{
	"id": "55a4d2b0-d4f6-4d04-9c18-0b5e152f1412",
	"created_at": "2026-04-06T03:36:54.895601Z",
	"updated_at": "2026-04-10T03:20:55.970444Z",
	"deleted_at": null,
	"sha1_hash": "fa3b79548dc766852c62c32f07d85acf63d0298d",
	"title": "KRBanker Targets South Korea Through Adware and Exploit Kits",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1047003,
	"plain_text": "KRBanker Targets South Korea Through Adware and Exploit Kits\r\nBy Vicky Ray, Kaoru Hayashi\r\nPublished: 2016-05-09 · Archived: 2026-04-06 03:24:34 UTC\r\nOnline banking services have been a prime target of cyber criminals for many years and attacks continue to grow.\r\nTargeting online banking users and stealing their credentials has yielded huge profits for the criminals behind\r\nthese campaigns. Unit 42 has been tracking \"KRBanker\", AKA 'Blackmoon', since late last year. This campaign\r\nspecifically targets banks of the Republic of Korea. On April 23, researchers at Fortinet published a blog\r\ndescribing the functionalities of the recent 'Blackmoon' campaign. Our objective in this blog is to share additional\r\ndetails on the distribution of the KRBanker or Blackmoon malware campaign and indicators of KRBanker\r\nsamples.\r\nEarly variants of this campaign started surfacing in late September 2015. Though the number of KRBanker\r\ninfection attempts was relatively low in 2015, we have noticed a gradual increase in the number of sessions since\r\nthe start of 2016, and identified close to 2,000 unique samples of KRBanker and 200+ pharming server addresses\r\nin the last 6 months.\r\nFigure 1 KRBanker download sessions on Autofocus\r\nMalware Distribution\r\nOur analysis shows that KRBanker has been distributed through web exploit kits (EK) and a malicious Adware\r\ncampaign. The exploit kit used for installing KRBanker is known as KaiXin and the Adware which distributes it is\r\ncalled NEWSPOT.\r\nIn March 2016, Unit 42's Brad Duncan wrote two articles for SANS and Malware-Traffic-Analysis.Net, noting\r\nthat the KaiXin EK is observed in the Republic of Korea. In those cases, malicious JavaScript through compromised\r\nweb sites or advertisements led to the EK that exploited Adobe Flash vulnerabilities CVE-2014-0569 or CVE-2015-3133. 
We confirmed that the final payload in both cases was KRBanker.\r\nAnother distribution channel is a malicious Adware program called NEWSPOT. According to the marketing\r\ndocument of the product, NEWSPOT guarantees 300% revenue growth for online shopping sites. NEWSPOT is a\r\nhttps://unit42.paloaltonetworks.com/unit42-krbanker-targets-south-korea-through-adware-and-exploit-kits-2/\r\nPage 1 of 8\n\nbasic adware program that displays advertisements in browsers, but since at least November 2015 has started\r\ninstalling malware. When visiting some Korean websites, a user may notice a pop-up of a browser add-on\r\nrequesting installation for NEWSPOT.\r\nFigure 2 Installing NEWSPOT tool\r\nIf installed, the adware is executed on the computer and starts getting configuration from the following URL:\r\nwww.newspot[.]kr/config.php?sUID=[web site name]\r\nIt downloads a file from the URL described in the \u003cupdate\u003e section within the configuration data returned by the\r\nserver.\r\nFigure 3 Configuration file contains download link to malware\r\nThis might have originally been used to update the NEWSPOT software, but we have confirmed that Banking\r\nTrojans like KRBanker and Venik have been installed through this update channel. Figure 4 shows the URLs:\r\nFigure 4 Downloading Banking Trojans from NEWSPOT update channel\r\nExecution\r\nKRBanker uses Process Hollowing to execute its main code in a clean (non-suspicious) executable. The process is\r\nas follows:\r\n1. KRBanker executes a clean PE file in the System directory.\r\n2. Windows loads the PE file into memory.\r\n3. KRBanker overwrites the whole clean process with its own (malicious) main module.\r\n4. 
The overwritten process starts malicious activity.\r\nFigure 5 Execution Steps\r\nFigure 6 Execution Steps (cont.)\r\nAfter a successful execution the Windows Firewall alerts the user that the process is attempting to access the Internet.\r\nMany users may allow this activity because the process originally involved a clean Microsoft file.\r\nFigure 7 Windows Firewall Alert\r\nPharming\r\nBanking trojans like Dridex or Vawtrak mainly employ Man-in-the-browser (MitB) techniques to steal credentials\r\nfrom targeted victims. However, KRBanker uses a different technique known as “pharming.” This technique\r\ninvolves redirecting traffic to a forged website when a user attempts to access one of the banking sites being\r\ntargeted by the cyber criminals. The fake server masquerades as the original site and urges visitors to submit their\r\ninformation and credentials.\r\nSet Up\r\nThe IP address of the fraudulent server is not hard-coded in the malware. KRBanker obtains the server address by\r\naccessing the Chinese SNS Qzone through a Web API. The API provides basic user information when a QQ\r\nnumber is sent to the following URL.\r\nusers.qzone.qq.com/fcg-bin/cgi_get_portrait.fcg?uins=[QQ ID Number]\r\nThe server then responds with the QQ ID Number, link to picture, nickname and some other information from the\r\nSNS profile identified by the QQ ID Number. 
The author of the trojan put the Pharming server address in the\r\n\"nickname\" field.\r\nFollowing is an example response that contains the IP address 23.107.204[.]38, which is then extracted by\r\nKRBanker for Pharming.\r\nFigure 8 Receiving IP address for Pharming from QZone\r\nNext, KRBanker gets the MAC Address using an embedded VBScript and the code page by executing the GetOEMCP()\r\nAPI on the compromised system. It then registers the compromised system with the C2 server by sending the\r\nfollowing HTTP GET request:\r\nhttp://[IP address]/ca.php?m=[encoded MAC Address]\u0026h=[code page]\r\nProxy Auto-Config\r\nResearchers at ALYac had previously reported on KRBanker employing hosts file modification and local DNS\r\nproxy techniques to redirect HTTP traffic. The latest version of the threat employs Proxy Auto-Config (PAC), a\r\nlegitimate Windows function that lets network administrators define an appropriate proxy address for each\r\nURL by writing JavaScript; this was also mentioned by Fortinet in their blog post. The adversaries abuse this\r\nfeature for Pharming.\r\nTo configure this, the Trojan starts a local proxy server and creates the following registry entry.\r\nHKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\AutoConfigURL =\r\nhttp://127.0.0.1:[random]/[random]\r\nThe local proxy hosts encrypted JavaScript.\r\nFigure 9 Malicious JavaScript for Proxy Auto-Config\r\nAfter decrypting the JavaScript we can see the PAC function, FindProxyForURL(), which is used to check for a\r\nlist of targeted sites.\r\nFigure 10 Decrypted malicious JavaScript\r\nWhen the browser attempts to connect to a web server, the traffic goes to the local proxy. The malicious JavaScript\r\nin the proxy's PAC checks the domain against the list of targets using the FindProxyForURL() function. 
If the domain\r\nbeing accessed matches any of the targets from the list, the traffic goes to a fraudulent server. If not, it goes to\r\nthe legitimate domain being requested.\r\nFigure 11 Redirecting traffic by Proxy Auto-Config\r\nCurrently, KRBanker is targeting a large list of Korean financial institutions using this Pharming attack.\r\nWhen a compromised user visits one of the targeted websites, the user will see a page like the one shown in Figure\r\n12 below. It appears to be a legitimate webpage with a valid URL displayed in the address bar of the\r\nbrowser. However, this is a fake website for stealing the credentials and account information of the victims.\r\nFigure 12 Fake Authorized Certification Center for renewal\r\nKRBanker is also capable of taking the following actions:\r\nStealing certificates from the NPKI directory in order to access online banking accounts\r\nTerminating Ahnlab’s V3 security software\r\nConclusion\r\nProfit is the primary motivator for attackers who use banking Trojans. The adversary behind KRBanker has been\r\ndeveloping new distribution channels, evolving the pharming techniques multiple times, and releasing new\r\nvariants on a daily basis to maximize the revenue from victims.\r\nAs described in this article, the threat is distributed through Exploit Kits that exploit old vulnerabilities and\r\nAdware that needs to be manually installed. It is essential to understand the infection vectors of such campaigns to\r\nminimize the impact. 
Palo Alto Networks Autofocus users can track this threat using the 'KRBanker' Autofocus\r\ntag.\r\nIndicators\r\nThe indicators on KRBanker can be found on Unit 42's GitHub page below:\r\nhttps://github.com/pan-unit42/iocs/blob/master/krbanker/hashes.txt\r\nSource: https://unit42.paloaltonetworks.com/unit42-krbanker-targets-south-korea-through-adware-and-exploit-kits-2/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://unit42.paloaltonetworks.com/unit42-krbanker-targets-south-korea-through-adware-and-exploit-kits-2/"
	],
	"report_names": [
		"unit42-krbanker-targets-south-korea-through-adware-and-exploit-kits-2"
	],
	"threat_actors": [],
	"ts_created_at": 1775446614,
	"ts_updated_at": 1775791255,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/fa3b79548dc766852c62c32f07d85acf63d0298d.pdf",
		"text": "https://archive.orkl.eu/fa3b79548dc766852c62c32f07d85acf63d0298d.txt",
		"img": "https://archive.orkl.eu/fa3b79548dc766852c62c32f07d85acf63d0298d.jpg"
	}
}