{
	"id": "17464f04-4c57-43c2-a34d-40ec17a8640b",
	"created_at": "2026-04-06T00:15:35.087253Z",
	"updated_at": "2026-04-10T03:21:33.389679Z",
	"deleted_at": null,
	"sha1_hash": "92ba2f4058123dc717d82c4ed0aebcc3ac0f15b2",
	"title": "Old Blackmoon Trojan, NEW Monetization Approach",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 518706,
	"plain_text": "Old Blackmoon Trojan, NEW Monetization Approach\r\nBy Natalie Zargarov\r\nPublished: 2023-07-13 · Archived: 2026-04-05 21:19:34 UTC\r\nRapid7 is tracking a new, more sophisticated, staged campaign using the Blackmoon trojan, which appears to have originated in November 2022. The campaign is actively targeting various businesses, primarily in the USA and Canada. However, it is not used to steal credentials; instead, it implements different evasion and persistence techniques to drop several unwanted programs and stay in victims’ environments for as long as possible.\r\nBlackmoon, also known as KRBanker, is a banking trojan first spotted in late September 2015, when it was used to target banks of the Republic of Korea. Back in 2015, it employed a “pharming” technique to steal credentials from targeted victims. This technique involved redirecting traffic to a forged website when a user attempted to access one of the banking sites targeted by the cybercriminals. The fake site masquerades as the original site and urges visitors to submit their information and credentials.\r\nStage 1 - Blackmoon\r\nThe Blackmoon trojan was named after a debug string, “blackmoon,” that is present in its code:\r\nBlackmoon string found inside malware's code\r\nhttps://www.rapid7.com/blog/post/2023/07/13/old-blackmoon-trojan-new-monetization-approach/\r\nPage 1 of 8\r\nBlackmoon drops a dll named RunDllExe.dll into the C:\\Windows\\Logs folder and implements the Port Monitor persistence technique. Port Monitors are related to the Windows Print Spooler service, spoolsv.exe. When adding a printer Port Monitor, a user (or, in our case, the attacker) is able to register an arbitrary dll that acts as the monitor. There are two ways to add a Port Monitor: via the Windows Registry, for persistence, or via an AddMonitor API call, for immediate dll execution.\r\nOur sample implements both. It calls the AddMonitor API to immediately execute RunDllExe.dll:\r\nAddMonitorA API call\r\nIt also sets the Driver value under the HKLM\\SYSTEM\\CurrentControlSet\\Control\\Print\\Monitors\\RunDllExe registry key to the malicious dll path.\r\nDriver value set under monitors registry key\r\nNext, the malware adds the shutdown system privilege to the Spooler service by adding SeShutdownPrivilege to the RequiredPrivileges value of the HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\Spooler registry key.\r\nRequiredPrivileges data before and after the update\r\nThe malware disables Windows Defender by setting the HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\DisableAntiSpyware value to “1”.\r\nIt also stops and disables the “Lanman” service (the service that allows a computer to share files and printers with other devices on the network).\r\nTo block all incoming RPC and SMB communication, the malware executes the following set of commands:\r\nnetsh ipsec static add policy name=Block\r\nnetsh ipsec static add filterlist name=Filter1\r\nnetsh ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=135 protocol=TCP\r\nnetsh ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=135 protocol=UDP\r\nnetsh ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=139 protocol=TCP\r\nnetsh ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=139 protocol=UDP\r\nnetsh ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=445 protocol=TCP\r\nnetsh ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=445 protocol=UDP\r\nnetsh ipsec static add filteraction name=FilteraAtion1 action=block\r\nnetsh ipsec static add rule name=Rule1 policy=Block filterlist=Filter1 filteraction=FilteraAtion1\r\nnetsh ipsec static set policy name=Block assign=y\r\nThe malware sets two additional values under HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\aspnet_staters: Work and Mining, both set to “1”.\r\nNext, the malware checks whether one of the following services exists on the victim’s computer:\r\nclr_optimization_v3.0.50727_32\r\nclr_optimization_v3.0.50727_64\r\nWinHelpsvcs\r\nServices\r\nHelp Service\r\nKuGouMusic\r\nWinDefender\r\nMsubridge\r\nChromeUpdater\r\nMicrosoftMysql\r\nMicrosoftMssql\r\nConhost\r\nMicrosotMaims\r\nMicrosotMais\r\nIf the service is found, it is disabled (by setting the “Start” value under HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\servicename to “4”) or deleted using the DeleteService API call.\r\nThe malware enumerates running processes using the CreateToolhelp32Snapshot, Process32First and Process32Next API calls in order to terminate the service’s process (if one is running).\r\nFinally, a PowerShell command is executed to delete the running process’s file, and the malware exits.\r\nStage 2 - RunDllExe.dll - injector\r\nRunDllExe.dll is executed by the Spooler service and is responsible for injecting the next-stage payload into a newly launched svchost.exe process. The malware implements the Process Hollowing injection technique. The injected code is a C++ file downloader.\r\nStage 3 - File Downloader\r\nThe downloader first checks whether the ‘Work’ and ‘Mining’ values exist and are set under the HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\aspnet_staters registry key; if the values do not exist, it creates them and sets both to “1”.\r\nThis part of the attack flow checks whether all the necessary downloaded files are present on the PC (using the PathFileExistsA API call); if not, the malware sleeps for two minutes before every download and then uses the URLDownloadToFileA API call to download the following files:\r\nC:\\WINDOWS\\Temp\\MpMgSvc.dll\r\nC:\\WINDOWS\\Temp\\Hooks.exe\r\nC:\\WINDOWS\\Temp\\MpMgSvc.exe\r\nC:\\Windows\\Microsoft.NET\\Framework\\v3.0\\WmiPrvSER.exe\r\nAfter the download, all files except MpMgSvc.dll are executed:\r\nExecution tree\r\nStage 4 - Hook.exe - dropper\r\nHook.exe drops an additional dll into the user’s roaming folder, C:\\Users\\Username\\AppData\\Roaming\\GraphicsPerfSvcs.dll, and creates a new service named GraphicsPerfSvcs, which is executed automatically at system startup. The service’s name is almost identical to that of the legitimate service GraphicsPerfSvc, which belongs to the graphics performance monitor service. Naming services and files similarly to those that already exist on the victim’s OS is an evasion technique widely used by threat actors.\r\nMalicious Service under the legitimate one\r\nThe dropper then starts the created service. It creates and executes a .vbs, which is responsible for deleting Hook.exe and the .vbs itself:\r\nCreated .vbs\r\nStage 4.1 - MpMgSvc.exe - spreader\r\nMpMgSvc.exe first creates a new \\BaseNamedObjects\\Brute_2022 mutex. As it is responsible for spreading the malware, it drops Doublepulsar-1.3.1.exe, Eternalblue-2.2.0.exe, Eternalromance-1.4.0.exe and all required libraries into the C:\\Windows\\Temp folder.\r\nThen, it scans the network for PCs with open 3306, 445 and 1433 ports. If any open ports are found, the spreader attempts to install a backdoor using EternalBlue and sends shellcode to inject a dll with Doublepulsar, as implemented in the Eternal-Pulsar GitHub project.\r\nEternal-Pulsar commands in spreader memory\r\nTwo dlls are dropped, one for the x64 architecture and one for x86. When injected by Doublepulsar, the dll downloads the first-stage Blackmoon malware, which then follows the same execution stages described in this analysis.\r\nStage 4.2 - WmiPrvSER.exe - XMRig miner\r\nWmiPrvSER.exe is a classic XMRig Monero miner. Our sample is XMRig version 6.18, and it creates a BaseNamedObjects\\\\Win__Host mutex on the victim’s host. You can find a full report on XMRig here.\r\nStage 5 - GraphicsPerfSvcs service - dropper\r\nAs mentioned in the previous stage, the GraphicsPerfSvcs service is started automatically at system startup. Every time it runs, it checks whether the following two files exist:\r\nC:\\Windows\\TEMP\\ctfmoon.exe\r\nC:\\Windows\\Microsoft.NET\\traffmonetizer\\Traffmonetizer.exe\r\nIf they are not found, it drops both files and all the dlls needed for their execution.\r\nThe dropper also creates two new firewall rules that allow all outbound connections from the dropped files by executing the following commands:\r\nnetsh advfirewall firewall add rule name=ctfmoon dir=out program=C:\\Windows\\Microsoft.NET\\ctfmoon.exe action=allow\r\nnetsh advfirewall firewall add rule name=traffmonetizer dir=out program=C:\\Windows\\Microsoft.NET\\traffmonetizer\\traffmonetizer.exe action=allow\r\nCtfmoon.exe firewall rule creation\r\nThe service stays up and constantly attempts to read from the URL hxxp://down.ftp21[.]cc/Update.txt. At the time of the analysis, this URL was down, so we were not able to observe its content. However, following the service code, it appears to read the URL content and check whether it contains one of the following commands: [Delete File], [Kill Proccess] or [Delete Service], which delete a file, kill a process or delete a service accordingly.\r\nStage 6 - Ctfmoon.exe and Traffmonetizer.exe - Traffic Stealers\r\nThe GraphicsPerfSvcs service executes the two dropped files, Ctfmoon.exe and Traffmonetizer.exe, both of which appear to be Potentially Unwanted Programs (PUPs) in the form of traffic stealers. Both use the “network bandwidth sharing” monetization scheme to make “passive income”.\r\nCtfmoon.exe is a CLI version of the Iproyal Pawns application. It takes the user’s email address and password as execution parameters so that the activity is associated with, and the money collected to, the supplied account. GraphicsPerfSvcs executes the following command line to start Iproyal Pawns: ctfmoon.exe -email=usax138@protonmail.com -password=123456Aa. -device-name=Win32 -accept-tos\r\nWe can see that the user named in our execution parameters has already made $169:\r\nIproyal Pawns earnings from our sample\r\nTraffmonetizer.exe is similar to Ctfmoon.exe and is created by Traffmonetizer. It reads the user account data from a settings.json file dropped in the user’s roaming directory. Our .json file contains the following content:\r\n{\"Token\":\"1gUgURMzQiuGFgttIdjeZBS0G6fqFlVvhCKlqzfHd3o=\",\"StartWithWindows\":false,\"Accepting\":true}\r\nConclusion\r\nThe analysis in this blog reveals the effort threat actors put into the attack flow, using several evasion and persistence techniques as well as different approaches to make passive income from victims’ resources.\r\nMITRE ATT&CK Techniques:\r\nTactic | Technique (ID) | Description\r\nPersistence | Boot or Logon Autostart Execution: Port Monitors (T1547.010) | The Blackmoon trojan (a95737adb2cd7b1af2291d143200a82d8d32a868c64fb4acc542608f56a0aeda) uses the Port Monitor technique to establish persistence on the target host.\r\nPersistence | Create or Modify System Process: Windows Service (T1543.003) | The Hook.exe dropper (1A7A4B5E7C645316A6AD59E26054A95654615219CC03657D6834C9DA7219E99F) creates a new service to establish persistence on the target host.\r\nDefense Evasion | Process Injection: Process Hollowing (T1055.012) | The dll dropped by Blackmoon (F5D508C816E485E05DF5F58450D623DC6BFA35A2A0682C238286D82B4B476FBB) uses the Process Hollowing technique to evade endpoint security detection.\r\nDefense Evasion | Impair Defenses: Disable or Modify Tools (T1562.001) | The Blackmoon trojan (a95737adb2cd7b1af2291d143200a82d8d32a868c64fb4acc542608f56a0aeda) disables Windows Defender to evade endpoint security detection.\r\nLateral Movement | Exploitation of Remote Services (T1210) | The MpMgSvc.exe spreader (72B0DA797EA4FC76BA4DB6AD131056257965DF9B2BCF26CE2189AF3DBEC5B1FC) uses EternalBlue and DoublePulsar to spread in the organization’s environment.\r\nDiscovery | Network Share Discovery (T1135) | The MpMgSvc.exe spreader (72B0DA797EA4FC76BA4DB6AD131056257965DF9B2BCF26CE2189AF3DBEC5B1FC) scans the network to discover open SMB ports.\r\nImpact | Resource Hijacking (T1496) | The XMRig miner (ECC5A64D97D4ADB41ED9332E4C0F5DC7DC02A64A77817438D27FC31C69F7C1D3), Iproyal Pawns ctfmoon.exe (FDD762192D351CEA051C0170840F1D8D171F334F06313A17EBA97CACB5F1E6E1) and the Traffmonetizer traffic stealer (2923EACD0C99A2D385F7C989882B7CCA83BFF133ECF176FDB411F8D17E7EF265) are executed to use victims’ resources.\r\nImpact | Service Stop (T1489) | The Blackmoon trojan (a95737adb2cd7b1af2291d143200a82d8d32a868c64fb4acc542608f56a0aeda) stops update and security product services.\r\nCommand and Control | Application Layer Protocol: Web Protocols (T1071.001) | The downloader (E9A83C8811E7D7A6BF7EA7A656041BCD689687F8B23FA7655B28A8053F67BE99) downloads the next-stage payloads over the HTTP protocol. The GraphicsPerfSvcs service (5AF88DBDC7F53BA359DDC47C3BCAF3F5FE9BDE83211A6FF98556AF7E38CDA72B) uses the HTTP protocol to get commands from the C&C server.\r\nIOCs\r\nFile name | SHA-256 | Role\r\n445.exe | a95737adb2cd7b1af2291d143200a82d8d32a868c64fb4acc542608f56a0aeda | Blackmoon Trojan\r\nRunDllExe.dll | F5D508C816E485E05DF5F58450D623DC6BFA35A2A0682C238286D82B4B476FBB | Injector\r\nInjected code | E9A83C8811E7D7A6BF7EA7A656041BCD689687F8B23FA7655B28A8053F67BE99 | Downloader\r\nMpMgSvc.dll | E9BD4A9C6EA27033BCB696E65D7441DC2D42CD7F9F02084B5C704316F0A4FDDF | \r\nHooks.exe | 1A7A4B5E7C645316A6AD59E26054A95654615219CC03657D6834C9DA7219E99F | Dropper\r\nMpMgSvc.exe | 72B0DA797EA4FC76BA4DB6AD131056257965DF9B2BCF26CE2189AF3DBEC5B1FC | Spreader\r\nWmiPrvSER.exe | ECC5A64D97D4ADB41ED9332E4C0F5DC7DC02A64A77817438D27FC31C69F7C1D3 | XMRig\r\nGraphicsPerfSvcs.dll | 5AF88DBDC7F53BA359DDC47C3BCAF3F5FE9BDE83211A6FF98556AF7E38CDA72B | Dropper\r\nDoublepulsar-1.3.1.exe | 15FFBB8D382CD2FF7B0BD4C87A7C0BFFD1541C2FE86865AF445123BC0B770D13 | Shellcode installer\r\nEternalblue-2.2.0.exe | 85B936960FBE5100C170B777E1647CE9F0F01E3AB9742DFC23F37CB0825B30B5 | Exploit\r\nEternalromance-1.4.0.exe | B99C3CC1ACBB085C9A895A8C3510F6DAAF31F0D2D9CCB8477C7FB7119376F57B | Exploit\r\nX64.dll | 275A9A7B99F3474CBF8A61964A6022E3CF7BAF76E0EE2FBA31A708D8F1E25BD0 | Shellcode\r\nX86.dll | F247A48D3ECDBDF91FCD7A2D8728ADAAF06149586ADDE62DE7212C6DE645AD58 | Shellcode\r\nCtfmoon.exe | FDD762192D351CEA051C0170840F1D8D171F334F06313A17EBA97CACB5F1E6E1 | Iproyal Pawns\r\nTraffmonetizer.exe | 2923EACD0C99A2D385F7C989882B7CCA83BFF133ECF176FDB411F8D17E7EF265 | Traffmonetizer\r\nOther indicator | Role\r\nusax138@protonmail.com | Iproyal Pawns account\r\n1gUgURMzQiuGFgttIdjeZBS0G6fqFlVvhCKlqzfHd3o= | Traffmonetizer token\r\nhxxp://down.ftp21[.]cc | C&C server\r\nReferences\r\nhttps://posts.slayerlabs.com/monitor-persistence/\r\nSource: https://www.rapid7.com/blog/post/2023/07/13/old-blackmoon-trojan-new-monetization-approach/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.rapid7.com/blog/post/2023/07/13/old-blackmoon-trojan-new-monetization-approach/"
	],
	"report_names": [
		"old-blackmoon-trojan-new-monetization-approach"
	],
	"threat_actors": [],
	"ts_created_at": 1775434535,
	"ts_updated_at": 1775791293,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/92ba2f4058123dc717d82c4ed0aebcc3ac0f15b2.pdf",
		"text": "https://archive.orkl.eu/92ba2f4058123dc717d82c4ed0aebcc3ac0f15b2.txt",
		"img": "https://archive.orkl.eu/92ba2f4058123dc717d82c4ed0aebcc3ac0f15b2.jpg"
	}
}