Banking Trojan BlackMoon Steals Credentials From Over 100,000 South Koreans

By Joseph Lorenz on July 25, 2016


BlackMoon is a banking trojan that has already infected 110,130 victims worldwide, 108,850 of them in South Korea. According to Fortinet, between May 10, 2016 and July 19, 2016 the criminals gained an additional 62,659 new victims (61,255 of them from South Korea). It was first discovered in 2014 and uses proxy auto-config (PAC) files to hijack a user's Internet traffic: the PAC script watches for URLs listed in the configuration file, and when one is requested the user is redirected to a phishing page that mimics the real banking portal, where the criminals collect the banking credentials.

Security experts at Fortinet found an open-access directory belonging to one of the BlackMoon command-and-control (C&C) servers. This allows researchers to study the cyber criminals and pinpoint their methods of operation. Analysis of the log files found on the C&C server revealed that the criminals used BlackMoon configuration files targeting 61 South Korean financial institutions.

Fortinet continues to monitor the server and says it is connecting to 341 other C&C servers hosted by 26 different hosting companies, twelve of them in the United States, eleven in China, and four in Hong Kong. The name of the C&C server and the comments found in the source code are in Chinese; these indicators led researchers to believe that the cyber-gang may be of Chinese origin.