
Blackmoon Banking Trojan Uses Three-tiered Malware Delivery Technique

Banking Trojans have long been a favorite tool among criminals looking for financial gain. Blackmoon is one of the most recent banking Trojans making the rounds, and it has caused quite a lot of confusion. Up until a few days ago, security experts were unsure how the malware spreads itself. It appears that the mystery has finally been uncovered, although that doesn’t make Blackmoon any less of a threat.

Blackmoon Banking Trojan is A Big Problem

Dealing with new types of malware is annoying enough, but not knowing how a strain is distributed is one of the worst possible scenarios. This was the case for the Blackmoon banking Trojan, although security researchers have now uncovered how it is distributed. It appears a new framework is being used to infect victims all over the world.

Blackmoon, also known as KRBanker, is designed to steal user credentials for online banking portals. Interestingly enough, this malware has been around since 2014 and has undergone several iterations and improvements over the past few years. The latest update comes in the form of this new framework for infecting new victims. It is worrisome to learn that such a banking Trojan can be around for nearly three years without being shut down, though.

This new framework to infect potential victims uses a three-tiered approach. It is something security researchers have not come across before, which is a very troublesome development. Moreover, it goes to show the Blackmoon developers have put a lot of thought into this new approach, rather than rehashing something a different developer came up with.


Three separate downloader pieces work together to determine the next potential victim for Blackmoon. Once the Trojan is installed, it will start looking for login credentials to popular financial services. This includes the likes of Samsung Pay, as well, which means mobile payment solutions have now become a prominent target for criminals. Other – mainly South Korean – financial solutions are targeted as well by this banking Trojan.

The first part of the malware downloader is delivered through phishing campaigns or exploit kits. This file contains a hard-coded URL from which additional bytecode is downloaded. It is unclear where this code is stored, as the developers obfuscate the location. Once the bytecode is downloaded and executed, it looks for the next part to download. Such a sequential chain of events to install a banking Trojan is quite the novelty and may prove very difficult to shut down.

It is also interesting to note that Blackmoon determines whether or not the infected device runs in the Korean language. If that is not the case, the Blackmoon banking Trojan goes dormant. An interesting turn of events, to say the least. For now, the goal is to try and break the obfuscation applied to these three downloaded files. That will prove to be quite challenging, though. Rest assured Blackmoon will not go away anytime soon.
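The three-tiered delivery described above has a recognisable shape on an endpoint: a process reaches out to the network, drops a new executable, launches it, and the child repeats the pattern. The example below, added here and not taken from the article or from any published Blackmoon analysis, shows one way a defender can hunt for that chain in endpoint telemetry. The event format is a hypothetical simplification of Sysmon-style process, file and network events, and the sample events (paths, PIDs and IP addresses) are constructed for the demonstration.

```python
"""Flag multi-stage downloader chains in constructed, Sysmon-style events.

A "stage" is a process that makes an outbound connection. Two stages are
linked when the parent had already connected out and had already written the
binary that the child runs. A chain of three or more linked stages is the
delivery shape the article describes. The event fields are a hypothetical
simplification, not a real Sysmon schema.
"""
from collections import defaultdict


def _ev(event, pid, ppid=None, image="", path="", dest=""):
    """Build one constructed telemetry record."""
    return {"event": event, "pid": pid, "ppid": ppid,
            "image": image, "path": path, "dest": dest}


STAGE1 = "C:\\Users\\u\\Downloads\\invoice.exe"
STAGE2 = "C:\\Users\\u\\AppData\\Local\\Temp\\s2.exe"
STAGE3 = "C:\\Users\\u\\AppData\\Local\\Temp\\s3.exe"
BROWSER = "C:\\Program Files\\Browser\\browser.exe"

# Constructed sample telemetry, in time order. The first block is a
# three-stage chain; the second is benign noise (a browser that connects
# out and spawns a helper, but never drops and runs a new binary).
SAMPLE_EVENTS = [
    _ev("process_create", 100, ppid=1, image=STAGE1),
    _ev("network_connect", 100, image=STAGE1, dest="203.0.113.10:443"),
    _ev("file_create", 100, image=STAGE1, path=STAGE2),
    _ev("process_create", 200, ppid=100, image=STAGE2),
    _ev("network_connect", 200, image=STAGE2, dest="203.0.113.11:443"),
    _ev("file_create", 200, image=STAGE2, path=STAGE3),
    _ev("process_create", 300, ppid=200, image=STAGE3),
    _ev("network_connect", 300, image=STAGE3, dest="203.0.113.12:443"),
    _ev("process_create", 400, ppid=1, image=BROWSER),
    _ev("network_connect", 400, image=BROWSER, dest="198.51.100.5:443"),
    _ev("process_create", 401, ppid=400, image=BROWSER),
]


def find_download_chains(events, min_stages=3):
    """Return maximal chains (lists of image paths) of linked download stages.

    Each reported chain has at least `min_stages` stages, every stage made an
    outbound connection, and every later stage was written to disk by the
    stage before it. Events must be in time order.
    """
    connected = set()            # pids that made an outbound connection
    dropped = defaultdict(set)   # pid -> files it created
    chain = {}                   # pid -> images of the linked stages so far
    extended = set()             # pids that already have a linked child

    for ev in events:
        kind, pid = ev["event"], ev["pid"]
        if kind == "process_create":
            ppid, image = ev["ppid"], ev["image"]
            # Link only if the parent had already reached out and had already
            # written this child's binary; otherwise start a fresh chain.
            if ppid in connected and image in dropped[ppid] and ppid in chain:
                chain[pid] = chain[ppid] + [image]
                extended.add(ppid)
            else:
                chain[pid] = [image]
        elif kind == "network_connect":
            connected.add(pid)
        elif kind == "file_create":
            dropped[pid].add(ev["path"])

    # Report only the last stage of each chain so prefixes are not duplicated.
    return [stages for pid, stages in chain.items()
            if len(stages) >= min_stages
            and pid in connected
            and pid not in extended]


if __name__ == "__main__":
    for stages in find_download_chains(SAMPLE_EVENTS):
        print("staged downloader chain:")
        for n, image in enumerate(stages, 1):
            print(f"  stage {n}: {image}")
```

Because the article notes that Blackmoon goes dormant when the system language is not Korean, a sample detonated in a non-Korean sandbox may never complete the third stage; running the check with `min_stages=2` surfaces such truncated chains, at the cost of more noise from legitimate updaters that download and launch a helper once.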


JP Buntinx

JP Buntinx is a FinTech and Bitcoin enthusiast living in Belgium. His passion for finance and technology made him one of the world's leading freelance Bitcoin writers, and he aims to achieve the same level of respect in the FinTech sector.

