# Blackmoon Rising: Banking Trojan Back with New Framework

**[fidelissecurity.com/threatgeek/threat-intelligence/blackmoon-banking-trojan-new-framework/](https://fidelissecurity.com/threatgeek/threat-intelligence/blackmoon-banking-trojan-new-framework/)**

**Author:** Threat Research Team, May 4, 2017

Banking trojans – true to their name – typically steal web credentials from users of financial services websites. Targeted services can include banks, wealth management firms, investment banks, retirement investment services companies and others – essentially any website where money can be accessed and managed.

Hoping for a lucrative payday, attackers steal credentials by performing a ‘man in the browser’ attack. In this attack, a trojan is used to capture credentials that a victim unwittingly enters when they access their financial account online. Not surprisingly, this type of attack can have a significant impact on the individual as well as the organization operating the service.

Man-in-the-browser attacks have been a popular choice and play a key role in delivering the payload stage (i.e. malware) in numerous campaigns — including the Blackmoon banking trojan that [stole credentials of more than 150,000 Korean users in July 2016](https://blog.fortinet.com/2016/04/23/over-100-000-south-korean-users-affected-by-blackmoon-campaign).

From late 2016 into 2017, Fidelis Cybersecurity Threat Research observed two separate campaigns that delivered the Blackmoon banking trojan while utilizing a unique and interesting framework.
A key characteristic of that framework involved the use of three separate downloader pieces that appear to work together to ultimately deliver Blackmoon (aka KRBanker) malware onto geo-targeted systems. Interestingly, the campaign that we observed is designed to operate on systems operated by Korean users and targets multiple South Korean financial institutions. In this report, we provide details on the Blackmoon Downloader Framework to assist the threat research community.

## Key Findings

- A unique and involved tri-stage framework has been observed specifically delivering the Blackmoon banking trojan. The framework provides multiple capabilities to be deployed in separate, but closely related, components. We’re calling this framework the Blackmoon Downloader Framework.
- The framework is tightly coupled and designed to operate in sequence to facilitate multiple objectives, including evasion as well as geolocation targeting. The multistage downloader serves a practical purpose: it is another tactic used presumably to avoid detection, as functionality is distributed between these separate (but related) components.
- The campaigns we’ve observed using the framework are clearly operating against South Korean targets. The framework itself is configured to only deliver the malware to systems where the default language is set to Korean. Numerous South Korean websites are observed in the Blackmoon sample, including Samsung Pay, Citibank Korea, Hana Financial Group, KB Financial Group and others. A full list of observed targets is available at the end of this post.

## Stage 1 – Initial Downloader

The initial downloader piece is very small, and some instances can be under 10KB in size. This size is not surprising, however, as the downloader has very basic functionality: perform a GET request against a hardcoded URL, download the response data, and execute the data. Responses are normally around 8KB in size and the bytecode is transmitted in the clear.
While all the instances of this bytecode we found are roughly designed to accomplish the same thing, it should be noted that this technique allows the actors to run any code they want on the infected machine. In this respect, this technique essentially serves as a backdoor. The string for the download location of the bytecode URL is hidden by moving a single character at a time into position.

## Stage 2 – Bytecode Downloader

Upon execution, the downloaded bytecode simply resolves any functions it will need. It then decodes an onboard blob of data with a single-byte XOR. This contains the URL for the next download, which we observed to be a single-byte XORed PE file named as a jpg.

The naming of this entire structure is interesting. The bytecode is downloaded from the file path ‘/ad_##/cod##’ and the PE file is downloaded as ‘/ad_##/test##.jpg’. This caught our attention because the numbers are the same when you go through the entire chain. This makes us estimate that all of these files are built at the same time, which would make each number a build number. Further, we estimate that, because none of the files appear to be generated on the fly, the XOR keys are all hardcoded in each subsequent section.

**Based on this information, we conclude that the stages of the framework were all built to operate together in this sequence of events.**

## Stage 3 – Fake Image KRDownloader

This bytecode then downloads and runs a PE file that is XORed and has a jpg extension. The file, however, is only pretending to be an image, as its name suggests. All related campaigns had similar names revolving around ‘test##.jpg’. This downloader has a specific check to verify that the user’s default system language is Korean. When the user’s language is not Korean, the bot simply dies.

_Figure: Korean language check_

This portion of the framework also uses a string encoding technique that has been previously discussed by researchers from Palo Alto Networks.
The framework, related to KRBanker/Blackmoon, encodes the strings with base64, swaps the case of the letters, and replaces the padding character ‘=’ with ‘@’.

_Figure: Replace @ with =_

_Figure: Swap the case of characters_

The decoded strings are interesting — one of a URL to download another exe file, and one of an IP. The bot first downloads the exe file and checks that the downloaded data has ‘MZ’ for the first two bytes.

_Figure: KRDownloader MZ check_

There’s another string, however, that is hidden in a similar manner to those from the initial downloader. This leads us to understand more about this next phase in the infection chain.

_Figure: String stored one byte at a time_

This string de-obfuscates to two strings associated with KRBanker check-in traffic from other reports:

```python
>>> binascii.unhexlify('63612e7068703f6d3d0026683d393439')
'ca.php?m=\x00&h=949'
```

This function also creates the URI string that is associated with KRBanker activity from reports, /ca.php?m=&h=949. After building the URI string, the malware then decodes the C2 address that it will check in to. After check-in, the bot writes the downloaded exe file, along with random appended overlay data, to %TEMP% and then executes the program before deleting itself.

_Figure: Building process creation string_

This is another downloader with some functionality to customize infections to geographical locations that the actor wishes to target. Since the coding styles between this downloader and KRBanker/Blackmoon are very similar, along with the similar C2 check-in, we decided to call it KRDownloader.

## Blackmoon Trojan

The malware being delivered by the Blackmoon Downloader Framework has been previously reported by researchers as Blackmoon/KRBanker/Banbra.
It has been seen being delivered [in a variety of ways, including via adware campaigns and](https://researchcenter.paloaltonetworks.com/2016/05/unit42-krbanker-targets-south-korea-through-adware-and-exploit-kits-2/) [exploit kits](https://malware.dontneedcoffee.com/2017/01/CVE-2016-7200-7201.html). The initial aspects of the malware appear to line up with reports revolving around traffic, whereby the malware gets the IP addresses it needs by using QZone and Pengyou responses to cgi_get_portrait.fcg?uins= requests.

By decoding some of the onboard strings, we can quickly compare a recent sample with a previous sample. It should be noted that the strings from both samples are encoded in precisely the same way:

**HexToText(Rc4_Encrypt(key, HexToText(Rc4_Encrypt(key, clear_string))))**

_Figure: Pseudocode of string encryption_

Further, the similarity is such that the same RC4 keys can be used to decrypt the strings from both samples. [The sample from previous adware based campaigns we used for this exercise is](https://researchcenter.paloaltonetworks.com/2016/05/unit42-krbanker-targets-south-korea-through-adware-and-exploit-kits-2/) 006cb2c12c577f7d8105a2e8a1bfc9cd13b2a7b8001664e74605bb530cf6a4a4. This allows us to conclusively state that this framework is delivering the Blackmoon banking trojan.
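The single-byte XOR applied to the Stage 2 URL blob and to the fake-image PE can be undone without knowing the key, because the plaintext starts with a known marker (‘http’ for the URL; ‘MZ’ plus the ‘PE\0\0’ signature at e_lfanew for the executable). The following is an added example written for this post, not code from the Fidelis report or from the framework; the PE skeleton, the URL and the key 0x5A are constructed.

```python
import struct
from typing import Optional

def xor1(data: bytes, key: int) -> bytes:
    """Single-byte XOR; applying it twice with the same key restores the input."""
    return bytes(b ^ key for b in data)

def xor_key_for_prefix(blob: bytes, prefix: bytes) -> Optional[int]:
    """Return the only single-byte key under which blob starts with prefix, or None.

    The first byte fixes the candidate key; the rest of the prefix confirms it,
    so the Stage 2 URL blob is recovered by asking for b'http'."""
    if len(blob) < len(prefix):
        return None
    key = blob[0] ^ prefix[0]
    return key if xor1(blob[:len(prefix)], key) == prefix else None

def recover_pe_xor_key(blob: bytes) -> Optional[int]:
    """Key under which blob decodes to a PE file (the 'test##.jpg' case).

    Checks the 'MZ' DOS stub and then the 'PE\\0\\0' signature at e_lfanew, so a
    blob that merely happens to decode to 'MZ' is rejected."""
    key = xor_key_for_prefix(blob, b"MZ")
    if key is None or len(blob) < 0x40:
        return None
    e_lfanew = struct.unpack("<I", xor1(blob[0x3C:0x40], key))[0]
    if e_lfanew + 4 > len(blob):
        return None
    return key if xor1(blob[e_lfanew:e_lfanew + 4], key) == b"PE\0\0" else None

def constructed_pe_stub() -> bytes:
    """Constructed minimal PE skeleton (not a real sample): MZ stub, e_lfanew, PE signature."""
    buf = bytearray(0x100)
    buf[0:2] = b"MZ"
    buf[0x3C:0x40] = struct.pack("<I", 0x80)
    buf[0x80:0x84] = b"PE\0\0"
    return bytes(buf)

if __name__ == "__main__":
    # Constructed inputs: the skeleton and a URL, each XORed with an assumed key 0x5A.
    jpg_blob = xor1(constructed_pe_stub(), 0x5A)
    url_blob = xor1(b"http://example.invalid/ad_01/test01.jpg", 0x5A)
    print(hex(recover_pe_xor_key(jpg_blob)))
    print(xor1(url_blob, xor_key_for_prefix(url_blob, b"http")))
```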
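The KRDownloader string encoding from Stage 3 (base64, swapped case, ‘=’ replaced by ‘@’), the NUL-separated check-in string and the MZ sanity check can all be reproduced in a few lines. This is an added example written for this post, not the report’s or the malware’s code; the sample URL is constructed.

```python
import base64
import binascii
from typing import List

def decode_krdownloader_string(enc: str) -> bytes:
    """Undo the encoding in reverse order: '@' back to the '=' padding,
    swap letter case, then base64-decode."""
    return base64.b64decode(enc.replace("@", "=").swapcase())

def encode_krdownloader_string(raw: bytes) -> str:
    """Forward direction (base64, swap case, '=' -> '@'), handy for building test vectors."""
    return base64.b64encode(raw).decode("ascii").swapcase().replace("=", "@")

def split_checkin_string(hexstr: str) -> List[str]:
    """Decode the hex-stored string and split on the embedded NUL, giving the two
    pieces ('ca.php?m=' and '&h=949') around which the /ca.php?m=&h=949 URI is built."""
    return [p.decode("ascii") for p in binascii.unhexlify(hexstr).split(b"\x00")]

def looks_like_pe(data: bytes) -> bool:
    """The downloader's own sanity check on fetched data: the first two bytes are 'MZ'."""
    return data[:2] == b"MZ"

if __name__ == "__main__":
    enc = encode_krdownloader_string(b"http://example.invalid/update.exe")  # constructed
    print(enc, decode_krdownloader_string(enc))
    print(split_checkin_string("63612e7068703f6d3d0026683d393439"))
```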
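The nested HexToText(Rc4_Encrypt(key, HexToText(Rc4_Encrypt(key, clear_string)))) scheme from the Blackmoon Trojan section can be implemented directly, which is what lets keys recovered from one sample be tried against another. This is an added example, not Fidelis or Blackmoon code; it assumes HexToText renders bytes as lowercase hex text, and the key ‘Key’, the wrong candidate and the sample string are constructed.

```python
import binascii
from typing import Iterable, Optional, Tuple

def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA then PRGA). Encrypting and decrypting are the same operation."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

def encode_blackmoon_string(key: bytes, clear: str) -> str:
    """HexToText(Rc4(key, HexToText(Rc4(key, clear)))); hex text assumed lowercase."""
    inner_hex = binascii.hexlify(rc4(key, clear.encode()))
    return binascii.hexlify(rc4(key, inner_hex)).decode()

def decode_blackmoon_string(key: bytes, enc: str) -> str:
    """Peel the two layers in reverse: unhex, RC4, unhex, RC4."""
    inner_hex = rc4(key, binascii.unhexlify(enc))
    return rc4(key, binascii.unhexlify(inner_hex)).decode()

def decode_with_candidate_keys(candidates: Iterable[bytes], enc: str) -> Optional[Tuple[bytes, str]]:
    """Try keys recovered from an earlier sample against a new one. A wrong key
    almost always yields non-hex inner text or unprintable output; both are rejected."""
    for key in candidates:
        try:
            clear = decode_blackmoon_string(key, enc)
        except (binascii.Error, ValueError, UnicodeDecodeError):
            continue
        if clear.isprintable():
            return key, clear
    return None

if __name__ == "__main__":
    enc = encode_blackmoon_string(b"Key", "cgi_get_portrait.fcg?uins=")  # constructed
    print(enc)
    print(decode_with_candidate_keys([b"wrong", b"Key"], enc))
```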
_Note: Fidelis Cybersecurity products were used to detect all threat activity described in this report._

## IOCs

**Domains:**

baoro(dot)org
dmdan.co(dot)kr

**Framework Hashes**

**Initial Downloader:**
**Bytecode downloader:**

**KRDownloader:**
**Downloaded malware hashes:**

## Blackmoon/KRBanker target list

## Further Reading

1. [https://researchcenter.paloaltonetworks.com/2016/05/unit42-krbanker-targets-south-korea-through-adware-and-exploit-kits-2/](https://researchcenter.paloaltonetworks.com/2016/05/unit42-krbanker-targets-south-korea-through-adware-and-exploit-kits-2/)
2. [https://malware.dontneedcoffee.com/2017/01/CVE-2016-7200-7201.html](https://malware.dontneedcoffee.com/2017/01/CVE-2016-7200-7201.html)
3. [https://blog.fortinet.com/2016/04/23/over-100-000-south-korean-users-affected-by-blackmoon-campaign](https://blog.fortinet.com/2016/04/23/over-100-000-south-korean-users-affected-by-blackmoon-campaign)
4. [https://nprotectsecurity.wordpress.com/tag/krbanker/](https://nprotectsecurity.wordpress.com/tag/krbanker/)
5. [https://www.arbornetworks.com/blog/asert/wp-content/uploads/2016/02/ASERT-Threat-Intelligence-Brief-2016-01-Big-Bong-Theory.pdf](https://www.arbornetworks.com/blog/asert/wp-content/uploads/2016/02/ASERT-Threat-Intelligence-Brief-2016-01-Big-Bong-Theory.pdf)