Koreans had their banking credentials stolen by crooks who leveraged the BlackMoon banking trojan, also detected as W32/Banbra, Fortinet researchers reveal.

The security vendor initially identified the campaign in April, when it also managed to discover an open-access directory belonging to one of the BlackMoon C&C servers.

Inside, security researchers found logs and data that revealed details about infected victims. The numbers showed 110,130 victims worldwide and 108,850 in South Korea. Bear in mind that BlackMoon uses different C&C servers, so the total numbers are probably higher.

BlackMoon campaign didn’t stop in April, after public disclosure

Since then, the company has been keeping an eye on the C&C server and gathering more data about the crooks’ mode of operation.

Fortinet says that, between May 10, 2016, and July 19, 2016, the crooks claimed an additional 62,659 victims, 61,255 of whom are in South Korea.

A closer look at the files found on the C&C server shows that the criminal group behind the campaign uses BlackMoon configuration files that target 61 South Korean financial institutions.

BlackMoon, a banking trojan first discovered in 2014, uses proxy auto-config (PAC) files to hijack the user’s Internet traffic and watch for the URLs listed in its configuration file. When a request matches one of them, the user is redirected to a phishing page instead of the real banking portal, and the crooks harvest the banking credentials entered there.

BlackMoon campaign is most likely run by a Chinese cyber-gang

During the period in which Fortinet monitored the exposed C&C server, the company says it detected 2,705 distinct BlackMoon samples, 18,969 unique victim IPs and 20,948 unique victim MAC addresses, connecting to 341 other C&C servers hosted at 26 different Web hosting companies (twelve in the US, eleven in China, four in Hong Kong).

The names of the C&C server files and the comments in the source code were written in Chinese, a strong clue for the campaign’s attribution.

“While we were unable to verify all 100K+ victims initially displayed by the BlackMoon C2, the massive amount of unique victim IP and MAC addresses collected during our research is a strong indication that BlackMoon has been able to successfully infect at least tens of thousands of users,” Fortinet’s Roland Dela Paz writes.

“Furthermore, the daily appearance of new BlackMoon samples and C2s demonstrates how active the BlackMoon threat is, and that more attention needs to be drawn to this sustained attack against South Korean users,” Dela Paz adds.

Statistics from BlackMoon’s April campaign.