Robert Conley

The Blackmoon Trojan Framework

Blog Post created by Robert Conley Employee on May 18, 2017

Blackmoon (also known as KRBanker) is a banking trojan that was first detected in 2014.  Its purpose is to steal financial account login credentials using a man in the browser attack.  The perpetrators then impersonate legitimate users to conduct fraudulent transactions with banks or a variety of wealth management, investment, retirement, etc. services(1). In this way, Blackmoon victimizes both consumers and businesses when the campaign is successful.   South Korea is currently a primary target.


The latest version of Blackmoon uses a new multi-phase framework to evade current detection and facilitate more effective program modifications in its victims. 


Referred to as the Blackmoon Downloader Framework(1), it consists of three stages or modules which are designed to work in unison.


Stage 1-Dropper

Blackmoon propagates via a dropper commonly delivered via adware, phishing, or in some cases exploit kits.  Upon execution the dropper code spawns multiple processes, of which each is necessary to ensure a successful infection.  During the first stage, a browser vulnerability is exploited to request/receive bytecode to initiate stage 2.


Stage 2-Downloader

The second stage runs bytecode.  Its purpose is to expand the malware's functionality and resolve any functions it needs.  It then decodes an onboard blob of data with a single byte XOR. This contains the URL for the next download, from which the malware retrieves an EXE file typically masked as a JPG file to avoid detection. 


Stage 3-EXE

The framework’s final stage uses a Base64 string encoding technique to mask operations.  This obfuscation hides decoding of the Command and Control (C2) IP addresses used for bot check-in, downloading of the EXE payload, and its execution.  This stage results in a victim’s browser being redirected to a compromised website, similar to the one shown in figure 1.  After a user attempts to authenticate, their login credentials are harvested and redirected to the threat actors.


Figure 1 Source-


NetWitness Detection

RSA Netwitness Endpoint can detect Blackmoon.  Endpoint dives deeper into network endpoints to better analyze and identify zero-day, new, hidden, and even those “file-less”, non-malware attacks that other endpoint security solutions miss entirely.




Thanks to Kevin Stear, Bill Motley, and Christopher Ahearn for their contributions to this threat advisory.



These IOCs will be added to the Third Party Feed












Additional Reading-