New clues have surfaced on how the Blackmoon banking Trojan is infecting its victims using a new framework to deliver the malware.
“We noticed recent campaigns (two weeks ago) where Blackmoon had shifted its infection strategy and is now utilizing a unique and interesting technique,” said Hardik Modi, vice president of threat research at Fidelis Cybersecurity in an interview with Threatpost.
Blackmoon, also known as KRBanker, is a banking Trojan designed to steal user credentials from various South Korean banking institutions. It was discovered in early 2014 and since then has adopted a variety of infection and credential stealing techniques.
Now, according to Fidelis, the group behind Blackmoon has adopted a clever new three-stage technique for installing the malware onto victims’ computers. Fidelis calls it the Blackmoon Downloader Framework, describing it in a technical analysis that was posted Thursday.
“This framework is unique, not because it is groundbreaking in technique, but because it’s well thought out. The staging utilizes a number of very clever obfuscation techniques that make it very effective at finding desirable targets and infecting them with the Blackmoon Trojan,” Modi said.
The framework includes three separate downloader pieces that work together to identify targets and deliver the malware. Once installed, the banking Trojan is used against customers of many South Korean businesses, including Samsung Pay, Citibank Korea, Hana Financial Group and KB Financial Group, according to Fidelis.
The Blackmoon infection chain begins with a small 10KB file, delivered either by a phishing attack that includes a malicious attachment or by an exploit kit that takes advantage of a browser vulnerability. The dropper file contains a hardcoded URL from which it requests additional bytecode of around 8KB in size, and it includes no obfuscation.
Adversaries cleverly hide that hardcoded URL in plain sight. “The string for the download location of the bytecode URL is hidden by moving a single character at a time into position,” noted Fidelis. (see right) Next, the bytecode is downloaded to the targeted system.
“Upon execution, the downloaded bytecode simply resolves any functions it will need. It then decodes an onboard blob of data with a single byte XOR. This contains the URL for the next download, which we observed to be a single-byte XORd PE (portable executable) file named as a jpg,” according to researchers.
“The naming of this entire structure is interesting,” researchers wrote. That’s because the bytecode is downloaded from the file path “/ad_##/cod##” and the PE file downloaded as “/ad_##/test##.jpg”.
This naming convention, according to Fidelis, suggests that all of these files are built at the same time: each number would then be a build number, and the file paths are hardcoded rather than generated on the fly.
“Based on this information, we conclude that the stages of the framework were all built to operate together in this sequence of events,” Fidelis wrote.
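The analysis above describes the second and third stages as single-byte XOR-encoded blobs, the last one a PE file served under a .jpg name. The following is an added example written for this page, not code from Fidelis or from the malware: it shows how an analyst or a network sensor can recover such a key without knowing it, by trying all 256 key bytes and checking for the PE structure the decoded data must have, and how to flag a "jpg" download whose bytes do not carry JPEG magic. The sample blob, the key 0x5A and the stub PE header are constructed here for the demonstration.

```python
import struct
from typing import Optional, Tuple

JPEG_MAGIC = b"\xff\xd8\xff"  # Start-of-image marker every real JPEG begins with


def xor_single_byte(data: bytes, key: int) -> bytes:
    """XOR every byte with one key byte; the same call encodes and decodes."""
    return bytes(b ^ key for b in data)


def looks_like_pe(data: bytes) -> bool:
    """Minimal PE sanity check: 'MZ' DOS magic and 'PE\\0\\0' at e_lfanew (offset 0x3C)."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 4 > len(data):
        return False
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def is_real_jpeg(data: bytes) -> bool:
    """True when the bytes start with a JPEG start-of-image marker."""
    return data[:3] == JPEG_MAGIC


def recover_xor_key(blob: bytes) -> Optional[int]:
    """Brute-force the single key byte under which the blob becomes a PE image.

    Only one key can map the first byte to 'M', so a hit is unambiguous.
    """
    for key in range(256):
        if looks_like_pe(xor_single_byte(blob, key)):
            return key
    return None


def decode_downloaded_jpg(blob: bytes) -> Optional[Tuple[int, bytes]]:
    """Return (key, decoded PE bytes) for a fake .jpg, or None if no key yields a PE."""
    key = recover_xor_key(blob)
    if key is None:
        return None
    return key, xor_single_byte(blob, key)


def build_fake_pe_stub() -> bytes:
    """Constructed stand-in for a PE file: DOS header with e_lfanew=0x40, then 'PE\\0\\0'."""
    dos = bytearray(b"MZ" + b"\x00" * 0x3E)
    struct.pack_into("<I", dos, 0x3C, 0x40)
    return bytes(dos) + b"PE\x00\x00" + b"\x00" * 16


# Constructed sample: the stub PE XOR-encoded with an assumed key of 0x5A,
# standing in for a "/ad_##/test##.jpg" download.
CONSTRUCTED_KEY = 0x5A
CONSTRUCTED_FAKE_JPG = xor_single_byte(build_fake_pe_stub(), CONSTRUCTED_KEY)


if __name__ == "__main__":
    print("claims to be jpeg:", is_real_jpeg(CONSTRUCTED_FAKE_JPG))
    result = decode_downloaded_jpg(CONSTRUCTED_FAKE_JPG)
    if result:
        key, pe = result
        print("recovered key 0x%02x, decoded header: %r" % (key, pe[:2]))
```

The check is deliberately structural rather than statistical: a downloaded file that an HTTP response labels as image/jpeg or names .jpg, lacks the JPEG marker, and turns into a PE under some single-byte key is a strong signal on its own, and the same recovery works for the stage-two bytecode blob once you know what structure to expect in the decoded output.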
Stage three involves the retrieval of the fake jpg file. This file serves two purposes. The first is to verify that the default language on the targeted system is Korean; when the default language is not Korean, the program goes dormant. Stage three also obfuscates its command and control communications.
Fidelis points out that this last stage of the Blackmoon framework uses a string encoding technique that has been previously discussed by researchers from Palo Alto Networks. “The framework, related to KRBanker/Blackmoon, encodes the strings with base64, swaps the case of the letters, and replaces the padding character ‘=’ with ‘@’,” wrote Fidelis.
Fidelis believes one of the purposes of this obfuscation is to cloak the decoding of the C2 address that the framework uses. “After check-in, the bot writes the downloaded exe file, along with random appended overlay data, to %TEMP% and then executes the program before deleting itself,” according to the research. That program is the last stage for delivering the malware.
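The string encoding Fidelis quotes (base64, letter case swapped, ‘=’ padding replaced by ‘@’) is simple to reverse once you know the three steps. The block below is an added example for this page, not Fidelis’ tooling or the malware’s code: it implements the decoder, the matching encoder for round-trip checks, and a small scanner that walks a list of extracted strings and reports any that decode to printable text under this scheme, which is how an analyst would pull a C2 address or path out of a sample’s string dump. The sample string dump and the embedded path are constructed for the demonstration.

```python
import base64
import binascii
import re
from typing import List, Tuple

# Candidate tokens: a run of base64 alphabet characters, optionally ending in
# the '@' characters that stand in for '=' padding.
_CANDIDATE = re.compile(r"[A-Za-z0-9+/]{6,}@{0,2}")


def decode_blackmoon_string(encoded: str) -> bytes:
    """Reverse the reported scheme: restore '=' padding, swap letter case, base64-decode.

    Raises binascii.Error on anything that is not well-formed base64 after the fix-ups.
    """
    restored = encoded.replace("@", "=").swapcase()
    return base64.b64decode(restored, validate=True)


def encode_blackmoon_string(raw: bytes) -> str:
    """Forward direction of the same scheme, used here to build test inputs and verify decoding."""
    return base64.b64encode(raw).decode("ascii").swapcase().replace("=", "@")


def _is_printable_ascii(data: bytes) -> bool:
    return len(data) > 0 and all(0x20 <= b < 0x7F for b in data)


def find_encoded_strings(string_dump: str) -> List[Tuple[str, str]]:
    """Scan a strings(1)-style dump and return (token, decoded) pairs that decode cleanly.

    Tokens whose length is not a multiple of four cannot be complete base64 and are skipped;
    anything that decodes to non-printable bytes is treated as a false positive.
    """
    hits: List[Tuple[str, str]] = []
    for match in _CANDIDATE.finditer(string_dump):
        token = match.group(0)
        if len(token) % 4 != 0:
            continue
        try:
            decoded = decode_blackmoon_string(token)
        except (binascii.Error, ValueError):
            continue
        if _is_printable_ascii(decoded):
            hits.append((token, decoded.decode("ascii")))
    return hits


# Constructed string dump: ordinary import names plus one path encoded with the scheme.
CONSTRUCTED_PATH = "/ad_01/test01.jpg"
CONSTRUCTED_DUMP = "\n".join([
    "kernel32.dll",
    "GetProcAddress",
    "VirtualAlloc",
    encode_blackmoon_string(CONSTRUCTED_PATH.encode("ascii")),
    "%TEMP%",
])


if __name__ == "__main__":
    for token, plain in find_encoded_strings(CONSTRUCTED_DUMP):
        print("%s -> %s" % (token, plain))
```

Because the case swap leaves digits, ‘+’ and ‘/’ untouched, the encoded strings still look like base64 to a casual grep; the ‘@’ suffix on otherwise base64-shaped tokens is the most reliable cheap signature of this particular scheme, and it is what the candidate pattern keys on.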
The sample of the Blackmoon malware Fidelis examined is similar to previous variants: attackers steal credentials by performing man-in-the-browser attacks. According to Modi, man-in-the-browser attacks traced back to Blackmoon malware are responsible for stealing the credentials of 150,000 Koreans in July 2016.
“For a crime campaign of this nature where Blackmoon or other Trojans are delivered, we have never seen this type of investment,” Modi said. “With this technique, it is clear adversaries are putting a considerable effort into each of these stages. That, to us, is what is unique about these campaigns.”