Robert Conley

The Blackmoon Trojan Framework

Blog Post created by Robert Conley Employee on May 18, 2017

Blackmoon (also known as KRBanker) is a banking trojan that was first detected in 2014.  Its purpose is to steal financial account login credentials using a man in the browser attack.  The perpetrators then impersonate legitimate users to conduct fraudulent transactions with banks or a variety of wealth management, investment, retirement, etc. services(1). In this way, Blackmoon victimizes both consumers and businesses when the campaign is successful.   South Korea is currently a primary target.

 

The latest version of Blackmoon uses a new multi-phase framework to evade current detection and facilitate more effective program modifications in its victims. 

 

Referred to as the Blackmoon Downloader Framework(1), it consists of three stages or modules which are designed to work in unison.

 

Stage 1-Dropper

Blackmoon propagates via a dropper commonly delivered via adware, phishing, or in some cases exploit kits.  Upon execution the dropper code spawns multiple processes, of which each is necessary to ensure a successful infection.  During the first stage, a browser vulnerability is exploited to request/receive bytecode to initiate stage 2.

 

Stage 2-Downloader

The second stage runs bytecode.  Its purpose is to expand the malware's functionality and resolve any functions it needs.  It then decodes an onboard blob of data with a single byte XOR. This contains the URL for the next download, from which the malware retrieves an EXE file typically masked as a JPG file to avoid detection. 

 

Stage 3-EXE

The framework’s final stage uses a Base64 string encoding technique to mask operations.  This obfuscation hides decoding of the Command and Control (C2) IP addresses used for bot check-in, downloading of the EXE payload, and its execution.  This stage results in a victim’s browser being redirected to a compromised website, similar to the one shown in figure 1.  After a user attempts to authenticate, their login credentials are harvested and redirected to the threat actors.

 

Figure 1 Source-https://blog.fortinet.com/

 

NetWitness Detection

RSA Netwitness Endpoint can detect Blackmoon.  Endpoint dives deeper into network endpoints to better analyze and identify zero-day, new, hidden, and even those “file-less”, non-malware attacks that other endpoint security solutions miss entirely.

 

 

 

Thanks to Kevin Stear, Bill Motley, and Christopher Ahearn for their contributions to this threat advisory.

 

 

These IOCs will be added to the Third Party Feed

r.pengyou.com

baoro.org

dmdan.co.kr

www.leeve.co.kr

2.22.8.162

 

Hashes

9ccb6b7626c9574697cabfac2574b4c6bb8a6a0b76789dfc537ba5eb2bbbc6cd

b50249b6d223f6d947e14ced2133992504d6397a3284945eb684270776f360f3

9fcdf3aac12e582bfd214b3fdcf620015633bef333989dfcf2119fe779efd695

cecc2cbe9038587618290cbd6a9bb3ffd73ce79c36be71a33c16a982f10f50ed

b2d0290e237c6e03fe589767e07dfa344192bbc63e59b9fea4fcb81ccf8da73f

a6b0379b194d81da387ad092f04bb1094a07e29156803b4244fd9f0b4b222ce0

d0e0335ccabcfedb481aadebcb0379e6b8c45591ef946a51dbe524366f81f749

ab149cce386655799d79ccbffc9f11601dc0ec514abc9788c4e76fbb5f00fcc6

 

Additional Reading-

(1)https://www.fidelissecurity.com/threatgeek/2017/05/blackmoon-rising-banking-trojan-back-new-framework

https://threatpost.com/blackmoon-banking-trojan-using-new-infection-technique/125425/

https://blog.fortinet.com/2016/04/23/over-100-000-south-korean-users-affected-by-blackmoon-campaign

http://www.darkreading.com/attacks-breaches/blackmoon-banking-trojan-goes-modular-/d/d-id/1328814?utm_content=53913196&utm_medium=social&utm_source=twitter

https://www.scmagazineuk.com/trio-of-downloaders-used-in-recent-blackmoon-banking-trojan-campaign/article/655131/

Outcomes